Renew Exchange 2010 Self-Signed Certificate
The default self-signed Exchange 2010 certificate is valid for a period of 5 years. It’s pretty easy to forget about the certificate’s expiration date unless you’ve set a reminder of some sort. Depending on what uses this self-signed cert, it may not cause a major issue. However, chances are that the Exchange self-signed certificate is being used somewhere in your organization. For example, if you are using Orion Solarwinds and WinRM to monitor your Exchange servers and the cert expires, then Solarwinds will not be able to monitor the Exchange servers until you renew the certificate in Exchange. Follow the steps below to renew Exchange 2010 self-signed certificates.
You may notice the following error on your Exchange server/s:
EventID=142 Source=WinRM Description= WSMan operation SignalShell failed error code 995
Powershell errors; error code 995 + HTTP_STATUS_DENIED
You may also notice the following error on your Orion Solarwinds management server/s:
Connecting to remote server failed with the following error message : The SSL connection cannot be established. Verify that the service on the remote host is properly configured to listen for HTTPS requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig -transport:https”. For more information, see the about_Remote_Troubleshooting Help topic.
1. Verify WinRM
The first thing to try is running the winrm command that the error message above tells you to run. Run the following command as an administrator on the Exchange server from a command line:
winrm quickconfig -transport:https
In my case, it ran successfully. Once you’ve verified you do not have an issue with WinRM, then check the status of the Exchange self-signed certificate.
Renew Exchange self-signed certificate
1. Log on to the Exchange 2010 server/s and open the EMC (Exchange Management Console). Expand your Exchange Server, select Server Configuration and highlight the server/s in question. You will notice the self-signed certificate has expired.
Get-ExchangeCertificate -Thumbprint '2borb319fg55cd442bf379876xxc6c8322a58679' | New-ExchangeCertificate
Note: the thumbprint is the one you made note of in step #2.
Remove old Exchange self-signed certificate
4. You will notice a new self-signed certificate in the EMC. You should now remove the old cert by right-clicking on the old cert and selecting Remove.
Bind new self-signed certificate to Exchange
5. The next step is to bind the new cert to Exchange (if necessary). Do this by opening IIS on the Exchange server/s. Expand Sites, then right-click the Default Web Site (most likely) and select Edit Bindings.
6. Look for type “https” and port “443”, highlight it and select Edit.
7. Now bind the Exchange self-signed certificate to the Exchange service and select OK.
Verify the certificate
8. Now it is time to verify that the new self-signed certificate is working. Do this by opening a browser and navigating to the following URL. Replace “server” with your Exchange server name.
If it works, then you will see a result similar to the one below:
If it DOES NOT work, then you may see a screen like the one below:
If for some reason it doesn’t work, try doing an IISReset on the Exchange server/s in question and check it again.
Finally, check the applications that were using this self-signed certificate in the first place, such as Orion Solarwinds or any other application, to make sure they are now working.
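The whole procedure above can also be driven from the Exchange Management Shell. The following script is an added example and not code from the original post: it audits the server's self-signed certificates, renews any that are expired or close to expiry with the same Get-ExchangeCertificate | New-ExchangeCertificate pipeline used in the post, re-assigns the old certificate's services with Enable-ExchangeCertificate (the shell equivalent of the EMC "Assign Services" action), and then shows which thumbprint the WinRM HTTPS listener is using. The $WarnDays threshold and the -Renew switch are the example's own assumptions; it assumes the Exchange 2010 cmdlets are loaded and the account holds the certificate management role.

```powershell
# Added example (not from the original post): audit and renew self-signed
# Exchange 2010 certificates, then check the WinRM HTTPS listener.
param(
    [int]$WarnDays = 30,   # assumption: treat certs expiring within 30 days as due
    [switch]$Renew         # audit only unless -Renew is given
)

$now = Get-Date
# Only self-signed certs are handled here; CA-issued certs are renewed with the CA.
$selfSigned = Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned }

foreach ($cert in $selfSigned) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    "{0}  {1,-40}  expires {2:yyyy-MM-dd} ({3} days)  services={4}" -f `
        $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $daysLeft, $cert.Services

    if ($daysLeft -gt $WarnDays) { continue }
    if (-not $Renew) { "  -> due for renewal; rerun with -Renew"; continue }

    # Piping the old cert into New-ExchangeCertificate clones its subject, SANs
    # and service bindings into a fresh self-signed cert (post step 3).
    $new = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | New-ExchangeCertificate
    "  -> renewed as $($new.Thumbprint), valid until $($new.NotAfter)"

    # Re-assign the services the old cert served (IIS, SMTP, ...) before removing it,
    # so the IIS 443 binding and SMTP keep a valid certificate throughout.
    if ($cert.Services -ne 'None') {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $cert.Services
    }

    # Post step 4: remove the expired cert only after the replacement is in place.
    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
}

# The HTTPS listener's CertificateThumbprint must point at a current cert;
# if it still names the expired one, WinRM-based monitoring fails as described above.
winrm enumerate winrm/config/listener | Select-String 'Transport|CertificateThumbprint'
```

Run it once without -Renew to see what is due, then with -Renew; afterwards compare the listener thumbprint in the last lines of output with the new certificate's thumbprint and re-run the post's step 8 check in a browser.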
Thanks Mate.
This was helpful. Thanks for the post.
So glad this was helpful. Thanks for commenting!
Useful and concise.
This Really Helped me update our certificates. Simple and fast procedure. Thanks George
That is great to hear! Thank you for posting!
This is still helping people!
Thanks.
Alan, thanks for commenting. I know Exchange 2010 is old but you’re right, there are still plenty of on-prem environments out there. Glad this helped.
My self signed cert CN is exchange2010.domain.local and SMTP service only enabled. I have a Geotrust SSL for all external communications. Checking my IIS bindings it shows my Geotrust bound to port 443. So I would imagine that your steps 5-8 regarding IIS would not apply to my situation? It would just be a matter of getting self signed thumbprint, then running the command Get-ExchangeCertificate -Thumbprint '2borb319fg55cd442bf379876xxc6c8322a58679' | New-ExchangeCertificate ? I understand this command will take the parameters of current ssl (CN and SMTP service bound) and create a new self signed cert. Once this is done I would remove…
Tecboy, you are correct. If you have a public cert already bound to your site, then THAT is the cert you need to worry about. However, if you use the EXS self-signed cert for anything else internally like SNMP/WMI, then you would most likely need to renew it. In the example I give in this post, we used the self-signed cert in our Orion application to monitor our Exchange servers. When the cert expired, Orion was no longer able to monitor the servers until we renewed the certificate. If you are using the EXS self-signed cert for any SNMP or…
Thanks George for the simple, clear and very helpful instructions. Worked perfectly. I do this step once every few years; it used to look messy but you help make sense of the process. Very helpful. Thanks from Australia. Cheers 🙂
Ali- So happy this post was helpful to you. Thank you for commenting!
Great information. Used this to renew my self-cert. I got an error though while trying to bind the certificate, so instead I used Assign Services within EMC.
Thank you for your comments Aknox. Happy the post helped you! Cheers!
Hi George, my SSL certificate for wmsvc is self signed in Exchange 2010 and is about to expire. This cert does not have any services; however, we use an external cert provider for IIS and SMTP. My question: do I still need to renew the wmsvc cert?
Thank you for your question. If you are using 3rd party certs for smtp, then I would not think you would need to worry about the self signed certs.
However, if you find something stopped working on the day the certificate expires, then just go through the process of renewing the self signed exs certs outlined in the blog post.
It sounds like you're not using it for anything, so you should be OK.
Thanks and good luck!
This information was very helpful with one Exchange 2010 server that I manage. I stumbled into it after a couple of days of trying another option. Everything worked like a champ. Thanks for the post!
This information was very helpful.
Thank you
So glad this article is still helping folks out there! Thank you for commenting.