Renew Exchange 2010 Self-Signed Certificate
The default self-signed Exchange 2010 certificate is valid for a period of 5 years. It’s pretty easy to forget about the certificate’s expiration date unless you’ve set a reminder of some sort. Depending on what uses this self-signed cert, it may not cause a major issue. However, chances are that the Exchange self-signed certificate is being used somewhere in your organization. For example, if you are using Orion Solarwinds and WinRM to monitor your Exchange servers and the cert expires, then Solarwinds will not be able to monitor the Exchange servers until you renew the certificate in Exchange. Follow the steps below to renew Exchange 2010 self-signed certificates.
You may notice the following error on your Exchange server/s:
EventID=142 Source=WinRM Description= WSMan operation SignalShell failed error code 995
Powershell errors; error code 995 + HTTP_STATUS_DENIED
You may also notice the following error on your Orion Solarwinds management server/s:
Connecting to remote server failed with the following error message : The SSL connection cannot be established. Verify that the service on the remote host is properly configured to listen for HTTPS requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig -transport:https”. For more information, see the about_Remote_Troubleshooting Help topic.
1. Verify WinRM
The first thing to try is running the winrm command that the error message above tells you to run. Run the following command as an administrator on the Exchange server from a command line:
winrm quickconfig -transport:https
In my case, it ran successfully. Once you’ve verified you do not have an issue with WinRM, then check the status of the Exchange self-signed certificate.
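Since the quickconfig command only reports whether a listener exists, it helps to also see which certificate the WinRM HTTPS listener is bound to and whether anything in the machine store has already expired. The script below is an added example, not code from the original post; it assumes an elevated PowerShell prompt on the Exchange server and that an HTTPS listener was created by winrm quickconfig -transport:https. The $WarnDays threshold is my own choice.

```powershell
# Added example (not from the original post): show which certificate the WinRM HTTPS
# listener uses and list machine certificates that are expired or expiring soon.
# Run from an elevated PowerShell prompt on the Exchange server.
param(
    [int]$WarnDays = 30   # assumption: flag anything that expires within 30 days
)

$now = Get-Date

# 1. Walk the WinRM listeners (WSMan: provider) and report the HTTPS one.
Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $props      = Get-ChildItem -Path $_.PSPath
    $transport  = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
    $port       = ($props | Where-Object { $_.Name -eq 'Port' }).Value
    $thumbprint = ($props | Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value

    if ($transport -eq 'HTTPS') {
        Write-Host ("WinRM HTTPS listener on port {0} uses certificate thumbprint {1}" -f $port, $thumbprint)

        # The provider shows the thumbprint with spaces; strip them before matching the store.
        $clean = $thumbprint -replace ' ', ''
        $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }

        if (-not $cert) {
            Write-Warning "The listener references a thumbprint that is not in LocalMachine\My."
        } elseif ($cert.NotAfter -lt $now) {
            Write-Warning ("The listener's certificate expired on {0}; after renewing, point the listener at the new thumbprint." -f $cert.NotAfter)
        }
    }
}

# 2. List every machine certificate that is expired or expires within $WarnDays.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $now.AddDays($WarnDays) } |
    Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, NotAfter,
                  @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
                  @{ Name = 'State';      Expression = { if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'expiring' } } } |
    Format-Table -AutoSize
```

Keeping step 2 in a scheduled job is the simplest way to get the reminder the opening paragraph says most people forget to set. If the listener turns out to be bound to the expiring thumbprint, remember that renewing the certificate in Exchange does not rewrite the WinRM listener; its CertificateThumbprint has to be updated separately (for example with winrm set winrm/config/listener?Address=*+Transport=HTTPS @{CertificateThumbprint="<new thumbprint>"}).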
Renew Exchange self-signed certificate
1. Log onto the Exchange 2010 server/s and open the EMC (Exchange Management Console). Expand your Exchange organization, select Server Configuration and highlight the server/s in question. You will notice that the self-signed certificate has expired.
Get-ExchangeCertificate -Thumbprint '2borb319fg55cd442bf379876xxc6c8322a58679' | New-ExchangeCertificate
Note: the thumbprint is the one you made note of in step #2.
Remove old Exchange self-signed certificate
4. You will notice a new self-signed certificate in the EMC. You should now remove the old cert by right-clicking on the old cert and selecting Remove.
Bind new self-signed certificate to Exchange
5. The next step is to bind the new cert to Exchange (if necessary). Do this by opening IIS on the Exchanger server/s. Expand Sites and then right-click the Default Web Site (most likely) and select Edit Bindings.
6. Look for type “https” and port “443”, highlight it and select Edit.
7. Now bind the new Exchange self-signed certificate to the site and select OK.
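Steps 1 through 7 can also be done end to end from the Exchange Management Shell, which is convenient when several servers need the same treatment. The script below is an added example, not code from the original post; it assumes it is run in EMS on the affected server, that exactly one expired self-signed certificate is present (it stops otherwise), and that $Server is the local server name. Enable-ExchangeCertificate with the IIS service is what performs the 443 binding that steps 5 to 7 do in the IIS console.

```powershell
# Added example (not from the original post): renew an expired Exchange 2010 self-signed
# certificate from the Exchange Management Shell, enable it for the old certificate's
# services and then remove the expired one.
$Server = $env:COMPUTERNAME   # assumption: operate on the local Exchange server

# 1. Find the expired self-signed certificate (the one EMC shows as expired).
$old = @(Get-ExchangeCertificate -Server $Server |
         Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt (Get-Date) })

if ($old.Count -eq 0) { Write-Host "No expired self-signed certificate found on $Server."; return }
if ($old.Count -gt 1) { throw "More than one expired self-signed certificate found; choose the thumbprint by hand." }
$old = $old[0]

Write-Host ("Expired: {0}  Subject={1}  NotAfter={2}  Services={3}" -f `
            $old.Thumbprint, $old.Subject, $old.NotAfter, $old.Services)

# 2. Clone it. New-ExchangeCertificate reads the old certificate from the pipeline and
#    issues a fresh self-signed certificate with the same subject and domain names.
#    -Force suppresses the "overwrite the default SMTP certificate?" prompt.
$new = $old | New-ExchangeCertificate -Force
Write-Host ("New:     {0}  NotAfter={1}" -f $new.Thumbprint, $new.NotAfter)

# 3. Enable the new certificate for the services the old one served. IIS is the one the
#    browser check and WinRM-over-IIS consumers depend on, so fall back to it if the old
#    certificate reported no services.
$services = $old.Services
if (-not $services -or "$services" -eq 'None') { $services = 'IIS' }
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services -Force

# 4. Only now remove the expired certificate.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false

# 5. Show the result; Status should read Valid for the new thumbprint.
Get-ExchangeCertificate -Server $Server |
    Format-List Thumbprint, Subject, NotAfter, Services, Status, IsSelfSigned
```

The order matters: enabling the new certificate before removing the old one means IIS never sits without a certificate on 443, and the script refuses to guess when more than one expired self-signed certificate is present.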
Verify the certificate
8. Now it is time to verify that the new self-signed certificate is working. Do this by opening a browser and navigating to the following URL. Replace “server” with your Exchange server name.
If it works, then you will see a result similar to the one below:
If it DOES NOT work, then you may see a screen like the one below:
If for some reason it doesn’t work, try doing an IISReset on the Exchange server/s in question and check it again.
Finally, check the applications that were using this self-signed certificate in the first place, such as Orion Solarwinds or any other application, to make sure that they are now working.
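The browser check tells you the certificate loads, but not which certificate the server is actually presenting. The script below, an added example and not part of the original post, connects from a management host to the Exchange server, reads the certificate served on each TLS port and compares it with the renewed thumbprint. The hostname and thumbprint are placeholders to replace; port 443 is the IIS binding from steps 5 to 7, and 5986 is the default WinRM HTTPS port, included on the assumption that a WinRM HTTPS listener exists (the script just reports if it does not).

```powershell
# Added example (not from the original post): confirm the Exchange server presents the
# renewed certificate on its TLS ports. Run from a management host with network access.
param(
    [string]$ExchangeServer     = 'exchange01.corp.example',    # placeholder hostname
    [string]$ExpectedThumbprint = 'PASTE-NEW-THUMBPRINT-HERE',  # placeholder
    [int[]]$Ports               = @(443, 5986)                  # IIS HTTPS; WinRM HTTPS default (assumption)
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is offered: we only want to inspect it, and a
        # self-signed certificate would otherwise fail chain validation here.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$expected = ($ExpectedThumbprint -replace ' ', '').ToUpper()

foreach ($port in $Ports) {
    try {
        $cert = Get-RemoteCertificate -HostName $ExchangeServer -Port $port
    } catch {
        Write-Warning ("{0}:{1} did not complete a TLS handshake ({2})" -f $ExchangeServer, $port, $_.Exception.Message)
        continue
    }

    Write-Host ("{0}:{1}  Subject={2}  Thumbprint={3}  NotAfter={4}" -f `
                $ExchangeServer, $port, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "  still presenting an EXPIRED certificate; the binding on this port was not updated (try iisreset for 443)."
    } elseif ($cert.Thumbprint -ne $expected) {
        Write-Warning "  presenting a certificate that is not the renewed one; check the binding on this port."
    } else {
        Write-Host "  OK: renewed certificate is being served."
    }
}
```

A mismatch on 443 after the IIS binding was changed is the case the IISReset note above covers; a mismatch on 5986 means the WinRM listener still points at the old thumbprint, which is the situation that keeps Solarwinds from connecting.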