Renew Exchange 2010 Self-Signed Certificate

The default self-signed Exchange 2010 certificate is valid for a period of 5 years. It’s pretty easy to forget about the certificate’s expiration date unless you’ve set a reminder of some sort. Depending on what uses this self-signed cert, it may not cause a major issue. However, chances are that the Exchange self-signed certificate is being used somewhere in your organization. For example, if you are using Orion Solarwinds and WinRM to monitor your Exchange servers and the cert expires, then Solarwinds will not be able to monitor the Exchange servers until you renew the certificate in Exchange. Follow the steps below to renew Exchange 2010 self-signed certificates.

You may notice the following error on your Exchange server/s:

EventID=142 Source=WinRM Description= WSMan operation SignalShell failed error code 995

Powershell errors; error code 995 + HTTP_STATUS_DENIED

You may also notice the following error on your Orion Solarwinds management server/s:

Connecting to remote server failed with the following error message : The SSL connection cannot be established. Verify that the service on the remote host is properly configured to listen for HTTPS requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig -transport:https”. For more information, see the about_Remote_Troubleshooting Help topic.”

1. Verify WinRM
The first thing to try is running the winrm command that the error message above recommends. Run the following command as an administrator on the Exchange server from a command line:

winrm quickconfig -transport:https

In my case, it ran successfully. Once you’ve verified you do not have an issue with WinRM, then check the status of the Exchange self-signed certificate.

Renew Exchange self-signed certificate
1. Log onto the Exchange 2010 server/s, open EMC (Exchange Management Console). Expand your Exchange Server and select Server Configuration and highlight the server/s in question. You will notice the self-signed certificate has expired.

2. Right-click the cert and select Open. Select the Details tab and then select Thumbprint. Copy or make note of the certificate’s thumbprint. You will need this in order to renew the self-signed certificate.
3. Renew the NAHQEXS23 self-signed cert, identifying it by its thumbprint, with the following PowerShell command. You will need to open the Exchange Management Shell as an administrator before executing the command below.

Get-ExchangeCertificate -Thumbprint '2borb319fg55cd442bf379876xxc6c8322a58679' | New-ExchangeCertificate

Note: the thumbprint is the one you made note of in step 2.

Remove old Exchange self-signed certificate
4. You will notice a new self-signed certificate in the EMC. You should now remove the old cert by right-clicking on the old cert and selecting Remove.

Bind new self-signed certificate to Exchange
5. The next step is to bind the new cert to Exchange (if necessary). Do this by opening IIS on the Exchange server/s. Expand Sites and then right-click the Default Web Site (most likely) and select Edit Bindings.

6. Look for type “https” and port “443”, highlight it and select Edit.

7. Now bind the Exchange self-signed certificate to the Exchange service and select OK.

Verify the certificate
8. Now it is time to verify that the new self-signed certificate is working. Do this by opening a browser and navigating to the following URL. Replace “server” with your Exchange server name.

https://server/powershell

If it works, then you will see a result similar to the one below:
[Screenshot: solarwindsexs10]

If it DOES NOT work, then you may see a screen like the one below:

[Screenshot: solarwindsexs7]

If for some reason it doesn’t work, try doing an IISReset on the Exchange server/s in question and check it again.

Finally, check the applications that were using this self-signed certificate in the first place, such as Orion Solarwinds or any other application, to make sure that they are now working.
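
The browser check in step 8 shows that the site responds, but not which certificate IIS is actually presenting. The script below is an added example, not part of the original procedure: it reads the certificate served on port 443, reports its thumbprint and expiry date, and looks it up in the Exchange certificate list. The host name 'server', the 30-day warning window and the helper name Get-ServedCertificate are assumptions for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell. 'server' and the 30-day warning window are placeholder values.
$Server   = 'server'
$Port     = 443
$WarnDays = 30

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate so it survives closing the stream.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Close() }
    } finally { $client.Close() }
}

$served   = Get-ServedCertificate -HostName $Server -Port $Port
$daysLeft = [int][math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)

# Match the served certificate against the Exchange certificate list.
$known = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Thumbprint -eq $served.Thumbprint }

"Served thumbprint : $($served.Thumbprint)"
"Expires           : $($served.NotAfter) ($daysLeft days left)"
if ($known) {
    "Exchange services : $($known.Services)"
} else {
    Write-Warning "Served certificate is not in the Exchange certificate list for $Server."
}

if ($daysLeft -lt 0) {
    Write-Warning "IIS is still serving an expired certificate; recheck the https binding (steps 5-7)."
} elseif ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in under $WarnDays days; schedule the renewal."
}
```

The served thumbprint should match the new certificate shown in the EMC, not the one noted in step 2. Run on a schedule, the same check gives advance warning before the next expiry.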

George Almeida

Welcome to my little corner of the blogosphere. I'm an Information Technology manager for a Fortune 500 company. I specialize in Windows operating systems, applications, servers, storage, networks and also have a technical background on the IBM iSeries platform. My only purpose for this blog is the hope that it helps someone, someday, somewhere. Any meager proceeds derived from our sponsors will be donated to charity.


6 Comments on "Renew Exchange 2010 Self-Signed Certificate"

Toshky
Guest

Thanks Mate.

Ditoboisy
Guest

This was helpful. Thanks for the post.

YoYo
Guest

Useful and concise.

AmanDo
Guest

This Really Helped me update our certificates. Simple and fast procedure. Thanks George