I'm currently struggling with understanding how Exchange Certificates are uploaded and managed on servers. I've found the following How to Renew SSL Certificate for Exchange 2013 Server Step by Step Guide, but it doesn't seem to cover adding the certificate to the Exchange OWA sites, nor does it state how to verify what services should be checked on the new certificate. I'm just extra cautious about updating the certificate because there are multiple certificates already in the Exchange Control Panel> Servers> Certificates
, and they all seem to be covering different services.
Is there a way to verify what Services I should be replacing? (see Scope)
Do service certificates automatically get replaced by the new certificate once the new certificate has a service selected or do the old certificates have to be unchecked?
Is there anything I need to do to ensure the websites, like ECP, OWA, etc., also get updated?
Scope
- New GoDaddy Certificate
mail.domain.com
to replace a digicert ssl - 2 Exchange Servers: EXCH1, EXCH2
mail.domain.com
has a ECP site, Autodiscovery, and OWA site- self signed certificates (? unsure if these matter for the replacement)
- current services that seem to be covered by
digicert
: IMAP, POP, IIS, SMTP - current services that seem to be covered by
Microsoft Exchange
Self Signed Cert: SMTP, IIS - current services that seem to be covered by
Microsoft Exchange Server Auth Certificate
: SMTP
Instructions from the Step by Step Guide
How to Renew SSL Certificate for 2013 Step by Step
1) Creating a new CSR (Certificate signing request)
- Open EAC or Exchange Admin Center Web page.
- Navigate to Servers section.
- Click on Certificates Option.
- Select Server Name.
- Click on Certificate you need to renew.
- Click on Renew option.
- Save the new CSR request to your desired UNC path.
- Submit the CSR request to generate a new certificate with your 3rd party Certificate vendor.
- Download the new certificate.
2) Installing new certificate
- Open EAC or Exchange Admin Center Web page.
- Navigate to Servers section.
- Click on Certificates Option.
- Select Server Name.
- Now Select Certificate with status "Pending Request".
- Right-hand side, click on the complete option.
- Now enter the UNC path for new downloaded Certificate.
3) Assign New Certificate to Services like IIS, SMTP, IMAP or POP
- Open EAC or Exchange Admin Center Web page.
- Navigate to Servers section.
- Click on Certificates Option.
- Select Server Name.
- Select the new certificate.
- Click on Edit Icon.
- Click on Services option.
- Click on the Services checkbox you want to assign and save.
- Certificate renew completed for the single server.
Note: If you have more than one Exchange server. Move to Step 4.
4) Exporting Certificate from First Exchange Server in the same Org.
- Export certificate from the server you first renewed or installed.
- Open EAC or Exchange Admin Center Web page.
- Navigate to Servers section.
- Click on Certificates Option.
- Select First Server Name.
- Select the new certificate you want to export.
- Click on “…” or more icon and select Export Exchange Certificate.
- Enter the UNC path, where you want to export the new certificate.
- Provide the password and follow rest of the steps.
5) Importing Certificate on Other Exchange Servers in the same Org.
- Open EAC or Exchange Admin Center Web page.
- Navigate to the Servers section.
- Click on the Certificates Option.
- Click on “…” or more icon.
- Click Import Exchange Certificate
- Enter the UNC path for the exported certificate you did in step 4 above.
- Enter the password you gave in step 4 above.
- Now click on "+" icon and add your other Exchange 2013 servers.
- Follow Wizard and finish the import process.
6) Assign Services on other Exchange servers.
• Follow Step 3.
You don't assign the certificate to sites (OWA, etc.), you assign it to services (IIS, SMTP, etc.) , which in turn uses it for the sites, services, protocols.
https://docs.microsoft.com/en-us/exchange/architecture/client-access/assign-certificates-to-services?view=exchserver-2019
Agree with joeqwerty, services using the certificate that we are managing are all services that rely on IIS (OWA, EAC, Web Services, Active Sync, Outlook Anywhere, Autodiscover and OAB), legacy protocols such as POP and IMAP, and SMTP for TLS.
In addition, when you assign services to the new certificate, after clicking Save, you will receive a notification that remind you to to overwrite the existing certificate.
For more details: Certificate requirements by service