Renewing SBS2011 Exchange Self-Signed Certificate w/o changing home page in IE?
Solution 1
In the exchange management shell run Get-ExchangeCertificate
to get the thumbprint on the cert you're trying to renew then run the following:
Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate | Enable-ExchangeCertificate -services pop,imap,smtp,iis
Solution 2
If using SBS2011 then
- Start the Windows SBS2011 Standard Console
- Click on the Network icon in the top bar, then click the Connectivity tab
- Wait for the panel in the right to become active and then click on 'Fix My Network'
- Let the wizard search for problems.
- One of the problems it should find is the expired certificate.
- Clear all the checkboxes except the certificate one and click Next
This will then re-issue a new self signed certificate on the server.
Solution 3
I did this in SBS2011:
Open Exchange Management Console > navigate to Server Configuration and review the Certificates in the right panel
Identify the certificate that has expired (take note of the subject name and the services)
Start ExMngmtnShell as Administrator
type Get-ExchangeCertificate to list the installed certificates
Match the certificate to the expired certificate (using subject the name and services) from the Console then copy the associated thumbprint
Type Get-ExchangeCertificate –Thumbprint INSERTTHUMBPRINTHERE | New-ExchangeCertificate
Type Y to renew the certificate
You can confirm the new certificate is installed and associated with the correct services either by running Step 4 or Step 1/2.
Remove the old expired certificate either from the Console or from the Shell using Remove-ExchangeCertificate -Thumbprint INSERTTHUMBPRINTHERE
Note: I had to restart the server for the certificate to take effect.
Related videos on Youtube
Adam Hart
Updated on September 18, 2022Comments
-
Adam Hart almost 2 years
On a previous server when we used the built in SBS wizard to renew the certificate it worked, however it reset all of the computers on the domain's IE home page to companyweb.
Is there a way to do the renew without resetting everyone homepage?
-
Dylan Knoll about 8 yearsAs somebody who has experience with SBS 2011 (unfortunately...), I would strongly recommend never using the SBS panel provided... it has all kinds of quirks like the one you've just described. Use MMC snap-ins or Powershell.
-
-
Adam Hart almost 11 yearsPerfect, just verified with my other tech that this is the answer we were looking for. Thanks.
-
user162383 almost 8 yearsAll the answers here that advocate using PS are correct for a given value of correct but this one is the best. This method will cause the SBS internal Certificate Authority to be used to generate the new certificate. The PS methods will generate a self signed cert. There is a difference - all the PCs and the server should have the SBS CA cert as trusted and hence will automatically trust the cert generated by the fix my network wizard. The PS generated one will not be trusted automatically.
-
I say Reinstate Monica almost 7 yearsYou do not need to restart the SBS Console or the server for the renewed certificate to take effect.
-
Markus Rudel almost 6 yearsI've had a SBS2011 with self-signed certs which expired a few days ago. This command helps with the renewal of the exchange cert, however, you'll end up with a self-signed certificate without root CA and need to trust that new certificate on your machines. I wonder if its possible to do the update of the cert, using a self signed CA and automatically trusting it on all machines in AD.