Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
How to renew your Exchange 2007 SSL-certificate, especially when using ISA Server for Publishing

This blog originally appeared on my "home blog server" at the following url:

As I am a fan of the Belgian Pro-Exchange User Group, I thought it would be owkay if I uploaded my most recent post on Exchange 2007 also here. Feel free to check out my other posts on; I will investigate in the near future if there is a possibility to have both blog sites being linked to each other, to avoid I need to upload all posts twice :-)

Here we go :



About a year ago, I wrote a post on “how to publish Exchange 2007 OWA using ISA 2006”; this time, the SSL-certificate had expired, so a renew operation was necessary. To make my ISA/OWA2007 procedure complete, I thought it could be interesting to write again how to make it work.


1) to renew the certificate for, we start by getting a list of currently installed certificates on the exchange box:

Get-ExchangeCertificate –domain “” | fl

Note the services to which the certificate is bound (by default: IIS, SMTP, IMAP, POP3); copy the thumbprint of the certificate.

2) Get a new certificate with a valid expiration date (by default, 1 year from its generation date)

Get-ExchangeCertificate –thumbprint “C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate –privatekeyexportable $True

(the privatekeyexportable $True is necessary to export the certificate in a valid format for ISA 2006 server to use it)

3) If the certificate is being used for SMTP as well, confirm the following prompt:

Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 4/25/009 7:37:31 AM)?
Yes Yes Angel Yes to All No No [L] No to All Sleep Suspend [?] Help
(default is "Y"):

4) The new certificate has been generated but not yet enabled; validate the new certificate again:

Get-ExchangeCertificate –thumbprint “ 3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 4/25/009 7:37:31 AM)?

Thumbprint   Services   Subject

----------   --------   -------

3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   .....


5) To enable this new generated certificate again for the Exchange Services, use the following powershell cmdlet:

Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS, POP, SMTP, IMAP

6) As the newly generated certificate has again a private key linked to it, we can export this certificate to a PFX-file, and install it into the certificate MMC on the ISA Server. After these steps, the new certificate is bound to the Exchange 2007 WebServices internally, and bound to the ISA 2006 OWA listener.

That’s all folks,



Posted 05-15-2009 12:23 by pdtit