A self-signed Microsoft Exchange 2007 Security Certificate is valid for a period of one year. After this period you’re required to re-issue a new certificate. This can be done using EMS (Exchange Management Shell) and the New-ExchangeCertificate CommandLet (cmdlet).
If you do not update / reissue the certificate, Outlook will complain about this issue displaying a Security Warning on the users display (this one’s in German).
Step-by-step (quick tutorial):
- Open a EMS (Exchange Management Shell). On Windows 2008 Server you should do this ‘elevated’ / run as admin.
- Check your existing Exchange Certificate using Get-ExchangeCertificate cmdlet
- Check the values ‘NotAfter’ and ‘NotBefore’. These values show you the validity period for the certificate. Note down the value ‘Thumbprint’ – this value identifies the certificate. We need that value a later step.
- Now create a new Exchange Certificate using the New-ExchangeCertificate cmdlet.
- Now you have to enable the new generated certificate using ‘Enable-ExchangeCertificate’ cmdlet. To do this, you need to specify the ThumbPrint of the certificate and the desired Services. In this illustration we enable the certificate for IMAP, POP, IIS and SMTP.
- Now it’s time to clean up. Using Remove-ExchangeCertificate you can remove the old and expired Exchange Certificate. As mentioned in Step 2 / 3 you now need the ThumbPrint value of the old certificate to successfully execute this cmdlet
Other cmdlets that relate to this issue are:
Now you’re done. If you have any suggestions, corrections or additions, feel free to write a comment.