0

We have two Exchange 2013 servers in a fail-over cluster and DAG. Both servers are mailbox and CAS. The servers use different certificates for the 4 services (IMAP, POP, IIS, SMTP). Server1 is the primary.

Now both servers, this certificate is going to expire soon. I have done renewal of certificate for Server2, completed it in Exchange certificate screen and the new certificate got installed.

  1. But I see only IMAP and POP is showing in new certificate->services. Old certificate still showing all four services. Should I just select other two services in the new certificate, and will that take it off from the old one? What if both old and new ones have all 4 services – can I then just delete the old certificate? I can't unselect any of 4 services from old cert, the boxes are greyed out.

  2. My second question is, should I do the same thing on my primary server Server1 (renewal of certificate and moving the services and delete old one later)?

Much appreciate your advice.

arifr
  • 41
  • 4
  • 9

1 Answers1

0

The answer depends a little bit on your construct and how you have configured your MS Exchange environment (e.g. which DNS names you use).

For example if you use round robin for the SMTP port to have kind of failover you should use the same SSL certificate on both server. That means you need to export the SSL certificate on 02 (with public key) and install the same ssl certificate on the 01 server.

This is for example quite important if you use mailin.contoso.com as external MX record which then is pointed to two MS Exchange server. You wouldn´t get two ssl certificates with the same name mailin.contoso.com you would get only one...

I also wouldn´t use the GUI I would use powershell:

Enable-ExchangeCertificate -Server 'exch02' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'EDF57B5F9D81F1EC329BFB77ADD4465B426A40FB'

After that you can restart the IIS via:

iisreset /noforce

Additional: I wouldn´t delete the old certificate, use MMC, do a export (with public key) then store it somewhere. Then you could re-import it and change the config so that it fits the old one. If you hard delete it without having a backup there would be no way back then.

BastianW
  • 2,868
  • 4
  • 20
  • 34
  • I selected IIS and SMTP services under the certificate on Server2. Everything was looking working fine and even on OWA I saw new certificate information, however when I was trying ECP, it was just failing to log-in. After I put my ID, password and hit enter, there was a slight flicker, didn't accept log-in, but no message, same log-in screen. I followed some post on similar issue where it was said to recreate virtual directories and reset IIS and app-pools. What I did was reset IIS only, and then it worked. I have to do the same thing on Server1. – arifr Aug 02 '17 at 04:38
  • Restarting IIS is a good approach. However I personally wouldn´t start re-creating virtual directories here when dealing with ssl certificate issues as I personally would say that this might not help here and might cause a lot of different other issues. P.S. if that helps please accept this answer then, so that we can close this question here on ServerFault. – BastianW Aug 02 '17 at 06:10