but it worked in the staging environment...

How to renew your Exchange 2007 SSL-certificate, specifically when using ISA 2006 as publishing server

PDT IT Services Blog Posts

About a year ago, I wrote a post on “how to publish Exchange 2007 OWA using ISA 2006”. This time, the SSL certificate had expired, so a renewal was necessary. To make my ISA/OWA 2007 procedure complete, I thought it would be useful to write up how to make that work as well.


1) To renew the certificate, we start by getting a list of the certificates currently installed on the Exchange box for the domain in question:

Get-ExchangeCertificate -DomainName "" | fl

Note the services to which the certificate is bound (by default: IIS, SMTP, IMAP, POP3); copy the thumbprint of the certificate.

2) Get a new certificate with a valid expiration date (by default, 1 year from its generation date):

Get-ExchangeCertificate -Thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate -PrivateKeyExportable $True

(-PrivateKeyExportable $True is necessary so that the certificate can be exported in a format the ISA 2006 server can use.)

3) If the certificate is being used for SMTP as well, confirm the following prompt:

Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 4/25/009 7:37:31 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):

4) The new certificate has been generated but not yet enabled; validate the new certificate again:

Get-ExchangeCertificate -Thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E"

Thumbprint                                 Services   Subject
----------                                 --------   -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   .....


5) To enable the newly generated certificate for the Exchange services, use the following PowerShell cmdlet:

Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS, POP, SMTP, IMAP

6) Because the newly generated certificate again has a private key linked to it, we can export it to a PFX file and install it through the Certificates MMC on the ISA server. After these steps, the new certificate is bound to the Exchange 2007 web services internally and to the ISA 2006 OWA listener.
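Steps 1 to 6 as one Exchange Management Shell script, with the checks done before the new certificate is bound and exported. This is an added example, not code from the original post: the host name, the export path and the variable names are placeholders, and Export-ExchangeCertificate is used with its Exchange 2007 parameters (-Path, -BinaryEncoded, -Password).

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2007 server.
# Placeholders (not from the original post): host name and export path.
$hostName = "owa.example.test"
$pfxPath  = "C:\Temp\owa-renewed.pfx"

# Step 1: locate the certificate currently bound to IIS for this host name
# and record its services and names before anything is overwritten.
$old = @(Get-ExchangeCertificate -DomainName $hostName |
         Where-Object { "$($_.Services)" -match "IIS" })[0]
if (-not $old) { throw "No IIS-bound certificate found for $hostName" }
$oldServices = $old.Services
$oldNames    = @($old.CertificateDomains | ForEach-Object { $_.ToString() })
"Renewing {0} (expires {1}, services: {2})" -f $old.Thumbprint, $old.NotAfter, $oldServices

# Steps 2-3: renew with an exportable private key. Answer the SMTP overwrite
# prompt if it appears.
$new = $old | New-ExchangeCertificate -PrivateKeyExportable $true
if (-not $new) { throw "New-ExchangeCertificate returned no certificate" }

# Step 4: re-read the new certificate from the store and check it before binding.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if (-not $check.HasPrivateKey) { throw "New certificate has no private key" }
if ($check.NotAfter -le (Get-Date)) { throw "New certificate is already expired" }
$newNames = @($check.CertificateDomains | ForEach-Object { $_.ToString() })
$missing  = @($oldNames | Where-Object { $newNames -notcontains $_ })
if ($missing.Count -gt 0) { throw "Names missing from new certificate: $missing" }

# Step 5: bind the new certificate to the same services the old one had.
Enable-ExchangeCertificate -Thumbprint $check.Thumbprint -Services $oldServices

# Step 6: export certificate and private key to a password-protected PFX for ISA.
# The password is read as a SecureString so it never appears in the transcript.
$pfxPassword = Read-Host "Password for the PFX file" -AsSecureString
Export-ExchangeCertificate -Thumbprint $check.Thumbprint -BinaryEncoded:$true `
    -Path $pfxPath -Password:$pfxPassword

# The PFX holds the private key: delete it here once it has been copied
# to and imported on the ISA server.
"Exported {0} to {1}; remove the file after import." -f $check.Thumbprint, $pfxPath
```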

That’s all folks,



Posted apr 26 2009, 05:38 by Peter De Tender


Exchange 2007 wrote How to renew your Exchange 2007 SSL-certificate, especially when using ISA Server for Publishing
on 05-15-2009 12:26

This blog originally appeared on my "home blog server" at the following url: http://trycatch
