Exchange 2013: Renewing Your Expiring SSL Certificate with the DigiCert Utility
These instructions show you how to use the DigiCert® Certificate Utility for Windows to create your CSR (certificate signing request) and then to install your SSL Certificate. Then, they show how to use the Exchange Admin Center to assign the services to the new SSL Certificate.
To Renew Your Exchange 2013 SSL Certificate:
-
Create your CSR.
-
Install your new SSL Certificate.
-
Configure or assign your new SSL Certificate.
See Exchange 2013: Assign the Certificate with Exchange Admin Center.
1. Create Your CSR with the DigiCert Utility
Best practices are to generate a new certificate signing request (CSR) when renewing your SSL certificate.
-
On your Exchange 2013 server with the expiring certificate, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
-
Run the DigiCert® Certificate Utility for Windows.
Double-click DigiCertUtil.
-
In DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the expiring certificate that you want to renew, and then, click Create CSR.
-
In the "Would you like to import the attributes from 'certificate' into the new CSR?" window, click Yes.
-
On the Create CSR page, verify that all the certificate details are correct, and then click Generate.
-
On DigiCert Certificate Utility for Windows© - Renew Certificate page, do one of the following, and then, click Close:
Click Copy CSR. Copies the certificate contents to the clipboard. If you use this option, we recommend that you paste the CSR into a tool such as Notepad. If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it. Click Save to File. Saves the CSR as a .txt file to the Windows server. We recommend that you use this option.
Renew your SSL certificate
Renew your SSL certificate from inside your DigiCert CertCentral account.
Are you new to the DigiCert team? You can "replace" your certificate with a DigiCert certificate. Order your new certificate here - Purchase Your DigiCert Certificate.
-
Sign in to your CertCentral account.
-
In CertCentral, in the left main menu, click Certificates > Expiring Certificates.
-
On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.
A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.
-
Follow the instructions provided inside your account to renew your SSL certificate.
-
Add your CSR
When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.
You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it to or Paste it in the Add Your CSR box.
-
After placing the order to renew your certificate, DigiCert verifies your information.
-
If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.
2. Import Your SSL Certificate with the DigiCert Utility
After DigiCert issues your renewal SSL Certificate, run the DigiCert Certificate Utility to import it to your Exchange 2013 server.
-
After receiving your new certificate file from DigiCert, save the file to the Exchange 2013 server where you created the CSR.
-
On the same server, run the DigiCert® Certificate Utility for Windows.
Double-click DigiCertUtil.
-
In DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then, click Import.
-
In the Certificate Import wizard, click Browse to browse to the .pfx certificate file (i.e. mail_yourdomain_com.pfx), select the file, and click Open, and then, click Next.
-
In the Password box, enter the password for the .pfx file and then click Next.
-
In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.
Note: The friendly name is not part of the certificate; instead, it is used to identify the certificate.
We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
Click Finish to import the SSL Certificate (.pfx file) to your Exchange 2013 server.
You should receive a message that the certificate was successfully imported. You should now see your SSL Certificate in the DigiCert Certificate Utility for Windows©, under SSL Certificates.
-
You can now assign services to your SSL Certificate in the Exchange Admin Center.
3. Exchange 2013: Assign the Certificate with Exchange Admin Center
-
Open the Exchange Admin Center (navigate to https://localhost/ecp).
-
In Exchange Admin Center, in the menu on the left, click Servers and then in the menu at the top of the Servers section, click Certificates.
-
In the Certificates section, select your newly imported certificate (listed by its Friendly Name) and then, click the Edit symbol (pencil).
-
On your "Certificate's" page, in the menu on the left, click Services.
-
In the Specify the services that you want to assign this certificate section, check the services (i.e. SMTP, IMAP, POP, and IIS ) that you want to enable for your new SSL Certificate and then, click save.
-
Your SSL Certificate should now be installed and configured with the services that you selected for use with Exchange 2013.
Test your Installation
To verify that the installation is correct, use our DigiCert® SSL Installation Diagnostics Tool and enter the DNS name of the site (i.e. www.yourdomain.com, or mail.yourdomain.com) that you are securing to test your SSL Certificate.
Troubleshooting
If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors contact support.