Exchange 2013 Certificate Renewal

Tags: certificate, exchange-2013, ssl-certificate

We have two Exchange 2013 servers in a fail-over cluster and DAG. Both servers are mailbox and CAS. The servers use different certificates for the 4 services (IMAP, POP, IIS, SMTP). Server1 is the primary.

Now on both servers, this certificate is going to expire soon. I have done the renewal of the certificate for Server2, completed it in the Exchange certificate screen, and the new certificate got installed.

  1. But I see only IMAP and POP are showing in new certificate->services. The old certificate is still showing all four services. Should I just select the other two services in the new certificate, and will that take it off the old one? What if both old and new ones have all 4 services – can I then just delete the old certificate? I can't unselect any of the 4 services from the old cert; the boxes are greyed out.

  2. My second question is, should I do the same thing on my primary server Server1 (renewal of the certificate, moving the services, and deleting the old one later)?

Much appreciate your advice.

Best Answer

The answer depends a little bit on your construct and how you have configured your MS Exchange environment (e.g. which DNS names you use).

For example, if you use round robin for the SMTP port to have a kind of failover, you should use the same SSL certificate on both servers. That means you need to export the SSL certificate on 02 (with public key) and install the same SSL certificate on the 01 server.

This is, for example, quite important if you use mailin.contoso.com as the external MX record, which is then pointed to two MS Exchange servers. You wouldn't get two SSL certificates with the same name mailin.contoso.com; you would get only one...

I also wouldn't use the GUI; I would use PowerShell:

Enable-ExchangeCertificate -Server 'exch02' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'EDF57B5F9D81F1EC329BFB77ADD4465B426A40FB'

After that you can restart the IIS via:

iisreset /noforce

Additional: I wouldn't delete the old certificate. Use MMC, do an export (with public key), then store it somewhere. Then you could re-import it and change the config so that it fits the old one. If you hard delete it without having a backup, there would be no way back.
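Putting the answer's steps together as one Exchange Management Shell script, as an added example that is not part of the original answer: it assumes the servers are named exch01 and exch02, a share \\exch02\certs$ readable only by Exchange administrators, and a placeholder for the old certificate's thumbprint; the new thumbprint is the one quoted in the answer.

```powershell
# Added example, not the answerer's script. Copies the renewed certificate from
# exch02 to exch01, binds the four services on both DAG members, and keeps a
# backup of the expiring certificate first. Server names, share path and
# <OLD_CERT_THUMBPRINT> are assumptions; the new thumbprint is from the answer.
$NewThumb = 'EDF57B5F9D81F1EC329BFB77ADD4465B426A40FB'
$OldThumb = '<OLD_CERT_THUMBPRINT>'
$Share    = '\\exch02\certs$'   # NTFS/share ACLs limited to Exchange admins: PFX files hold private keys
$PfxPass  = Read-Host 'PFX password' -AsSecureString

# 1. Back up the expiring certificate (with its private key) before changing anything,
#    so the old configuration can be restored if the renewed certificate misbehaves.
Export-ExchangeCertificate -Server 'exch02' -Thumbprint $OldThumb -BinaryEncoded `
    -Password $PfxPass -FileName "$Share\old-cert-backup.pfx" | Out-Null

# 2. Export the renewed certificate from exch02 with its private key.
Export-ExchangeCertificate -Server 'exch02' -Thumbprint $NewThumb -BinaryEncoded `
    -Password $PfxPass -FileName "$Share\renewed.pfx" | Out-Null

# 3. Import it on exch01 so both servers present the identical certificate behind
#    the shared DNS name / MX record.
$PfxBytes = [byte[]](Get-Content -Path "$Share\renewed.pfx" -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server 'exch01' -FileData $PfxBytes -Password $PfxPass | Out-Null
Remove-Item -Path "$Share\renewed.pfx"   # do not leave the private key on a share

# 4. Sanity-check the imported certificate before binding services to it.
$Cert = Get-ExchangeCertificate -Server 'exch01' -Thumbprint $NewThumb
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { throw 'Imported certificate expires within 30 days' }
$Cert | Format-List Subject, CertificateDomains, NotAfter, Services

# 5. Bind IMAP, POP, IIS and SMTP on both servers. Services cannot be unticked on the
#    old certificate (the greyed-out boxes); enabling them on the new one is what takes
#    effect. -Force suppresses the "replace the default SMTP certificate?" prompt.
foreach ($Srv in 'exch01', 'exch02') {
    Enable-ExchangeCertificate -Server $Srv -Thumbprint $NewThumb -Services 'IMAP,POP,IIS,SMTP' -Force
}

# 6. Confirm which thumbprint now carries each service, then recycle IIS on each
#    server with: iisreset /noforce
foreach ($Srv in 'exch01', 'exch02') {
    Get-ExchangeCertificate -Server $Srv | Format-Table Thumbprint, Services, NotAfter -AutoSize
}
```

The old certificate stays in the store with its Services flags until you choose to remove it; with the PFX backup from step 1 you can re-import and re-enable it if the new one has to be backed out.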