5

On a previous server when we used the built in SBS wizard to renew the certificate it worked, however it reset all of the computers on the domain's IE home page to companyweb.

Is there a way to do the renew without resetting everyone homepage?

Adam Hart
  • 93
  • 1
  • 2
  • 6
  • As somebody who has experience with SBS 2011 (unfortunately...), I would strongly recommend never using the SBS panel provided... it has all kinds of quirks like the one you've just described. Use MMC snap-ins or Powershell. – Dylan Knoll May 13 '16 at 23:50

5 Answers5

9

In the exchange management shell run Get-ExchangeCertificate to get the thumbprint on the cert you're trying to renew then run the following:

Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate | Enable-ExchangeCertificate -services pop,imap,smtp,iis
JohannesM
  • 166
  • 2
  • 13
David V
  • 840
  • 1
  • 8
  • 15
  • Perfect, just verified with my other tech that this is the answer we were looking for. Thanks. – Adam Hart Jul 25 '13 at 13:58
  • I've had a SBS2011 with self-signed certs which expired a few days ago. This command helps with the renewal of the exchange cert, however, you'll end up with a self-signed certificate without root CA and need to trust that new certificate on your machines. I wonder if its possible to do the update of the cert, using a self signed CA and automatically trusting it on all machines in AD. – Markus Rudel Sep 15 '18 at 13:37
9

If using SBS2011 then

  1. Start the Windows SBS2011 Standard Console
  2. Click on the Network icon in the top bar, then click the Connectivity tab
  3. Wait for the panel in the right to become active and then click on 'Fix My Network'
  4. Let the wizard search for problems.
  5. One of the problems it should find is the expired certificate.
  6. Clear all the checkboxes except the certificate one and click Next

This will then re-issue a new self signed certificate on the server.

Community
  • 1
Paul Marsden
  • 91
  • 1
  • 4
  • 1
    All the answers here that advocate using PS are correct for a given value of correct but this one is the best. This method will cause the SBS internal Certificate Authority to be used to generate the new certificate. The PS methods will generate a self signed cert. There is a difference - all the PCs and the server should have the SBS CA cert as trusted and hence will automatically trust the cert generated by the fix my network wizard. The PS generated one will not be trusted automatically. – user162383 Aug 25 '16 at 09:04
2

I did this in SBS2011:

  1. Open Exchange Management Console > navigate to Server Configuration and review the Certificates in the right panel

  2. Identify the certificate that has expired (take note of the subject name and the services)

  3. Start ExMngmtnShell as Administrator

  4. type Get-ExchangeCertificate to list the installed certificates

  5. Match the certificate to the expired certificate (using subject the name and services) from the Console then copy the associated thumbprint

  6. Type Get-ExchangeCertificate –Thumbprint INSERTTHUMBPRINTHERE | New-ExchangeCertificate

  7. Type Y to renew the certificate

  8. You can confirm the new certificate is installed and associated with the correct services either by running Step 4 or Step 1/2.

  9. Remove the old expired certificate either from the Console or from the Shell using Remove-ExchangeCertificate -Thumbprint INSERTTHUMBPRINTHERE

Note: I had to restart the server for the certificate to take effect.

TeeC
  • 21
  • 2
0

Thank you TeeC

The only step I had to do to fix Phones as well as RPC over HTTP in outlook clients not being able to connect was to assign the correct certificate to IIS... For some reason the renewal removed it... However, it was an easy fix: (After many searches)

From the exchange 2010 console go to servers, find the certificate for the site your phones point to on the below column right click and select assign to services and select IIS, and click finish

Else from Ps

enable-exchangecertificate -thumbprint xxxxxxxxx -services iis

You will have to restart IIS after this. you should see the certificate in the browser

MrJoelieC
  • 1
-1

This worked for me:

  1. Start ExMngmtnShell as Administrator

  2. type Get-ExchangeCertificate to list the installed certificates

  3. Match the certificate to the expired certificate (using subject the name and services) from the Console then copy the associated thumbprint

  4. Type Get-ExchangeCertificate –Thumbprint INSERTTHUMBPRINTHERE | New-ExchangeCertificate

  5. Type Y to renew the certificate

  6. Restart SBS2008/2011 Console or restart server.

Tom
  • 1