Medha Cloud
Medha Cloud Exchange Server Team
Exchange Database Recovery Team · 8 min read

An expired SSL certificate in Exchange Server causes browsers to display security warnings, Outlook to disconnect, and mobile devices to fail sync. This guide shows you how to identify expiration, renew or replace the certificate, and restore secure HTTPS connections.

Our Exchange Certificate Management team handles certificate renewals with zero-downtime procedures.

Error Overview: What Happens When SSL Expires

SSL/TLS certificates have a validity period (typically 1-2 years). When a certificate expires, browsers and clients reject the connection because they cannot verify the server's identity.

Typical User Experience
# Browser shows:
"Your connection is not private"
"NET::ERR_CERT_DATE_INVALID"
"This site's security certificate has expired"

# Outlook shows:
"The security certificate has expired or is not yet valid"
"There is a problem with the proxy server's security certificate"

# Mobile devices:
"Cannot Verify Server Identity"
"SSL Error - Certificate expired"

Symptoms & Business Impact

What Users Experience:

  • OWA displays browser security warnings
  • Outlook repeatedly prompts for credentials or shows certificate errors
  • ActiveSync devices fail to sync with certificate errors
  • Autodiscover fails, breaking new Outlook profile setup

What Admins See:

  • Get-ExchangeCertificate shows NotAfter date in the past
  • Event ID 12025 in Application log
  • IIS certificate binding shows expired certificate

Check Certificate Expiration
# Check all Exchange certificates
Get-ExchangeCertificate | Select-Object Subject, Thumbprint, NotAfter, Services,
    @{N='Status';E={if($_.NotAfter -lt (Get-Date)){'EXPIRED'}elseif($_.NotAfter -lt (Get-Date).AddDays(30)){'EXPIRING SOON'}else{'Valid'}}} |
    Format-Table -AutoSize

# Check specific certificate by thumbprint
Get-ExchangeCertificate -Thumbprint "ABC123..." | Format-List *

Common Causes

1. Missed Renewal Deadline (60%)

Certificate renewal was not tracked, and the expiration date passed without renewal. Most certificates expire 1-2 years after issuance.

2. Auto-Renewal Failure (25%)

Internal CA auto-enrollment failed, or the certificate request was not completed after generating a CSR.

3. Server Migration (15%)

The certificate was not migrated to the new server, or the old certificate was imported but not renewed.

Quick Diagnosis

Step 1: Identify Expired Certificate
# List all certificates with expiration status
Get-ExchangeCertificate | ForEach-Object {
    $status = if ($_.NotAfter -lt (Get-Date)) { "EXPIRED" }
              elseif ($_.NotAfter -lt (Get-Date).AddDays(30)) { "EXPIRING SOON" }
              else { "Valid" }
    [PSCustomObject]@{
        Subject = $_.Subject
        Thumbprint = $_.Thumbprint.Substring(0,8) + "..."
        Expires = $_.NotAfter
        Services = $_.Services
        Status = $status
    }
} | Format-Table -AutoSize

Step 2: Check IIS Binding
# Check what certificate is bound to IIS
Import-Module WebAdministration
Get-WebBinding -Name "Default Web Site" -Protocol https |
    Select-Object bindingInformation, certificateHash | Format-Table

# Verify the bound certificate
$binding = Get-WebBinding -Name "Default Web Site" -Protocol https
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
$cert | Select-Object Subject, NotAfter, Thumbprint

Quick Fix (If You Have a New Certificate)

Import and Enable New Certificate
# Import new certificate (if you have a PFX file)
$pfxPath = "C:\Certs\NewExchangeCert.pfx"
$pfxPassword = Read-Host "Enter PFX password" -AsSecureString
$newCert = Import-ExchangeCertificate -FileName $pfxPath -Password $pfxPassword -PrivateKeyExportable:$true

# Import-ExchangeCertificate returns the imported certificate, so take the thumbprint
# from it rather than picking the latest-expiring certificate from Get-ExchangeCertificate
# (the built-in self-signed "Microsoft Exchange" certificates are valid for years and would win)
Write-Host "New certificate: $($newCert.Thumbprint) (expires $($newCert.NotAfter))"

# Enable for Exchange services
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IIS,SMTP,POP,IMAP

# Restart IIS
iisreset /noforce
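Before running Enable-ExchangeCertificate it is worth confirming that the new certificate covers every hostname Exchange hands out to clients and that its chain builds on the server; binding a certificate that lacks a SAN entry simply replaces one client error with another. The pre-flight script below is an added example, not part of the original article: it assumes Exchange 2016 or later (Get-ClientAccessService) and takes the new certificate's thumbprint as its only input.

```powershell
# Added example (not from the original article): pre-flight checks before
# Enable-ExchangeCertificate. Run in the Exchange Management Shell on the server.
# $Thumbprint (the newly imported certificate) is an assumed input.
param([Parameter(Mandatory)][string]$Thumbprint)

# Local store copy is a real X509Certificate2, usable for key and chain checks
$local     = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$exCert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
$certNames = @($exCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Every hostname that Exchange tells clients to connect to (Exchange 2016+ cmdlets)
$urls = @(Get-OwaVirtualDirectory -ADPropertiesOnly
          Get-WebServicesVirtualDirectory -ADPropertiesOnly
          Get-ActiveSyncVirtualDirectory -ADPropertiesOnly) |
        ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ClientAccessService | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

function Test-NameCovered([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry (*.domain.com) matches exactly one label, per RFC 6125
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

$chain   = New-Object Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($local)
$missing = @($hosts | Where-Object { -not (Test-NameCovered $_ $certNames) })

$checks = [ordered]@{
    'Has private key'       = $local.HasPrivateKey
    'Not yet expired'       = $local.NotAfter -gt (Get-Date)
    'Valid for 30+ days'    = $local.NotAfter -gt (Get-Date).AddDays(30)
    'Chain builds'          = $chainOk
    'All hostnames covered' = $missing.Count -eq 0
}
$checks.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if (-not $chainOk) { $chain.ChainStatus | ForEach-Object { "  chain: $($_.StatusInformation.Trim())" } }
if ($missing)      { "  not covered by a SAN: $($missing -join ', ')" }
if (@($checks.Values) -notcontains $false) {
    # -Force skips the "overwrite the default SMTP certificate" prompt
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS,SMTP -Force
    'Certificate enabled; run iisreset /noforce to apply the new IIS binding'
} else {
    Write-Warning 'Pre-flight checks failed; certificate was NOT enabled'
}
```

On Exchange 2013 replace Get-ClientAccessService with Get-ClientAccessServer; the AutoDiscoverServiceInternalUri property is the same.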

Detailed Solutions

Solution 1: Request New Certificate (Public CA)

Generate Certificate Request
# Generate new certificate request
$request = New-ExchangeCertificate -GenerateRequest -SubjectName "cn=mail.domain.com" -DomainName mail.domain.com,autodiscover.domain.com,webmail.domain.com -PrivateKeyExportable $true -KeySize 2048

# Save request to file
$request | Out-File "C:\Certs\ExchangeCSR.txt"

# Submit this CSR to your Certificate Authority (DigiCert, Comodo, etc.)
Write-Host "Submit C:\Certs\ExchangeCSR.txt to your CA"

# After receiving the certificate, import it and then enable it for the services (see Quick Fix above):
# Import-ExchangeCertificate -FileName "C:\Certs\CertFromCA.cer"

Solution 2: Use Internal CA (Enterprise)

Request from Internal CA
# Request certificate from internal Enterprise CA
$template = "WebServer"  # Your web server template name
$ca = "DC01.domain.local\Domain-CA"  # Your CA server (for reference only; Get-Certificate locates the CA through the AD enrollment policy)

# Create certificate request and submit to CA
$cert = Get-Certificate -Template $template -CertStoreLocation Cert:\LocalMachine\My -DnsName mail.domain.com,autodiscover.domain.com -SubjectName "CN=mail.domain.com"

# If auto-enrollment works, the certificate is issued immediately. If the template requires
# CA manager approval, Status is "Pending" and .Certificate is empty, so stop here.
if ($cert.Status -ne 'Issued') { throw "Request status is $($cert.Status); retrieve the issued certificate later with Get-Certificate -Request" }

# Enable for Exchange
Enable-ExchangeCertificate -Thumbprint $cert.Certificate.Thumbprint -Services IIS,SMTP

iisreset /noforce

Solution 3: Temporary Self-Signed (Emergency Only)

Create Self-Signed Certificate (Temporary)
# WARNING: a self-signed certificate causes client warnings - use only in emergencies
$selfSigned = New-ExchangeCertificate -Services IIS,SMTP -DomainName mail.domain.com,autodiscover.domain.com -FriendlyName "Exchange Temporary Certificate" -PrivateKeyExportable $true

Write-Host "Self-signed certificate created: $($selfSigned.Thumbprint)"
Write-Host "WARNING: Clients will see certificate warnings until you install a proper CA-signed certificate"

iisreset /noforce

Verify the Fix

Verify New Certificate
# Check certificate is assigned correctly
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Select-Object Subject, Thumbprint, NotAfter, Services | Format-List

# Test HTTPS connectivity
$urls = @(
    "https://mail.domain.com/owa/healthcheck.htm",
    "https://mail.domain.com/autodiscover/autodiscover.xml"
)
foreach ($url in $urls) {
    try {
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Host "[OK] $url" -ForegroundColor Green
    } catch {
        Write-Host "[FAIL] $url" -ForegroundColor Red
    }
}

# Inspect the certificate presented over HTTPS (a 4xx/5xx response still completes the TLS handshake)
$webRequest = [Net.HttpWebRequest]::Create("https://mail.domain.com")
try { $webRequest.GetResponse().Close() } catch [Net.WebException] { }
$cert = $webRequest.ServicePoint.Certificate
Write-Host "Certificate Subject: $($cert.Subject)"
Write-Host "Valid Until: $($cert.GetExpirationDateString())"

Prevention Tips

Certificate Management Best Practices

  • Set calendar reminders 90, 60, and 30 days before expiration
  • Use certificate monitoring tools or scripts
  • Document all certificate details in a runbook
  • Consider longer validity periods (2-3 years where allowed)
  • Keep backup copies of certificates with private keys

Certificate Monitoring Script
# Add to scheduled task for monitoring
$threshold = 30  # Days before expiration to alert
Get-ExchangeCertificate | Where-Object {
    $_.Services -match "IIS" -and $_.NotAfter -lt (Get-Date).AddDays($threshold)
} | ForEach-Object {
    $daysLeft = ($_.NotAfter - (Get-Date)).Days
    Write-Host "WARNING: Certificate $($_.Subject) expires in $daysLeft days!" -ForegroundColor Yellow
    # Send-MailMessage alert here
}
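The checks in Verify the Fix and the monitoring script above read what Exchange believes is bound; what a client actually receives can differ (a stale IIS binding before iisreset, or a load balancer terminating TLS with its own certificate). The probe below is an added example, not from the original article: it performs a TLS handshake to each hostname with SNI, validates the presented certificate's chain, and compares its thumbprint with the certificate Exchange has enabled for IIS. Hostnames, port and threshold are assumed defaults.

```powershell
# Added example (not from the original article): client-side certificate probe; hostnames, port and threshold are assumed defaults.
param(
    [string[]]$HostNames = @('mail.domain.com', 'autodiscover.domain.com'),
    [int]$Port = 443,
    [int]$ThresholdDays = 30
)

function Get-ServedCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so it can be captured; validation follows
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
                   ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $served  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain   = New-Object Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($served)
        [PSCustomObject]@{
            HostName   = $HostName
            Subject    = $served.Subject
            Thumbprint = $served.Thumbprint
            NotAfter   = $served.NotAfter
            DaysLeft   = [int][Math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)
            ChainOk    = $chainOk
            ChainError = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally { $tcp.Close() }
}

# Thumbprint Exchange has enabled for IIS (only available inside the Exchange Management Shell)
$expected = $null
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    $expected = (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
                 Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
}

foreach ($h in $HostNames) {
    try   { $r = Get-ServedCertificate -HostName $h -Port $Port }
    catch { Write-Warning "$h : TLS connection failed ($($_.Exception.Message))"; continue }
    $problems = @()
    if ($r.DaysLeft -lt 0)                  { $problems += 'EXPIRED' }
    elseif ($r.DaysLeft -lt $ThresholdDays) { $problems += "expires in $($r.DaysLeft) days" }
    if (-not $r.ChainOk)                    { $problems += "chain: $($r.ChainError)" }
    if ($expected -and $r.Thumbprint -ne $expected) {
        $problems += 'served certificate differs from the one enabled for IIS (stale binding or load balancer?)'
    }
    if ($problems) { Write-Warning "$h : $($problems -join '; ')" }   # hook Send-MailMessage or ticketing here
    else           { "$h : OK - $($r.Subject), valid until $($r.NotAfter.ToShortDateString())" }
}
```

Run it from a machine outside the Exchange server as well, so the chain is evaluated against a client's trust store rather than the server's.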

When to Escalate

Contact Exchange specialists if:

  • Certificate import fails with errors
  • Private key is missing or corrupted
  • Complex SAN certificate requirements
  • Hybrid configuration certificate issues
  • Multiple Exchange servers need coordinated update

Need Expert Help?

Our Exchange Certificate Team handles certificate renewals with zero-downtime procedures. We can also help with complex wildcard and SAN certificate configurations.

Frequently Asked Questions

Check certificate expiration using Get-ExchangeCertificate in PowerShell. Look at the NotAfter property. Browsers will also show certificate warnings, and users may see "Your connection is not private" errors when accessing OWA.

Still Stuck? We Can Help

Our Exchange Server experts have resolved thousands of issues just like yours.

  • Remote troubleshooting in 95 minutes average
  • No upfront commitment or diagnosis fees
  • Fix-it-right guarantee with documentation

Medha Cloud Exchange Server Team

Microsoft Exchange Specialists

Our Exchange Server specialists have 15+ years of combined experience managing enterprise email environments. We provide 24/7 support, emergency troubleshooting, and ongoing administration for businesses worldwide.
