I got an email recently saying my Exchange SSL Certificate had been auto-renewed. That’s fine, it’s one of the services that GoDaddy do well. I use them for all my SSL certificate needs, but this is the first time I’ve had an auto-renewal.
However, installing it wasn’t quite as easy as “auto-renewal” implies.
When I logged on to the portal to see what the next steps were, the certificate was sat ready for me to download. This was confusing – I’m sure I’ve had to issue a request first in the past!
I couldn’t see an obvious way of importing the certificate to a server that already had a functioning certificate, so I did a bit of googling to see what was what. I found this support community page which is marked as Solved and appeared to be the same question that I had:
I have an expiring SSL certificate this month for Exchange 2010. The SSL certificate got automatically renewed, and therefore there is no CSR. How do import this certificate as I have not created a CSR?
Unfortunately, the “solution” was not that. It simply said to download and install the certificate, which didn’t seem possible in my circumstances. It was marked as solved even though the question asker replied to the answer saying very clearly their answer was useless!
It turns out that the Auto-generated certificate is not much use outside of very simple website applications, where a certificate can be blindly imported and bound.
The answer is that you still have to actually raise a CSR on your server.
In our case (Exchange 2010), that means the following steps:
- In the Exchange Management Console, go to Server Configuration
- Right-click on the existing certificate and choose “Renew Exchange Certificate”
- Save the CSR file to somewhere accessible from your workstation
- Open the file in Notepad, select all, and copy
- Go to https://certs.godaddy.com/cert and log in
- Click on the certificate name
- Choose “Re-Key & Manage”
- Click on the + symbol next to “Re-Key certificate”
- Paste the CSR into the box and click Save
- Click “Submit All Saved Changes”
Now GoDaddy will process your certificate. No problem though, thanks to the auto-renewed but useless certificate they made before, all the authorisations are already done. In my case, within a minute or so I had my email confirming my certificate was ready for download.
I downloaded the certificate, unzip it, and transferred the files back to the Exchange server. I will ignore the Intermediate certificate here – they only change rarely, and the current one for the last few years won’t expire until 2031. The following steps are needed:
- In Exchange Management Console, go to Server Configuration again
- Right-click the certificate request from the list of certificates and click “Complete Pending Request”
- Browse and select the certificate – change file type to “All Files(*.*)” as the certificate has a .crt extension
- Click “Complete”
- Right-click on the same certificate again, and choose “Assign Services to Certificate”
- Choose the appropriate server then services – in most cases this is all of them except UC – see what is bound to the old expiring certificate
- Click “Assign” then “Finish”
You may then need to refresh the view, but there should be a green tick next to your new certificate, a yellow triangle on the expiring one, and maybe a red cross if you still have an expired one there. You can delete the old ones but there’s no real need.
A final step I would highly recommend is to put a reminder in your calendar to give you decent warning of the expiry date of your new certificate. As well as not panic-rushing a new certificate in place, it allows you to cancel the auto-renew (and associated invoice) before it happens if it’s not needed.