Franky's Web

Renew the certificate for the Exchange Server Back End

I have already written several times about configuring certificates on Exchange servers, but mostly about the front end certificates. Exchange servers also have a back end, and it is configured with a self-signed certificate. The back end certificate does not need to be replaced by a publicly valid certificate or by one from your own PKI; the self-signed certificate is completely sufficient for the back end. It is important, however, that the back end certificate with the display name "Microsoft Exchange" is valid and present, otherwise web services such as OWA and ECP will not start:

The "Microsoft Exchange" certificate is bound to the "Exchange Back End" website in the IIS Manager:

Exchange servers report expiring certificates in the Event Viewer; a message about an expiring certificate looks like this, for example:

Here is the text of the message:

Log Name: Application
Event ID: 12018
Source: MSExchangeTransport

The STARTTLS certificate will expire soon: subject: FQDN, thumbprint: THUMBPRINT, expires: 08.03.2023 11:49:08. Run the New-ExchangeCertificate cmdlet to create a new certificate.

The "Microsoft Exchange" certificate is valid for 5 years and should be renewed in good time. If the certificate has been accidentally deleted or is otherwise no longer available, please continue reading here:

If the certificate is due for renewal, a new certificate can be issued quite quickly with a small script and configured for the Exchange back end. I have published the script on GitHub:

The script only needs to be copied to the respective Exchange server and executed there. It issues a new self-signed certificate based on the existing "Microsoft Exchange" certificate, copies it to the Trusted Root Certification Authorities store and finally assigns it to the "Exchange Back End" website in IIS.

After the script has run, the new certificate is already in use by Exchange. It is a good idea to restart IIS with "iisreset". If there are no problems, the old certificate can be deleted; the script does not delete it automatically. If there are problems with renewing the certificate, please send the error messages via the contact form or directly on GitHub.
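As an added illustration of the three steps above (my own PowerShell, not the script from the GitHub link), assuming it runs in the Exchange Management Shell on the Exchange server itself with the WebAdministration module available; the friendly name and the IIS site name are the ones named in the article:

```powershell
# Added example, not the article's script. Run in the Exchange Management Shell
# on the Exchange server. Assumes the WebAdministration module is present.
Import-Module WebAdministration

$friendlyName = "Microsoft Exchange"
$siteName     = "Exchange Back End"

# 1. Locate the current back end certificate by its display name
#    (newest one wins if several exist, e.g. after an earlier renewal).
$old = Get-ExchangeCertificate -Server $env:COMPUTERNAME |
       Where-Object { $_.FriendlyName -eq $friendlyName } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $old) { throw "No certificate with friendly name '$friendlyName' found." }
Write-Host ("Current certificate {0} expires {1}" -f $old.Thumbprint, $old.NotAfter)

# 2. Issue a new self-signed certificate based on the old one. Piping the
#    existing certificate into New-ExchangeCertificate reuses its subject and
#    domain names; -Force suppresses the "overwrite default SMTP certificate" prompt.
$new      = $old | New-ExchangeCertificate -PrivateKeyExportable $true -Force
$newThumb = $new.Thumbprint
Write-Host ("New certificate {0} expires {1}" -f $newThumb, $new.NotAfter)

# 3. Copy the new certificate into the machine's Trusted Root Certification
#    Authorities store so the self-signed chain validates locally.
$cert  = Get-ChildItem "Cert:\LocalMachine\My\$newThumb"
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $newThumb })) {
    $store.Add($cert)
}
$store.Close()

# 4. Rebind every HTTPS binding of the "Exchange Back End" site to the new certificate.
foreach ($binding in Get-WebBinding -Name $siteName -Protocol https) {
    $binding.AddSslCertificate($newThumb, "My")
}

# 5. Verify: each HTTPS binding of the site must now carry the new thumbprint.
$stale = Get-WebBinding -Name $siteName -Protocol https |
         Where-Object { $_.certificateHash -ne $newThumb }
if ($stale) { throw "At least one '$siteName' binding still uses the old certificate." }
Write-Host "Back end binding now uses $newThumb. Run 'iisreset' to finish; old certificate $($old.Thumbprint) was left in place."
```

The old certificate is deliberately left in place, as in the article, so it can be removed by hand once OWA and ECP are confirmed working.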
