KJR - Replace Exchange Cert

Generate a new Certificate request using these two commands within the Exchange Managemnet Shell on the Exchange Server  (modify friendly name and file name accordingly).

$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Exchange2025-2026" -SubjectName "C=GB,CN=remote.kjrefrigeration.co.uk" -DomainName remote.kjrefrigeration.co.uk,autodiscover.kjrefrigeration.co.uk,www.remote.kjrefrigeration.co.uk,mail.kjrefrigeration.co.uk

[System.IO.File]::WriteAllBytes('\\KJRExchange\C$\Temp\Cert2025-2026.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

Open the generated CSR file in notepad and copy contents of Certificate request including begin and end lines.

The Certificate Request will be visible within Certlm.msc

and also within the Exchange Control Panel web GUI with a status of Pending Request

In the Certificate issuer's portal (e.g. GoDaddy) choose the Rekey option on the newly generated certificate, pasting in the CSR text from the CSR file. Occasionally a certificate rekey will require domain validation via DNS record, but most times it completes within a minute or two if you refresh the page

Download the newly generated Certificate from the issuer and copy to the Exchange Server.

Run the following command to import the Cert into the local cert store and register with Exchange (modify path to the new CRT file).

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\kjrexchange\c$\temp\remote.kjrefrigeration.co.uk_2025\6335408e996174ad.crt'))

The new cert will now show up in the Personal Store of certlm.msc

And also in the Exchange Control Panel as Valid

The final step is to assign the services to the new cert to match the current one by clicking the Edit Pencil and choosing the Services page.  Theses are normally IMAP, POP, IIS and SMTP.

Test by browsing to the OWA page mail.kjrefrigeration.co.uk and checking the Certificate expiry date