Built for Exchange Server
The pre-built Exchange deployment template ships in your CertKit account. No scripting required.
An on-premises Exchange server (2016, 2019, or Subscription Edition) assigns its SSL certificate to services by thumbprint. When the certificate renews, OWA, ECP, EWS, ActiveSync, Autodiscover, and SMTP keep using the old one until someone imports the new certificate and enables it for those services. Every 47 days. On every Exchange server you run. (Exchange Online manages its own certificates. This page is for the servers you operate.)
CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your Exchange servers automatically via the CertKit Agent and enables it for the IIS and SMTP services through the Exchange Management Shell.
The pre-built Exchange deployment template ships in your CertKit account. No scripting required.
The CertKit Agent imports the renewed PFX into the Windows Certificate Store and runs
Enable-ExchangeCertificate for the IIS and SMTP services. Webmail, Outlook
connectivity, mobile sync, and connector TLS start using the new certificate
immediately. No EAC wizard, no thumbprint copying, no missed enablement.
The pre-built Exchange template ships with your CertKit account. Enable it once on each server. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
New-ExchangeCertificate -GenerateRequest with every name Exchange
answers to, at minimum mail.yourdomain.com and
autodiscover.yourdomain.com. A SAN (UCC) certificate covers them in one.
A wildcard certificate works too.
Import-ExchangeCertificate on the server, or complete the pending
request in the Exchange Admin Center.
Enable-ExchangeCertificate -Services IIS,SMTP with the new
thumbprint and confirm the prompt to replace the default SMTP certificate.
This is the step renewals miss: importing alone leaves OWA and Outlook
on the old certificate.
Every one of these steps is manual, and Exchange won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, renewal stops being an annual chore and becomes a recurring task: eight times a year, on every server. Miss one and every Outlook client in the company throws a certificate warning at once.
At 47 days, automation is the only sustainable way to run Exchange certificates. Here's how CertKit does it.
Your Exchange server CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ │ │ │ │ ┌───────────────┐ │ Issue & Renew │◄──►│ │ │ │ CertKit Agent │◄──┤ Certificates │ │ │ │ └─────────┬─┬───┘ │ ┌───┐ └─────────────┘ │ │ │ │ └───────────┬────│DNS│ │ Cert store ◄─┘ │ │ │ └───┘ │ [x] Updated │ │ │ │ │ │ │ │ IIS + SMTP ◄───┘ │ ◄───────────────┘ │ [x] Enabled │ Verify └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your Exchange servers do not run ACME, no open ports, no DNS credentials. They just run the agent, which imports the certificate and enables it through the Exchange Management Shell locally.
CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.
Richard Hicks, Consultant and Microsoft MVP
Enabling the certificate for IIS and SMTP covers everything users touch. One missed enablement shows up in all of them at once.
This is the public SSL certificate, not the self-signed Microsoft Exchange Server Auth Certificate or the delegation federation certificate. Those are internal Exchange certificates with their own renewal procedures, and an expired auth certificate is its own outage. The certificate on this page is the one your users and mail partners see.
Enable-ExchangeCertificate through the Exchange
Management Shell, so OWA, ECP, EWS, ActiveSync, Autodiscover, Outlook Anywhere,
and connector TLS present the renewed certificate immediately. No confirmation
prompt, no missed service.
The Exchange Admin Center's renewal wizard produces a CSR and stops. Submitting it, importing the result, enabling the services, and copying the certificate to the other servers stay manual, and the enablement step is the one that gets skipped under time pressure.
Per-server ACME clients are a poor fit for a mail server. HTTP-01 validation means port 80 open to the internet on the machine that handles company mail. DNS-01 means DNS provider credentials stored on it. And when several Exchange servers share one SAN certificate, per-server ACME has no distribution mechanism at all. CertKit issues the certificate via delegated DNS validation handled centrally, then the agent on each server imports and enables it as one verified step, with no ACME client on the server.
Most Windows environments have more than one place where certificates live: IIS, SQL Server, Reporting Services, Network Policy Server, RRAS, and Always On VPN, plus Azure Key Vault for the hybrid side. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.