← Integrations

Automated SSL certificate renewal for on-premises Exchange Server

Exchange won't enable a renewed certificate on its own. CertKit will.

An on-premises Exchange server (2016, 2019, or Subscription Edition) assigns its SSL certificate to services by thumbprint. When the certificate renews, OWA, ECP, EWS, ActiveSync, Autodiscover, and SMTP keep using the old one until someone imports the new certificate and enables it for those services. Every 47 days. On every Exchange server you run. (Exchange Online manages its own certificates. This page is for the servers you operate.)

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your Exchange servers automatically via the CertKit Agent and enables it for the IIS and SMTP services through the Exchange Management Shell.

Start free trial Watch demo

Built for Exchange Server

The pre-built Exchange deployment template ships in your CertKit account. No scripting required.

The CertKit Agent imports the renewed PFX into the Windows Certificate Store and runs Enable-ExchangeCertificate for the IIS and SMTP services. Webmail, Outlook connectivity, mobile sync, and connector TLS start using the new certificate immediately. No EAC wizard, no thumbprint copying, no missed enablement.

The pre-built Exchange template ships with your CertKit account. Enable it once on each server. CertKit handles every renewal after that.

How to renew the SSL certificate on Exchange Server

The manual process, if you want to do it yourself:

  1. Create the certificate request. Run New-ExchangeCertificate -GenerateRequest with every name Exchange answers to, at minimum mail.yourdomain.com and autodiscover.yourdomain.com. A SAN (UCC) certificate covers them in one. A wildcard certificate works too.
  2. Submit the CSR to a certificate authority. Purchase a certificate or use a free ACME CA, then wait for the signed certificate file to come back.
  3. Import the signed certificate. Run Import-ExchangeCertificate on the server, or complete the pending request in the Exchange Admin Center.
  4. Enable it for services. Run Enable-ExchangeCertificate -Services IIS,SMTP with the new thumbprint and confirm the prompt to replace the default SMTP certificate. This is the step renewals miss: importing alone leaves OWA and Outlook on the old certificate.
  5. Repeat on every server. Export the PFX, import and enable it on each Exchange server, then remove the old certificate everywhere.

Every one of these steps is manual, and Exchange won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, renewal stops being an annual chore and becomes a recurring task: eight times a year, on every server. Miss one and every Outlook client in the company throws a certificate warning at once.

At 47 days, automation is the only sustainable way to run Exchange certificates. Here's how CertKit does it.

How it works

 Your Exchange server      CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│                   │     │                  │    │             │
│     ┌───────────────┐   │  Issue & Renew   │◄──►│             │
│     │ CertKit Agent │◄──┤   Certificates   │    │             │
│     └─────────┬─┬───┘   │                ┌───┐  └─────────────┘
│               │ │ │     └───────────┬────│DNS│
│ Cert store  ◄─┘ │ │                 │    └───┘
│ [x] Updated     │ │                 │
│                 │ │                 │
│ IIS + SMTP  ◄───┘ │ ◄───────────────┘
│ [x] Enabled       │       Verify
└───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your Exchange servers do not run ACME, no open ports, no DNS credentials. They just run the agent, which imports the certificate and enables it through the Exchange Management Shell locally.

CertKit is an invaluable tool for administrators managing public TLS certificates in Microsoft environments like Always On VPN (SSTP) and DirectAccess (IP-HTTPS), as it simplifies and fully automates Let's Encrypt certificate issuance and renewal. CertKit eliminates the security risks and complexities of manual DNS challenges or API key exposure.

Richard Hicks, Consultant and Microsoft MVP

Every Exchange service rides on this certificate

Enabling the certificate for IIS and SMTP covers everything users touch. One missed enablement shows up in all of them at once.

Webmail and admin OWA, ECP Outlook connectivity EWS, MAPI, Outlook Anywhere, Autodiscover Mobile devices Exchange ActiveSync Mail flow SMTP connector TLS

This is the public SSL certificate, not the self-signed Microsoft Exchange Server Auth Certificate or the delegation federation certificate. Those are internal Exchange certificates with their own renewal procedures, and an expired auth certificate is its own outage. The certificate on this page is the one your users and mail partners see.

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent on each Exchange server. One command on each server running the mailbox role. The agent runs as a Windows service and needs no inbound firewall rules.
  3. Add the Exchange deployment script. The pre-built template is in your account. Save it and CertKit imports the certificate and enables it for IIS and SMTP on every renewal.

See the full architecture →

Why not the EAC wizard or per-server ACME?

The Exchange Admin Center's renewal wizard produces a CSR and stops. Submitting it, importing the result, enabling the services, and copying the certificate to the other servers stay manual, and the enablement step is the one that gets skipped under time pressure.

Per-server ACME clients are a poor fit for a mail server. HTTP-01 validation means port 80 open to the internet on the machine that handles company mail. DNS-01 means DNS provider credentials stored on it. And when several Exchange servers share one SAN certificate, per-server ACME has no distribution mechanism at all. CertKit issues the certificate via delegated DNS validation handled centrally, then the agent on each server imports and enables it as one verified step, with no ACME client on the server.

Exchange is just one part of your Windows stack

Most Windows environments have more than one place where certificates live: IIS, SQL Server, Reporting Services, Network Policy Server, RRAS, and Always On VPN, plus Azure Key Vault for the hybrid side. CertKit automates all of it from one account.

See all integrations

Start automating Exchange certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing