SMTP certificate renewal and EDGE subscription

I have had to renew SMTP certificate on EDGE servers. Here is the procedure how to renew certificate and re-create Edge subscription. This procedure starts,when CSR is created and we have received certificate from trusted CA.

1. Import new certificate
To import certificate to local certification store run:

import-exchangecertificate -FileData ([byte[]]$(Get-Content -Path "D:\tempo\certificate_mx1_2013.cer" -Encoding Byte -ReadCount 0))

2. Connect pending request to certificate
If step 1 failed to connect certificates together inside certification store run:

certutil -repairstore my "1268f7300044bc90ff426d5f515d3729"

Explanation can be found in my previous article:

3. Enable new Exchange certificate for SMTP service
Before certificate can be used, it must have been enabled for particular services.

Enable-ExchangeCertificate  -services SMTP


[PS] C:\Windows\system32>Enable-ExchangeCertificate 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP

Overwrite the existing default SMTP certificate?

Current certificate: 'C661DC9E16FB391EDA2A852C3514AD035D710F68' (expires 4/27/2013 2:59:59 AM)
Replace it with certificate: '81315B240A62B5B5AD5570AA58A06D90B4B90B7E' (expires 4/28/2014 2:59:59 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this
Edge Transport server is subscribed to an Active Directory site, you must  subscribe it again by using the
New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.
[PS] C:\Windows\system32> 

4. Restart transport service and AD LDS service
At this moment e-mail stop to flow to this EDGE server, because AD LDS is using new certificate and Edge is subscribed via old one.

5. Create subscription file (XML) on Edge server ans copy it to HUB server
We don´t need to create connectors for EDGE Subscription, since those are already created. EDGE must be subscribed to AD site within 24 hours after creation of subscription file.

New-EdgeSubscription -FileName d:\subscription_2013.xml -Site <SITE_NAME> -CreateIternetSendConnector $false -CreateInboundSendConnector $false


[PS] C:\Windows\system32>New-EdgeSubscription -FileName d:\subscription_2013.xml -Site Default-First-Site-Name -CreateIternetSendConnector $false -CreateInboundSendConnector $false

The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

6. Subscribe EDGE server on HUB by subscription file (XML).
We need to re-create trusted connection between Edge server and HUB servers. Subscribtion needs to be re-created, because AD LDS needs to use new certificate instead of old one. It is enough to subscribe each EDGE server once per subsciption.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "D:\subscription_2013.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

7. Restart EDGE server
Just to be sure all settings are applied before tests.

8. Test Edge Subscription
If the test is not successfulm you receive error.

Test-EdgeSynchronization -FullCompareMode

Successful result:

[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode

RunspaceId                  : 4f4c61e7-1059-43fc-963b-877641087e2a
SyncStatus                  : Normal
UtcNow                      : 4/26/2013 6:43:50 AM
Name                        : EDGE
LeaseHolder                 : CN=HUB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrati
                              ve Groups,CN=OR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=SALONOVI,DC=cz
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 4/26/2013 7:12:12 AM
LastSynchronizedUtc         : 4/26/2013 6:42:12 AM
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
RemoteDomainStatus          : NotSynchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 6
CookieRecords               : Number of cookies 2

9. Test mailflow

10. To start Edge synchronization manually



[PS] C:\Windows\system32>Start-EdgeSynchronization

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Configuration
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Recipients
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0


Problems with certificate renewal Exchange 2010 / Exchange 2013 coexistence, Failed to enable constraints


I have a LAB, with Exchange 2010 / Exchange 2013 in coexitence:

  • 1 Exchange 2010 CHM
  • 2 DAG servers with FrontEnd and Backend roles and HAProxy load balancer

I have selected renew Exchange Certificate from EMC and got certificate request. Requested certificatee renewal on Startcom Certification authority -> Completed pending request


When I was trying to renew certificate for SMTP / TLS, I started to get error message on the Picture.


It was not possible to do anything with certificates in EMC, because list was empty.


  • Run EMS
  • List certificates
Get-ExchangeCertificate | Select Status,Thumbprint,Notafter,Services | ft -Autosize
  • In the list you will see pending requests

List of certificates

  • Complete pending request
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path Z:Z_DOKUMENTYSALONOVI.CZSMTP_certifikat_renewal_2013_2.cer -Encoding byte -ReadCount 0))
completed pending request
  • Check certificate if it is valid
Get-ExchangeCertificate <Thumbprint> |fl ; Thumprint from previous command
  • Assign services to certificate (Requires confirmation to overwrite existing SMTP certificate)
Get-ExchangeCertificate <Thumbprint> | Enable-ExchangeCertificate -Services SMTP
Assigning Services
  • Once CSR is completed an all certificates are in place, it is possible to access  certificates in EMC again.