The default self-signed certificate in the Exchange 2013 Mailbox role – what should I do with it?
In Exchange 2013, both the Mailbox and CAS roles come with a default SAN certificate that is configured during the install. The self-signed certificate on the CAS server should be replaced by a third-party or an internal PKI certificate as part of the configuration.
The self-signed cert on the Mailbox role is configured the same way as the one on the CAS:
- It is a SAN cert.
- It is self-signed.
- It has the server NetBIOS name and FQDN as the SAN entries.
- It is valid for 5 years.
Now come the questions.
Should I replace it with a third party or internal PKI cert? The answer is NO.
Should I delete it, as all clients connect through CAS? The answer is NO again.
What should I do then? The answer is simple – leave it alone ;)
That is right. You shouldn’t replace or delete the self-signed cert on the Mailbox role. Just leave it untouched. Now the real question: why do I need it?
This cert is used to encrypt the communication between the CAS and the Mailbox server. Since the certificate is created and signed by Exchange, all Exchange servers in your organization, including the CAS, trust it automatically. This is why clients don’t get a pop-up saying the certificate is not trusted, even though the Mailbox role is responsible for everything to do with the user’s mailbox. Hence you don’t need a third-party or internal PKI certificate for it. You shouldn’t delete it either, as that will break secure client communication through the CAS. No additional configuration is required on this certificate.
For God’s sake, leave it alone ;)
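Since the advice is to leave the Mailbox-role cert in place and only renew it when it runs out, the check a practitioner wants is a read-only audit of that cert. The script below is an added example, not code from the original post: it lists the self-signed certificates on a Mailbox server with their SAN entries, enabled services and days to expiry, and flags only the expiry. The $WarnDays threshold and the running of it from the Exchange Management Shell on an Exchange 2013 server are assumptions.

```powershell
# Added example (not from the original post): audit the Exchange self-signed
# certificate(s) on a Mailbox server. Read-only: it never deletes or replaces.
# Assumed: run in the Exchange Management Shell on Exchange 2013; the 90-day
# warning threshold is an arbitrary choice for this example.
param(
    [string]$Server   = $env:COMPUTERNAME,
    [int]   $WarnDays = 90
)

# The post says the default cert carries the NetBIOS name and the FQDN as SANs,
# so resolve both for the server being audited.
$fqdn    = [System.Net.Dns]::GetHostEntry($Server).HostName
$netbios = $Server.Split('.')[0]

# Get-ExchangeCertificate is the Exchange cmdlet; IsSelfSigned, NotAfter,
# CertificateDomains and Services are properties of the objects it returns.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.IsSelfSigned } |
    ForEach-Object {
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        $domains  = @($_.CertificateDomains | ForEach-Object { $_.ToString() })

        # Per the post: the only action ever needed on this cert is a renewal
        # (Get-ExchangeCertificate -Thumbprint <t> | New-ExchangeCertificate)
        # when it approaches expiry; otherwise leave it alone.
        if ($daysLeft -lt $WarnDays) {
            $action = 'Renew (pipe it to New-ExchangeCertificate)'
        } else {
            $action = 'Leave alone'
        }

        [pscustomobject]@{
            Server        = $Server
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Services      = $_.Services.ToString()
            DaysToExpiry  = $daysLeft
            HasNetbiosSAN = ($domains -contains $netbios)
            HasFqdnSAN    = ($domains -contains $fqdn)
            Action        = $action
        }
    } | Format-Table -AutoSize
```

A self-signed cert with both SAN flags true, Services including SMTP and a positive DaysToExpiry is the expected healthy state on a Mailbox server; a false SAN flag means the cert is not the default one the post describes.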
We are using Exchange 2010, some servers with dedicated CAS roles and others with Mailbox and CAS. To confirm: if we only had Mailbox roles on some servers, would these Mailbox servers also need the 3rd-party SAN certificate?
I deleted the default self-signed certificate on my CAS and configured an internal CA. Question: do I need to use the certificate from CAS to Mailbox?
Thanks!
Hi Mankz,
You don’t have to do anything on the Mailbox server. The default certs are fine.
Is it the same for Exchange 2010?
No Tshark, the cert goes on the CAS role in 2010. And on the Hub role if you use domain security etc.
Where does the client traffic get decrypted? I got confused when I read this sentence from one article: The job of decrypting the RPC from HTTP now rests within the mailbox server responsible for the user’s database.
Does this mean the client traffic gets decrypted at the CAS, is then encrypted with an Exchange self-signed certificate, and is then decrypted again at the Mailbox side?
So, what will happen 5 years later when the self-signed cert has expired? Do we need to renew it? Thanks.
Hi Kevin,
Yes, you need to. And the option is there to renew as well. But in 5 years’ time, you may move to a later Exchange version ;)
Hi,
My self-signed certificates on Exchange 2013 Mailbox servers in a DAG are going to expire in 3 months. How do I renew them?
Hi Sharaf,
You can renew the self-signed certificate and enable it for all services from PowerShell. Check https://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
For the CAS servers, would you recommend a single 3rd-party cert that uses a generic name as the primary name, i.e. mail.example.com, and put the host names in the SAN field, i.e. CAS01, CAS02, etc., and then install that cert on all CAS servers? Or would it be better to order a cert for each CAS server that uses its hostname as the primary name, then put the generic names (mail.example.com, autodiscover.example.com) in the SAN field?
A single cert for all CAS is fine. Don’t do a per-CAS cert, that is madness and it will break the authentication as well.
And don’t use server names in the cert, it is not required as long as all URLs are re-pointed to a load-balanced one.