The default self-signed certificate in the Exchange 2013 mailbox role – what should I do with it?
In Exchange 2013, both the Mailbox and CAS roles come with a default SAN certificate configured during the install. The self-signed certificate on the CAS server should be replaced by a third-party or internal PKI certificate as part of the configuration.
The config of the self-signed cert on the mailbox role is the same as the one on the CAS.
- It is a SAN cert.
- It is self-signed.
- It has the server NetBIOS name and FQDN as the SAN entries.
- It is valid for 5 years.
Now come the questions.
Should I replace it with a third party or internal PKI cert? The answer is NO.
Should I delete it, as all clients connect through CAS? The answer is NO again.
What should I do then? The answer is simple – leave it alone ;)
That is right. You shouldn’t replace or delete the self-signed cert on the mailbox role. Just leave it untouched. Now the real question: why do I need it?
This cert is used to encrypt the communication between the CAS and the Mailbox server. Because the certificate is created and signed by Exchange, all Exchange servers in your organization, including the CAS, trust it automatically. This is why clients won’t receive a pop-up saying the certificate is not trusted, even though the mailbox role is responsible for everything to do with the user’s mailbox. Hence, you don’t need a third-party or internal PKI certificate. You shouldn’t delete it, as that will break your secure client communication through the CAS. No additional configuration is required on this certificate either.
For God’s sake, leave it alone ;)
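Leaving the cert alone doesn't mean ignoring it. The Exchange Management Shell snippet below is an added example (not from the original post) that confirms the mailbox server still has a self-signed certificate with the properties described above; the server name "MBX01" is a placeholder you replace with your own.

```powershell
# Added example: audit the default self-signed certificate on a Mailbox server.
# "MBX01" is a placeholder server name; replace it with your Mailbox server.
$server = "MBX01"
$fqdn   = [System.Net.Dns]::GetHostEntry($server).HostName

# Get-ExchangeCertificate is the Exchange cmdlet; IsSelfSigned, CertificateDomains,
# NotAfter, Services and Status are properties of the certificate objects it returns.
$certs = Get-ExchangeCertificate -Server $server | Where-Object { $_.IsSelfSigned }

if (-not $certs) {
    Write-Warning "No self-signed certificate found on $server. CAS-to-Mailbox traffic will not be secured as expected."
}

foreach ($cert in $certs) {
    # SAN entries should include both the NetBIOS name and the FQDN of the server.
    $domains    = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $hasNetbios = $domains -contains $server
    $hasFqdn    = $domains -contains $fqdn
    $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [PSCustomObject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        SelfSigned      = $cert.IsSelfSigned
        HasNetbiosSAN   = $hasNetbios
        HasFqdnSAN      = $hasFqdn
        Services        = $cert.Services
        Status          = $cert.Status
        DaysUntilExpiry = $daysLeft
    }

    # The default cert is issued for 5 years; flag it well before it runs out.
    if ($daysLeft -lt 90) {
        Write-Warning "Self-signed certificate $($cert.Thumbprint) on $server expires in $daysLeft days."
    }
}
```

Run it from the Exchange Management Shell with an account that can read certificates on the target server; a missing cert, a missing SAN entry or a short remaining lifetime is what you want to catch here, not something to fix by replacing the certificate with a PKI one.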