

Certificate Renewal using the DigiCertUtil Tool

Renewing the Certificate

There are multiple ways to renew a certificate. Today we will renew one using the DigiCertUtil tool.
DigiCertUtil.exe makes it easy to (from the DigiCert site):

1: See all the SSL certificates installed on your server.
2: Easily view details for each certificate.
3: Fix intermediate certificate problems with one click.
4: Create a CSR, and export and import your certificates to make a backup or move them between servers.
5: Test a certificate to verify its private key is functional.
6: Repair a certificate whose private key exists on the server but is not correctly associated with the certificate.
Download and Install the DigiCertUtil Tool as shown below:

Double click


Click Run


This opens a new “EULA Agreement” window -> click I Accept


This will show you the certificate details as shown below:



Here we need to export the current certificate and then import the new certificate.
First we need to generate the CSR. To generate the CSR:

Highlight the Certificate and click Create CSR

Click Yes


Select SSL


Fill the details per your requirement



Click Generate. Once it is created, you will see a pop-up message that the certificate request has been successfully created.

Select “Save to file”



After saving the file, send it to the client for purchasing the new certificate, or,
if you are the client, proceed with purchasing the new certificate.
After you get the new certificate, make sure you export the old certificate before importing.

Exporting the Old Certificate

Select the old certificate that is about to expire and click “Export Certificate” below.


Select the first option, “Yes”, as shown below and click Next.


This will prompt for a password; provide and confirm it, then click Next.



Save the old certificate to a different location.

Click Browse and save it.



Browse and save the file with the .pfx extension.


Click Finish

Click OK



Now highlight the old certificate and click Import

Here you need to browse to the new certificate.



Select the first one with the .crt extension and click Open.


After browsing the New Certificate, click Next



You can give it a friendly name.

Click Finish



Once you click Finish, you will get a pop-up message that the certificate was successfully imported.
Click OK



Here we can see both the new and old certificates.

Now it’s time to check that everything looks good. To confirm, double-click the new certificate.



Go to the Details tab and select Subject Alternative Name; here the Value should point to DNS Name=”Your Certificate Friendly Name”

Click OK


Now it is time to test the key.

Click Test Key; this should report success without any errors.

Click Close.


After testing, we need to enable the services using the command:

Enable-ExchangeCertificate -Thumbprint "34123n41nr12rweqrn213jk4nr" -Services IIS, IMAP, POP, SMTP

To run this command, open the Exchange Management Shell -> Run as Administrator.

Get the thumbprint of the new certificate as shown below and run the command.

Type N

The -DoNotRequireSSL switch should be used like this:
Enable-ExchangeCertificate -Thumbprint "34123n41nr12rweqrn213jk4nr" -Services IIS, IMAP, POP, SMTP -DoNotRequireSSL

Press Enter and type N


Now check OWA functionality.

Open OWA and click the lock symbol; this should show the valid certificate details.
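
The enable-and-verify steps above as one script. This is an added example, not code from the original post: $subjectName and $owaHost are placeholder values, and it assumes the renewed certificate is the one with the latest expiry date for that name.

```powershell
# Added example. Run in the Exchange Management Shell as Administrator.
# Placeholders (assumptions, not from the post): set both for your environment.
$subjectName = 'mail.example.com'   # DNS name on the renewed certificate
$owaHost     = 'mail.example.com'   # host name clients use to reach OWA

# 1. List certificates that cover the name, latest expiry first.
$certs = @(Get-ExchangeCertificate | Where-Object {
        ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $subjectName
    } | Sort-Object NotAfter -Descending)
$certs | Format-Table Thumbprint, NotBefore, NotAfter, HasPrivateKey, Services -AutoSize

# 2. Pre-flight checks on the candidate before touching any service binding.
if ($certs.Count -eq 0) { throw "No certificate found for $subjectName" }
$new = $certs[0]
$now = Get-Date
if (-not $new.HasPrivateKey) { throw "$($new.Thumbprint): no private key on this server" }
if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) { throw "$($new.Thumbprint): outside its validity period" }

# 3. Enable it, using the thumbprint read from the store instead of retyping it.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS, IMAP, POP, SMTP
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Subject, Services, Status

# 4. Confirm the HTTPS endpoint now serves that certificate.
$tcp = New-Object System.Net.Sockets.TcpClient($owaHost, 443)
try {
    # Validation is bypassed only to read the served certificate; nothing is sent over the channel.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($owaHost)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}
if ($served.Thumbprint -eq $new.Thumbprint) {
    "OK: $owaHost serves $($served.Thumbprint), expires $($served.NotAfter)"
} else {
    Write-Warning "$owaHost serves $($served.Thumbprint), expected $($new.Thumbprint)"
}
```

If OWA is published through a load balancer or reverse proxy that terminates TLS, step 4 reports that device's certificate, which has to be renewed separately.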



After confirming, you can proceed with deleting the old certificate.

Go back to DigiCertUtil, select the Old Certificate -> Right click and click Delete Certificate



Click Yes


This should give a pop-up message that it has been successfully deleted.
Click OK


Great! Now we can see only the new certificate in the DigiCertUtil tool.


Happy Learning…..


Praveen Kumar

MCTS, MCITP | Exchange Server

Publisher @ Techrid.com
