How to renew the Exchange Edge Server SMTP certificate

Although it's not a mandatory role, the Exchange Edge server is one of the best SMTP relays and security servers available. It can be the entrance point of your organization, while also filtering and securing the messages that flow inside.

The Exchange Edge server needs a certificate assigned to the SMTP service that can be used to achieve secure connections with outside servers or for authentication with the inside HUB transport server, if there's an Edge subscription in place.

If you're using the self-signed certificate and it's approaching the expiration date, now it's probably the time to renew it. In order to do that, follow these steps:

1. Open the Exchange Management Shell and run the following cmdlet: Get-ExchangeCertificates.
2. Copy the thumbprint and then run this command: Get-ExchangeCertificate -Thumbprint  | New-ExchangeCertificate.
3. Run Get-ExchangeCertificates again and copy the new thumbprint.
4. Enable the certificate for SMTP: Enable-ExchangeCertificate -Services:"SMTP".

We now need to rebuild the Edge subscription:

1. On the Edge server run: New-EdgeSubscription –FileName "C:\EdgeSubscription.xml".
2. Copy the EdgeSubscription.xml file to the internal Hub Transport server.
3. On the Hub Transport server remove the existing subscription, by using the Exchange Management Console (Organization > Hub Transport) or by runing the cmdlets Get-EdgeSubscription and then Remove-EdgeSubscription.
4. Create the new Edge subscription by using the EMC or by using PowerShell: New-EdgeSubscription -FileName "C:\EdgeSubscription.xml".

Read Next