How to renew WMSVC-SHA2 certificate in Exchange Server
https://www.alitajran.com/renew-wmsvc-certificate-exchange-server/
You want to renew the WMSVC-SHA2 certificate because it’s expiring. Another reason is that the WMSVC-SHA2 certificate is missing, and the Web Management Service service can’t be started. You get errors in IIS and event logs about this. In this article, you will learn how to renew the WMSVC-SHA2 certificate in Exchange Server.
Exchange Server WMSVC certificate
There are three default certificates created when installing Exchange Server:
- Microsoft Exchange Server Auth Certificate
- Microsoft Exchange
- WMSVC or WMSVC-SHA2 (depends on the Exchange Server version)
Important: Do not delete the WMSVC (Web Management Service) certificate. The WMSVC is a self-signed certificate and is necessary for remote management of the web server.
WMSVC-SHA2 certificate error
Let’s look at what happens when the WMSVC-SHA2 certificate is missing or not attached to the Web Management Service service on the Exchange Server.
Start Windows Services Manager and select Web Management Service. Click on Start.
An error appears:
Windows could not start the Web Management Service on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -217483640.
Let’s start Internet Information Services (IIS) Manager. Click on the Exchange Server and double-click Management Service.
The SSL certificate is missing in Management Service, and there are two alerts:
- The Management Service (WMSVC) is stopped. The service must be started to remotely manage the Web server by using IIS Manager.
- Could not retrieve the Management Service (WMSVC) settings.
Start Event Viewer. Click on Windows Logs > Application. Filter on Event ID 1007.
The description for Event ID 1007 from source Microsoft-Windows-IIS-IISManager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE
Unable to read the certificate with thumbprint ‘9556b4f47d7c90dcc7e25163299335a825a874f0’. Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.
Process:WMSvc
User=NT AUTHORITY\LOCAL SERVICE
The message resource is present but the message was not found in the message table
Click System and filter on Event ID 7024.
The Web Management Service service terminated with the following service-specific error:
Unspecified error
We have confirmed that the WMSVC-SHA2 certificate is missing on the Exchange Server and that the corresponding errors appear in Event Viewer.
How to renew WMSVC-SHA2 certificate
We will create a new WMSVC certificate and attach it correctly to the Web Management Service service so everything will work as expected. If you have a WMSVC certificate that is going to expire and you want to renew it, the same steps apply.
In our example, the WMSVC certificate was accidentally deleted because the engineer thought the certificate was not attached to any Exchange Server services and was doing nothing.
Note: You have to go through all the steps on every Exchange Server where the WMSVC-SHA2 certificate is missing or where you want to renew it.
1. Create new WMSVC-SHA2 certificate
Create a new WMSVC-SHA2 certificate in Exchange Server.
Run Exchange Management Shell as administrator. Run the New-ExchangeCertificate cmdlet and fill in the details:
- SubjectName: The subject field of the certificate request. This needs to be set as CN=WMSvc-SHA2-ExchangeServerHostName
- FriendlyName: The friendly name of the certificate. This needs to be set as WMSVC-SHA2.
- Services: The services that you want to enable the self-signed certificate for. This needs to be set as None.
- KeySize: The size (in bits) of the RSA public key. This needs to be set as 2048.
- PrivateKeyExportable: Allows you to export/import the certificate to other Exchange Servers. This needs to be set as $true.
The only change you need to make in the command below is to replace EX01-2019 with your Exchange Server hostname.
2. Copy new WMSVC-SHA2 certificate
Copy the new WMSVC-SHA2 certificate from the Personal store to the Trusted Root Certification Authorities store.
Start Microsoft Management Console (MMC) and add the Certificates snap-in.
Select Computer account and click Next.
Click on OK.
Expand the folders Personal > Certificates. Right-click the new certificate and click on Copy.
Expand the folders Trusted Root Certification Authorities > Certificates. Right-click on the folder Certificates and click Paste.
Verify that the new WMSVC-SHA2 self-signed certificate appears in the list.
3. Verify new WMSVC-SHA2 certificate in Exchange Server
Sign in to Exchange Admin Center. Click servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization.
Verify that the new WMSVC-SHA2 certificate appears in the list and ensure no services are assigned.
4. Remove old certificate
Select the old certificate, if available, and click the delete icon in the toolbar.
You will have only one WMSVC-SHA2 certificate in the certificates list.
Go back to MMC and expand the folders Personal > Certificates. Verify that you only see one WMSVC-SHA2 Exchange certificate.
Expand the folders Trusted Root Certification Authorities > Certificates. Right-click the old WMSVC-SHA2 certificate, if available, and click Delete.
Only the new WMSVC-SHA2 certificate needs to appear in the list.
5. Assign WMSVC-SHA2 certificate to Web Management Service service
Start Internet Information Services (IIS) Manager. Click on Exchange Server > Management Service.
Select the WMSVC-SHA2 certificate that you created in step 1. Click Apply.
Click Start.
Go to Windows Services Manager and verify that the Web Management Service service is started.
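The five steps above, scripted as one added PowerShell example that is not from the original article. It uses the New-ExchangeCertificate parameters listed in step 1 together with the Get-ExchangeCertificate, Remove-ExchangeCertificate, Export-Certificate and Import-Certificate cmdlets; EX01-2019 is the placeholder hostname from step 1, the temporary .cer path under $env:TEMP is an assumption, and step 5 (binding the certificate in IIS Manager > Management Service) is still done in the GUI as described above. Run it in Exchange Management Shell as administrator on each Exchange Server.

```powershell
# Added example (not from the article). Replace EX01-2019 with your own
# Exchange Server hostname; the value here is a placeholder.
$HostName = 'EX01-2019'
$Subject  = "CN=WMSvc-SHA2-$HostName"

# Remember any existing WMSVC-SHA2 certificate so the old one can be removed in step 4.
$OldCerts = Get-ExchangeCertificate -Server $HostName |
    Where-Object { $_.Subject -like 'CN=WMSvc-SHA2*' -or $_.FriendlyName -eq 'WMSVC-SHA2' }

# Step 1: create the new self-signed certificate with the parameters from step 1
# (no services assigned, 2048-bit RSA key, exportable private key).
$NewCert = New-ExchangeCertificate -Server $HostName `
    -SubjectName $Subject `
    -FriendlyName 'WMSVC-SHA2' `
    -Services None `
    -KeySize 2048 `
    -PrivateKeyExportable $true
$Thumb = $NewCert.Thumbprint

# Step 2: copy the new certificate from Personal (My) to Trusted Root (Root).
# Export-Certificate writes only the public certificate (no private key), which is
# all the Root store needs; the temporary file path is an assumption.
$Cer = Join-Path $env:TEMP "WMSvc-SHA2-$HostName.cer"
Export-Certificate -Cert "Cert:\LocalMachine\My\$Thumb" -FilePath $Cer | Out-Null
Import-Certificate -FilePath $Cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item -Path $Cer

# Step 3: verify the new certificate is present and has no services assigned.
Get-ExchangeCertificate -Server $HostName -Thumbprint $Thumb |
    Format-List Subject, FriendlyName, Services, NotAfter, Thumbprint

# Step 4: remove the old certificate(s) from Exchange and from the Root store,
# keeping only the certificate created above.
foreach ($Old in ($OldCerts | Where-Object { $_.Thumbprint -ne $Thumb })) {
    Remove-ExchangeCertificate -Server $HostName -Thumbprint $Old.Thumbprint -Confirm:$false
    $RootCopy = "Cert:\LocalMachine\Root\$($Old.Thumbprint)"
    if (Test-Path -Path $RootCopy) { Remove-Item -Path $RootCopy }
}

# Step 5 is the IIS Manager > Management Service binding described above.
# Once the new certificate is selected and applied there, start the service
# (service name WMSVC) and confirm it reports Running.
Start-Service -Name WMSVC
Get-Service -Name WMSVC | Select-Object Name, Status
```

If Get-Service still shows the service stopped after the binding, re-check Event ID 1007 in the Application log: the thumbprint it reports must match the $Thumb value printed by step 3.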
That’s it!
Conclusion
You learned how to renew the WMSVC-SHA2 certificate in Exchange Server. First, create a new WMSVC-SHA2 certificate. After that, remove the old WMSVC-SHA2 certificate if it is still present. Next, attach the new certificate to the IIS Management Service. Finally, start the Web Management Service service.