{"id":9517,"date":"2026-01-31T15:30:35","date_gmt":"2026-01-31T14:30:35","guid":{"rendered":"https:\/\/exchangeforitpros.blog\/shortening-the-tls-certificate-lifespan\/"},"modified":"2026-01-31T15:39:22","modified_gmt":"2026-01-31T14:39:22","slug":"shortening-the-tls-certificate-lifespan","status":"publish","type":"post","link":"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/","title":{"rendered":"Shortening the TLS certificate lifespan"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Inhalt<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a 
class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#What_was_officially_decided\" >What was officially decided?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#More_than_just_changing_the_IIS_binding\" >More than just changing the IIS binding<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#The_dilemma_no_integrated_official_solution_in_Exchange\" >The dilemma: no integrated, official solution in Exchange<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#Validation_of_domain_sovereignty\" >Validation of domain sovereignty<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#What_does_this_mean_for_you_as_an_Exchange_Admin\" >What does this mean for you as an Exchange Admin?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#Rethinking_architecture\" >Rethinking architecture<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#Establish_processes_for_frequent_changes\" >Establish processes for frequent changes<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" 
href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#Establish_processes_for_frequent_changes-2\" >Establish processes for frequent changes<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#Stumbling_blocks\" >Stumbling blocks<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#What_the_term_reduction_means_in_practice\" >What the term reduction means in practice<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/exchangeforitpros.blog\/en\/shortening-the-tls-certificate-lifespan\/#Conclusion\" >Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n<div id=\"bsf_rt_marker\"><\/div>\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"9517\" class=\"elementor elementor-9517 elementor-9326\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-950a80e e-flex e-con-boxed e-con e-parent\" data-id=\"950a80e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-58139ec8 e-flex e-con-boxed e-con e-parent\" data-id=\"58139ec8\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-5e966152 e-con-full e-flex e-con e-child\" data-id=\"5e966152\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-12e9dfce elementor-widget elementor-widget-text-editor\" data-id=\"12e9dfce\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>Starting March 15, 2029, public TLS certificates will be limited to a maximum validity of 47 days. This change was agreed upon by the CA\/Browser Forum through Ballot SC-081v3, with Apple proposing it and all major browser makers giving their support.  <\/p><p>For Exchange Server, managing certificates manually can sometimes cause mistakes, so having real automation is really helpful. This is especially true in isolated network segments, where setting things up can be even more challenging. <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e3a6146 e-con-full e-flex e-con e-child\" data-id=\"e3a6146\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-20177428 e-con-full e-flex e-con e-child\" data-id=\"20177428\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2295ad63 elementor-widget elementor-widget-heading\" data-id=\"2295ad63\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\">Links<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3d98fb elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"3d98fb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon-list.default\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items\">\n\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cabforum.org\/2025\/04\/11\/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods\/\" target=\"_blank\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span 
class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-external-link-alt\" viewBox=\"0 0 512 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M432,320H400a16,16,0,0,0-16,16V448H64V128H208a16,16,0,0,0,16-16V80a16,16,0,0,0-16-16H48A48,48,0,0,0,0,112V464a48,48,0,0,0,48,48H400a48,48,0,0,0,48-48V336A16,16,0,0,0,432,320ZM488,0h-128c-21.37,0-32.05,25.91-17,41l35.73,35.73L135,320.37a24,24,0,0,0,0,34L157.67,377a24,24,0,0,0,34,0L435.28,133.32,471,169c15,15,41,4.5,41-17V24A24,24,0,0,0,488,0Z\"><\/path><\/svg>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Ballot SC-081v3<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Informationen-und-Empfehlungen\/Quantentechnologien-und-Post-Quanten-Kryptografie\/Post-Quanten-Kryptografie\/post-quanten-kryptografie_node.html\" target=\"_blank\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-external-link-alt\" viewBox=\"0 0 512 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M432,320H400a16,16,0,0,0-16,16V448H64V128H208a16,16,0,0,0,16-16V80a16,16,0,0,0-16-16H48A48,48,0,0,0,0,112V464a48,48,0,0,0,48,48H400a48,48,0,0,0,48-48V336A16,16,0,0,0,432,320ZM488,0h-128c-21.37,0-32.05,25.91-17,41l35.73,35.73L135,320.37a24,24,0,0,0,0,34L157.67,377a24,24,0,0,0,34,0L435.28,133.32,471,169c15,15,41,4.5,41-17V24A24,24,0,0,0,488,0Z\"><\/path><\/svg>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Post-quantum cryptography<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/www.msxfaq.de\/exchange\/e2013\/exchange_edge_zertifikattausch.htm\" 
target=\"_blank\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-external-link-alt\" viewBox=\"0 0 512 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M432,320H400a16,16,0,0,0-16,16V448H64V128H208a16,16,0,0,0,16-16V80a16,16,0,0,0-16-16H48A48,48,0,0,0,0,112V464a48,48,0,0,0,48,48H400a48,48,0,0,0,48-48V336A16,16,0,0,0,432,320ZM488,0h-128c-21.37,0-32.05,25.91-17,41l35.73,35.73L135,320.37a24,24,0,0,0,0,34L157.67,377a24,24,0,0,0,34,0L435.28,133.32,471,169c15,15,41,4.5,41-17V24A24,24,0,0,0,488,0Z\"><\/path><\/svg>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Exchange Edge certificate exchange<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/\" target=\"_blank\">\n\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t<svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-external-link-alt\" viewBox=\"0 0 512 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M432,320H400a16,16,0,0,0-16,16V448H64V128H208a16,16,0,0,0,16-16V80a16,16,0,0,0-16-16H48A48,48,0,0,0,0,112V464a48,48,0,0,0,48,48H400a48,48,0,0,0,48-48V336A16,16,0,0,0,432,320ZM488,0h-128c-21.37,0-32.05,25.91-17,41l35.73,35.73L135,320.37a24,24,0,0,0,0,34L157.67,377a24,24,0,0,0,34,0L435.28,133.32,471,169c15,15,41,4.5,41-17V24A24,24,0,0,0,488,0Z\"><\/path><\/svg>\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">ACME Challenge Types<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-6e87669a e-flex e-con-boxed e-con e-parent\" data-id=\"6e87669a\" data-element_type=\"container\" 
data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-81bc2a8 elementor-widget elementor-widget-heading\" data-id=\"81bc2a8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"What_was_officially_decided\"><\/span>What was officially decided?<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-31cd6a0 e-con-full e-flex e-con e-child\" data-id=\"31cd6a0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6541148 elementor-widget elementor-widget-text-editor\" data-id=\"6541148\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>With CA\/B Forum ballot SC-081v3, a fixed schedule now shortens the maximum validity period of public TLS certificates and of the validation data they are issued on (Domain Control Validation, DCV, and Subject Identity Information, SII). The security rationale: a mis-issued or key-compromised certificate stays trusted for weeks instead of a year, and because many clients do not reliably enforce CRL\/OCSP revocation, expiry becomes the dependable way to retire a certificate. <\/p><p>The key data:<\/p><ul><li>From March 15, 2026: max. 200 days<br>Domain Control Validation (DCV) reusable for up to 200 days <\/li><li>From March 15, 2027: max. 100 days<br>DCV reusable for up to 100 days <\/li><li>From March 15, 2029: max. 
47 days<br>DCV reuse only 10 days <\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aefaf46 elementor-widget elementor-widget-heading\" data-id=\"aefaf46\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"More_than_just_changing_the_IIS_binding\"><\/span>More than just changing the IIS binding<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-13465d5 elementor-widget elementor-widget-text-editor\" data-id=\"13465d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>With classic web servers, the certificate change usually only takes place in the HTTPS binding. In an Exchange organization, however, the whole thing is far more versatile and complex. <\/p><ul><li><strong>HTTPS endpoints<\/strong><br>OWA, EWS, MAPI\/HTTP, AutoDiscover, etc. All are dependent on the certificate you assign in EAC\/EMS<\/li><li><strong>SMTP\/TLS<\/strong><br>A change of certificate directly affects the receive\/send connectors.<\/li><li><strong>Edge Transport<\/strong><br>If edge servers are involved, a certificate swap can affect EdgeSync communication (LDAPS 50636) and thus disrupt the synchronization of configuration and recipient data.  <\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34c99ff elementor-widget elementor-widget-text-editor\" data-id=\"34c99ff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>TLS certificates used on Edge Transport servers are particularly sensitive. The self-signed Exchange default certificate is used for EdgeSync, among other things. 
Accidentally confirming the option &#8220;Overwrite default SMTP certificate?&#8221; when enabling a new certificate replaces the self-signed certificate that the Edge Subscription and the EdgeSync credentials stored in AD LDS are bound to; EdgeSync then stops synchronizing and the Edge Subscription usually has to be removed and recreated.  <\/p><p>Recommendation: Use a public certificate for SMTP that <strong>does not<\/strong> overwrite the standard self-signed certificate for EdgeSync.<\/p><div>Frank Carius illustrates on MSXFAQ how a <a href=\"https:\/\/www.msxfaq.de\/exchange\/e2013\/exchange_edge_zertifikattausch.htm\" target=\"_blank\" rel=\"noopener\">certificate exchange<\/a> at the Edge affects both <strong>SMTP\/STARTTLS<\/strong> and the <strong>LDAPS binding<\/strong> and which checks\/steps are necessary.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c3f01cd elementor-widget elementor-widget-heading\" data-id=\"c3f01cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"The_dilemma_no_integrated_official_solution_in_Exchange\"><\/span>The dilemma: no integrated, official solution in Exchange<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-28a7097 elementor-widget elementor-widget-text-editor\" data-id=\"28a7097\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>ACME is the standard protocol behind free and many commercial automation channels. Validation must be repeated regularly: from March 2029 a DCV result may be reused for at most 10 days, so in practice every renewal needs a fresh challenge. 
<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af4f43f elementor-widget elementor-widget-text-editor\" data-id=\"af4f43f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>Microsoft describes the certificate procedures (such as creating CSRs, importing and assigning services) in EAC and in the Exchange Management Shell. However, fully automated lifecycle management for public certificates is not integrated, so you create and manage them manually or by script, including service assignment per server and service. The basics of certificates, protocols (TLS 1.2 by default, ECC ciphers preferred) and service dependencies are well documented, but automation paths for public CAs are not.  <\/p><p>This is in line with market developments: The shorter runtimes are driving automation, exactly what Apple and Google have been calling for for years. In 2025, the course has now finally been set. <\/p><p>In short: workarounds are possible, but there is no &#8220;official&#8221; end-to-end automation in Exchange.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4548eb5 elementor-widget elementor-widget-heading\" data-id=\"4548eb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Validation_of_domain_sovereignty\"><\/span>Validation of domain sovereignty<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c807c45 elementor-widget elementor-widget-text-editor\" data-id=\"c807c45\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>ACME is the standard for free and many commercial automation paths. 
Validation must be repeated regularly: from March 2029 a DCV result may be reused for at most 10 days, so every renewal effectively needs a fresh challenge. <\/p><p>ACME supports the following challenge types for validating a domain (DCV)<\/p><ul><li><a title=\"Learn more about HTTP-01-Challenge\" href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/#http-01-challenge\" target=\"_blank\" rel=\"noopener\"><strong>HTTP-01<\/strong><\/a><br>Token via port 80 at <em><strong>\/.well-known\/acme-challenge\/&#8230;<\/strong><\/em> <br>Simple, but it requires a<strong> publicly<\/strong> accessible web server (and port 80 open for incoming traffic).<br><strong>No<\/strong> wildcards.<\/li><li><a title=\"Find out more about the DNS-01 Challenge\" href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/#dns-01-challenge\" target=\"_blank\" rel=\"noopener\"><strong>DNS-01<\/strong><\/a><br>TXT record under <em><strong>_acme-challenge.&lt;domain&gt;<\/strong><\/em>. <br>Allows the use of wildcards and works without a publicly accessible web server. Ideal for DMZ environments or situations where TCP port 80 is not provided, but requires a DNS automation API or manual management. Treat the DNS API credential as a high-value secret: whoever holds it can obtain certificates for any name in the zone. Scope it as narrowly as the provider allows (or delegate <em>_acme-challenge<\/em> via CNAME to a dedicated zone with its own credential) and keep it in a secrets store, not in the script. <\/li><li><a title=\"Learn more about TLS-ALPN-01\" href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/#tls-alpn-01\" target=\"_blank\" rel=\"noopener\"><strong>TLS-ALPN-01<\/strong><\/a><br>Special response via ALPN on port 443. Niche topic, often not supported, but interesting for certain topologies; like HTTP-01 it cannot validate wildcards. 
<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-697acff elementor-widget elementor-widget-heading\" data-id=\"697acff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"What_does_this_mean_for_you_as_an_Exchange_Admin\"><\/span>What does this mean for you as an Exchange Admin?<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d736230 elementor-widget elementor-widget-text-editor\" data-id=\"d736230\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>The upcoming changes to the certificate terms pose special challenges. It is therefore important that we start our preparations early. <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d3f4102 elementor-widget elementor-widget-heading\" data-id=\"d3f4102\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Rethinking_architecture\"><\/span>Rethinking architecture<span class=\"ez-toc-section-end\"><\/span><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-31d5603 elementor-widget elementor-widget-text-editor\" data-id=\"31d5603\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Separate responsibilities<\/strong><br>An external automation point is required for public TLS certificates, for example a reverse proxy, a web gateway or a separate certificate hub that is positioned outside the Exchange subnet. 
This system uses ACME to communicate with the CA and distributes the certificates internally, avoiding the direct connection between the CA and the Exchange server. <\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4aa57a9 elementor-widget elementor-widget-text-editor\" data-id=\"4aa57a9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul>\n<li><strong>Edge Transport special features<\/strong><br>Plan to change SMTP certificates more frequently. The Edge requires a public certificate for SMTP (Partner-TLS, MTA-STS\/Policy-Checks), but you must not simply overwrite the self-signed certificate for EdgeSync. &nbsp;  Since edge transport servers are located in the perimeter network, this makes communication with the TLS ACME endpoint more difficult.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a6b42be elementor-widget elementor-widget-heading\" data-id=\"a6b42be\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Establish_processes_for_frequent_changes\"><\/span>Establish processes for frequent changes<span class=\"ez-toc-section-end\"><\/span><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-294887f elementor-widget elementor-widget-text-editor\" data-id=\"294887f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Standardize namespaces &amp; SANs<\/strong><br>Clearly structured, short certificate subject alternative names (such as <em>mail.contoso.tld,<\/em> <em>autodiscover.contoso.tld<\/em>) facilitate the reissue of certificates and comply with best practices for Exchange namespaces.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-a2a09f9 elementor-widget elementor-widget-text-editor\" data-id=\"a2a09f9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>Cascaded distribution<\/strong><br>Certificates should be generated and renewed centrally (ACME client, commercial tools), exported as a PFX file with a strong password, automatically distributed to all Exchange servers and activated (IIS, SMTP, POP\/IMAP). Keep in mind that the PFX contains the private key: the password only protects it at rest, so transfer it over an authenticated, encrypted channel (for example PowerShell remoting with Kerberos or HTTPS), remove the file from the target after <em>Import-ExchangeCertificate<\/em>, and keep the PFX password out of the script itself.  <\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-368e325 elementor-widget elementor-widget-heading\" data-id=\"368e325\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Establish_processes_for_frequent_changes-2\"><\/span>Establish processes for frequent changes<span class=\"ez-toc-section-end\"><\/span><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4a9e820 elementor-widget elementor-widget-text-editor\" data-id=\"4a9e820\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>ACME via DNS-01<\/strong><br>If Exchange has no Internet connection, a DNS automation path (provider API) can be driven by a management host in the perimeter network. This host answers the challenge, obtains the certificate, exports the PFX file and triggers the remoting for certificate distribution. Mind the direction of trust here: a perimeter host that can remote into the internal Exchange servers holds credentials for them, so a compromise of that DMZ host becomes a foothold on Exchange. Prefer having an internal host pull the PFX from the perimeter host, or restrict the perimeter host to a constrained endpoint (JEA) that can do nothing but import and enable certificates. 
<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53036a1 elementor-widget elementor-widget-text-editor\" data-id=\"53036a1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>PowerShell as a &#8220;crutch&#8221;<\/strong><br>Scripts remain very useful (CSR, Import, Enable), but without scheduling, retry logic, alerting and secrets management they are fragile. At a 47-day lifetime they run roughly every month, so any such weakness will eventually surface as an expired certificate and an outage. <\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2dd23d5 elementor-widget elementor-widget-heading\" data-id=\"2dd23d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Stumbling_blocks\"><\/span>Stumbling blocks<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a9d3eba e-flex e-con-boxed e-con e-parent\" data-id=\"a9d3eba\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d0d0248 elementor-widget elementor-widget-text-editor\" data-id=\"d0d0248\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ol><li><strong>EdgeSync breaks after certificate change<\/strong><br>Symptom: EdgeSync synchronization stops, hybrid mail flow is disrupted. <br>Cause: Wrong certificate on the LDAPS binding because the default (self-signed) certificate was overwritten. <br>Solution: Leave the self-signed certificate for EdgeSync intact (default certificate of the transport service) and enable the public SMTP certificate separately without overwriting it; if the default certificate has already been replaced, expect to recreate the Edge Subscription.  
<\/li><li><strong>AutoDiscover\/Outlook reports certificate warnings<\/strong><br>Cause: SANs incomplete, certificate not distributed to all CAS\/mailbox servers, old thumbprint still active.<br>Solution: Standardize the SAN set, distribute centrally, run <em>Enable-ExchangeCertificate -Services IIS<\/em> on every server, verify with <em>Get-ExchangeCertificate<\/em> that the new thumbprint is the one bound to IIS, and follow up with Outlook\/AutoDiscover tests.<\/li><li><strong>HTTP-01 not possible<\/strong><br>Cause: Hard restriction on incoming TCP 80 connections to the perimeter network<br>Solution: DNS-01 with API automation, taking DNS TTL\/propagation into account and adding retry logic so that slow propagation does not fail the renewal.<\/li><li><strong>Wildcards required <\/strong><br>Solution: Only DNS-01 can validate wildcards. Check whether wildcards are really necessary: a wildcard certificate shares one private key across every host that uses it, so a single compromised server exposes the whole namespace, whereas precise SANs limit the blast radius.  <\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6cc88ab elementor-widget elementor-widget-heading\" data-id=\"6cc88ab\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"What_the_term_reduction_means_in_practice\"><\/span>What the term reduction means in practice<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a4cfc43 elementor-widget elementor-widget-text-editor\" data-id=\"a4cfc43\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul><li><strong>2026<\/strong> \u21d2 200 days: You change certificates at least twice a year. Manual calendar reminders are still sufficient, but easy to overlook. <\/li><li><strong>2027<\/strong> \u21d2 100 days: 4\u00d7 per year. Without automation, unexpected failures become likely. <\/li><li><strong>2029<\/strong> \u21d2 47 days\/10 days DCV: renewing at about two-thirds of the lifetime (roughly every 30 days) means 8-12\u00d7 per year, each with a fresh DCV. Manual management is not sustainable. 
Automation is becoming increasingly important.    <\/li><\/ul><p> <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-085cd66 elementor-widget elementor-widget-text-editor\" data-id=\"085cd66\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>When we talk about shortening, three arguments are usually made: a shorter lifetime shrinks the window in which a compromised or mis-issued certificate can be abused; it makes revocation less critical, which matters because many clients do not reliably check CRLs or OCSP; and it forces the automation that enables crypto-agility, such as moving quickly to new algorithms (for example post-quantum signatures). The security benefit is real. It only materializes, however, if your renewal and distribution processes keep pace, because a failed renewal now turns into an outage within weeks rather than months.    <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-db4f6b4 elementor-widget elementor-widget-heading\" data-id=\"db4f6b4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2a0ce92 elementor-widget elementor-widget-text-editor\" data-id=\"2a0ce92\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p>The decision of the CA\/B Forum members (incl. Apple, Google, Microsoft, Mozilla) is final: public TLS certificates will only be valid for a short time. <\/p><p>Exchange provides useful manual tools, but no integrated, fully automated lifecycle management with a public CA connection, so some of the work remains with you. The way out is automation outside of Exchange, for example with ACME, as a solid foundation, with distribution and activation integrated step by step using scripts. 
This can be well planned, but requires discipline and a clear separation between the automation processes that lead to the Internet and the internal Exchange environment, especially when using Edge Transport.   <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Starting March 15, 2029, public TLS certificates will be limited to a maximum validity of 47 days. This change was agreed upon by the CA\/Browser Forum through Ballot SC-081v3, with Apple proposing it and all major browser makers giving their support. For Exchange Server, managing certificates manually can sometimes cause mistakes, so having real automation [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":9516,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[136,43],"tags":[],"class_list":["post-9517","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exchange-hybrid","category-exchange-server-en"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/exchangeforitpros.blog\/wp-content\/uploads\/2026\/01\/TLS_Certificate_Horror.webp","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/posts\/9517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exchangeforitpr
os.blog\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/comments?post=9517"}],"version-history":[{"count":3,"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/posts\/9517\/revisions"}],"predecessor-version":[{"id":9520,"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/posts\/9517\/revisions\/9520"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/media\/9516"}],"wp:attachment":[{"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/media?parent=9517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/categories?post=9517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exchangeforitpros.blog\/en\/wp-json\/wp\/v2\/tags?post=9517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}