
You want to renew the WMSVC-SHA2 certificate because it’s expiring. Another reason is that the WMSVC-SHA2 certificate is missing, and the Web Management Service service can’t be started. You get errors in IIS and event logs about this. In this article, you will learn how to renew the WMSVC-SHA2 certificate in Exchange Server.

Exchange Server certificates

There are three default certificates created when installing Exchange Server:

  • Microsoft Exchange Server Auth Certificate (self-signed)
  • Microsoft Exchange (self-signed)
  • WMSVC or WMSVC-SHA2 (depends on the Exchange Server version) (self-signed)

In addition to the above default self-signed certificates, you must install a third-party certificate which you obtain from a certification authority (CA) on the Exchange Server:

  • Third-party certificate (CA-signed)

WMSVC-SHA2 certificate error

Let’s look at what happens when the WMSVC-SHA2 certificate is missing or not attached to the Web Management Service service on the Exchange Server.

Start Windows Services Manager and select Web Management Service. Click on Start.

Start Web Management Service service

An error appears:

Windows could not start the Web Management Service on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to the service-specific error code -2147483640.

Web Management Service service could not start error code -2147483640

Let’s start Internet Information Services (IIS) Manager. Click on the Exchange Server and double-click Management Service.

IIS Management Service

The SSL certificate is missing in Management Service, and there are two alerts:

  • The Management Service (WMSVC) is stopped. The service must be started to remotely manage the Web server by using IIS Manager.
  • Could not retrieve the Management Service (WMSVC) settings.

Management Service alerts

Start Event Viewer. Click on Windows Logs > Application. Filter on Event ID 1007.

The description for Event ID 1007 from source Microsoft-Windows-IIS-IISManager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE

Unable to read the certificate with thumbprint ‘9556b4f47d7c90dcc7e25163299335a825a874f0’. Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.

Process:WMSvc
User=NT AUTHORITY\LOCAL SERVICE

The message resource is present but the message was not found in the message table

Error Event 1007 IIS-IISManager

Click System and filter on Event ID 7024.

The Web Management Service service terminated with the following service-specific error:
Unspecified error

Error Event 7024, Service Control Manager

We identified that the WMSVC-SHA2 certificate is missing in Exchange Server, and that the errors appear in Event Viewer.

How to renew WMSVC-SHA2 certificate

We will create a new WMSVC certificate and attach it correctly to the Web Management Service service so everything will work as expected. If you have a WMSVC certificate that is going to expire and you want to renew it, the same steps apply.

Important: Do not delete the WMSVC (Web Management Service) certificate. The WMSVC is a self-signed certificate and is necessary for remote management of the web server.

In our example, the WMSVC certificate was accidentally deleted because the engineer thought the certificate was not attached to any Exchange Server services and was doing nothing.

Note: You have to go through all the steps on every Exchange Server where the WMSVC-SHA2 certificate is missing or where you want to renew it.

1. Create new WMSVC-SHA2 certificate

Create a new WMSVC-SHA2 certificate in Exchange Server.

Run Exchange Management Shell as administrator. Run the New-ExchangeCertificate cmdlet and fill in the details:

  • SubjectName: The subject field of the certificate request. This needs to be set as CN=WMSvc-SHA2-ExchangeServerHostName
  • FriendlyName: The friendly name of the certificate. This needs to be set as WMSVC-SHA2.
  • Services: The services that you want to enable the self-signed certificate for. This needs to be set as None.
  • KeySize: The size (in bits) of the RSA public key. This needs to be set as 2048.
  • PrivateKeyExportable: Allows you to export/import the certificate to other Exchange Servers. This needs to be set as $true.

The only change you need to make in the below command is changing EX01-2019 to your Exchange Server hostname.

New-ExchangeCertificate -SubjectName "CN=WMSvc-SHA2-EX01-2019" -FriendlyName "WMSVC-SHA2" -Services None -KeySize 2048 -PrivateKeyExportable $true

2. Copy new WMSVC-SHA2 certificate

Copy the new WMSVC-SHA2 certificate from the Personal store to the Trusted Root Certification Authorities store.

Start Microsoft Management Console (MMC) and add the Certificates snap-in.

Add certificates snap-in in MMC

Select Computer account and click Next.

Computer account in Certificates snap-in

Click on OK.

Finish certificate snap-in in MMC

Expand the folders Personal > Certificates. Right-click the new certificate and click on Copy.

Copy WMSVC-SHA2 certificate

Expand the folders Trusted Root Certification Authorities > Certificates. Right-click on the folder Certificates and click Paste.

Paste WMSVC-SHA2 certificate

Verify that the new WMSVC-SHA2 self-signed certificate appears in the list.

Verify WMSVC-SHA2 certificate in list

3. Verify new WMSVC-SHA2 certificate in Exchange Server

Sign in to Exchange Admin Center. Click servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization.

Verify that the new WMSVC-SHA2 certificate appears in the list and ensure no services are assigned.

WMSVC-SHA2 certificate assigned to no Exchange Server services

4. Remove old certificate

Select the old certificate, if available, and click the delete icon in the toolbar.

You will have only one WMSVC-SHA2 certificate in the certificates list.

Check WMSVC-SHA2 certificate in Exchange Server certificates list

Go back to MMC and expand the folders Personal > Certificates. Verify that you only see one WMSVC-SHA2 Exchange certificate.

Check WMSVC-SHA2 certificate in Personal certificates list

Expand the folders Trusted Root Certification Authorities > Certificates. Right-click the old WMSVC-SHA2 certificate, if available, and click Delete.

Only the new WMSVC-SHA2 certificate needs to appear in the list.

Check WMSVC-SHA2 certificate in Trusted Root Certification Authorities certificates list

5. Assign WMSVC-SHA2 certificate to Web Management Service service

Start Internet Information Services (IIS) Manager. Click on Exchange Server > Management Service.

Select the WMSVC-SHA2 certificate that you created in step 1. Click Apply.

Apply WMSVC-SHA2 certificate to Management Service

Click Start.

Start Management Service (WMSVC) service

Go to Windows Services Manager and verify that the Web Management Service service is started.

Web Management Service service started

That’s it!
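To confirm the state the article diagnoses (Event ID 1007 and 7024, missing certificate) and to verify the result of steps 1 to 5 on a server, here is an added PowerShell check that is not part of the original article. It assumes the Management Service stores the thumbprint of the bound certificate in the SslCertificateHash value under HKLM:\SOFTWARE\Microsoft\WebManagement\Server, and that the service name is WMSVC; both are assumptions not stated on the page.

```powershell
# Added example (not from the original article): reports the WMSVC-SHA2 certificate state
# on the local Exchange Server. Assumption: the Management Service keeps the bound
# certificate thumbprint as REG_BINARY SslCertificateHash under
# HKLM:\SOFTWARE\Microsoft\WebManagement\Server, and the service is named WMSVC.

function Test-WmsvcCertificate {
    [CmdletBinding()]
    param([string]$FriendlyName = 'WMSVC-SHA2')

    # Certificates with the expected friendly name in the Personal and Trusted Root stores
    $personal = @(Get-ChildItem Cert:\LocalMachine\My   | Where-Object { $_.FriendlyName -eq $FriendlyName })
    $root     = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.FriendlyName -eq $FriendlyName })

    # Thumbprint the Management Service is configured to use (assumed registry location)
    $regPath   = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
    $hashBytes = (Get-ItemProperty -Path $regPath -Name SslCertificateHash -ErrorAction SilentlyContinue).SslCertificateHash
    $boundThumbprint = if ($hashBytes) { ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join '' } else { $null }

    # The certificate must exist in the Personal store under that thumbprint, or WMSVC fails with 1007
    $bound   = @($personal | Where-Object { $_.Thumbprint -eq $boundThumbprint })
    $service = Get-Service -Name WMSVC -ErrorAction SilentlyContinue

    # Startup failures from the last 7 days: IIS-IISManager 1007 (Application) and SCM 7024 (System)
    $since  = (Get-Date).AddDays(-7)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1007; StartTime = $since } -ErrorAction SilentlyContinue) +
              @(Get-WinEvent -FilterHashtable @{ LogName = 'System';      Id = 7024; StartTime = $since } -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        PersonalStoreCount  = $personal.Count                         # exactly 1 after step 4
        TrustedRootCount    = $root.Count                             # exactly 1 after step 4
        BoundThumbprint     = $boundThumbprint
        BoundCertPresent    = ($bound.Count -eq 1)                    # $false is the situation in the article
        DaysUntilExpiry     = if ($bound.Count -eq 1) { [int]($bound[0].NotAfter - (Get-Date)).TotalDays } else { $null }
        ServiceStatus       = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        StartupErrorsLast7d = $events.Count
    }
}

Test-WmsvcCertificate
```

Run it once before the procedure to capture the failing state and once after step 5; a healthy server shows one certificate in each store, BoundCertPresent $true and ServiceStatus Running.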
