Today I did my annual heart-in-the-mouth exercise of updating the SSL certificates which allow me to access my Exchange accounts remotely, either over the web or via my iPhone. This is more stressful than it needs to be because there ain’t no GUI for the operation. Instead, you have to use the Exchange Command Shell.
I found a couple of good starting points on the process at http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/ and http://www.exchangeinbox.com/article.aspx?i=114. But neither explained that you have to enable the new certificate to be used by both IIS and SMTP before you can remove the old, expired certificate. Not a big deal, but worth noting.
The basic steps are:
- Generate a certificate signing request
- Acquire a certificate based on the certificate signing request (I like StartSSL)
- Import the certificate
- Get the thumbprints for the old, expiring certificate and the new one you just imported. These are necessary to enable or remove specific certificates.
- Enable the new certificate for both IIS and SMTP services
- Remove the old certificate
New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 2048 -DomainName [one or more comma-separated fully-qualified domain names, without quotes] -SubjectName "C=[country], S=[state], L=[locality], OU=[organizational unit; I usually use 'IT', without the quotes], CN=mail.mydomain.com" -PrivateKeyExportable $True
Import-ExchangeCertificate -Path "[path to certificate file]"
Run this on the same server that generated the request: the private key never leaves that machine, so a certificate imported anywhere else will show up without a private key and cannot be enabled for any service.
Get-ExchangeCertificate | fl | Out-File -FilePath c:\certs.txt
You should be able to route the output anywhere, but for some reason I could only get this to work to the root of the C: drive.
Enable-ExchangeCertificate -thumbprint [thumbprint of new certificate] -services "iis,smtp"
You can do this in two separate steps (i.e., run it once for iis and once for smtp). If you forget to enable the certificate for the SMTP service, you won't be able to remove the old certificate because it is still in use by the SMTP service. The error message actually refers to the Transport service, which is the component that handles SMTP in Exchange 2007, so it amounts to the same thing.
Remove-ExchangeCertificate -thumbprint [thumbprint of expiring certificate]
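The steps above require you to copy thumbprints out of a text file by hand, and nothing stops you from removing the old certificate before the new one has actually taken over. The following is an added example (not from the original post) that does the enable-verify-remove part of the procedure in one Exchange Management Shell script: it picks the old and new certificates for a host name by expiry date, enables the new one for IIS and SMTP, re-reads it to confirm both services moved, and only then removes the old one. The host name mail.mydomain.com is an assumption, and it assumes the new certificate has already been imported on this server.

```powershell
# Added example, not part of the original post. Assumes Exchange 2007
# Management Shell and that the new certificate is already imported here.
$hostName = 'mail.mydomain.com'   # assumed host name; change to yours

# All certificates whose subject/SAN list covers the host name, newest expiry first.
# @() keeps this an array even when only one certificate matches.
$certs = @(Get-ExchangeCertificate |
    Where-Object { @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $hostName } |
    Sort-Object NotAfter -Descending)

if ($certs.Count -lt 2) { throw "Expected an old and a new certificate for $hostName, found $($certs.Count)" }
$new = $certs[0]
$old = $certs[1]

# Sanity checks before touching anything
if ($new.NotAfter -le (Get-Date)) { throw "Newest certificate for $hostName is already expired" }
if (-not $new.HasPrivateKey) { throw "New certificate has no private key; import it on the server that generated the CSR" }

Write-Host "New: $($new.Thumbprint) expires $($new.NotAfter)"
Write-Host "Old: $($old.Thumbprint) expires $($old.NotAfter)"

# Enable the new certificate for both services in one go
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP'

# Re-read and confirm both IIS and SMTP are now bound to the new certificate.
# If SMTP did not move, Remove-ExchangeCertificate on the old one will fail anyway.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$svc = $check.Services.ToString()
if (-not ($svc -match 'IIS' -and $svc -match 'SMTP')) {
    throw "New certificate is not enabled for both IIS and SMTP (Services = $svc); not removing the old one"
}

# Only now remove the old certificate
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
```

If you have more than two certificates matching the host name (for example a leftover self-signed one from setup), check the printed thumbprints against your certs.txt before trusting the "second newest is the old one" assumption; the script deliberately removes only that one certificate.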
One of the reasons I like StartSSL is because, once you’ve authenticated yourself, you can get certificates for any domain you own for no additional cost. That really starts getting significant if you have multiple domains.