Exchange 2007, Outlook Anywhere and SSL Certificates

Today I did my annual heart-in-the-mouth exercise of updating the SSL certificates which allow me to access my Exchange accounts remotely, either over the web or via my iPhone. This is more stressful than it needs to be because there ain’t no GUI for the operation. Instead, you have to use the Exchange Management Shell.

I found a couple of good starting points on the process at http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/ and http://www.exchangeinbox.com/article.aspx?i=114. But neither explained that you have to enable the new certificate to be used by both IIS and SMTP before you can remove the old, expired certificate. Not a big deal, but worth noting.

The basic steps are:

  1. Generate a certificate signing request:

     New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 2048 -DomainName [one or more comma-separated fully-qualified domain names, without quotes] -SubjectName "C=[country], S=[state], L=[local community], OU=[organizational unit; I usually use 'IT', without the quotes], CN=mail.mydomain.com" -PrivateKeyExportable $True

     Every name clients will use to reach the server belongs in -DomainName (the name Outlook Anywhere, OWA and the iPhone connect to, plus autodiscover.mydomain.com); those names end up in the certificate's Subject Alternative Name list, and a name that is missing there produces certificate warnings on the client.

  2. Acquire a certificate based on the certificate signing request (I like StartSSL).

  3. Import the certificate:

     Import-ExchangeCertificate -Path "[path to certificate file]"

  4. Get the thumbprints for the old, expiring certificate and the new one you just imported. These are necessary to enable or remove specific certificates:

     Get-ExchangeCertificate | fl | Out-File -FilePath c:\certs.txt

     You should be able to route the output anywhere, but for some reason I could only get this to work to the root of the C: drive.

  5. Enable the new certificate for both the IIS and SMTP services:

     Enable-ExchangeCertificate -Thumbprint [thumbprint of new certificate] -Services "IIS,SMTP"

     You can do this in two separate steps (i.e., run it once for IIS and once for SMTP). If you forget to enable the certificate for the SMTP service, you won’t be able to remove the old certificate, because it is still in use by the SMTP service. The actual error message refers to the Transport service, which is what Exchange calls its SMTP role.

  6. Remove the old certificate:

     Remove-ExchangeCertificate -Thumbprint [thumbprint of expiring certificate]
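The whole renewal as one script, added here as a worked example; it is not the post's own script. It assumes the Exchange 2007 Management Shell, placeholder host names (mail.example.com, autodiscover.example.com), placeholder paths and a placeholder subject DN, and that Import-ExchangeCertificate writes the imported certificate object to the pipeline so the new thumbprint can be captured directly. The one thing it adds to the steps above is a check that the new certificate really is bound to both IIS and SMTP before anything is removed, which is exactly the point where the manual procedure fails with the Transport service error.

```powershell
# Added example for this post (not the author's own script): the whole renewal
# as one Exchange 2007 Management Shell script, with a check that the new
# certificate really is bound to IIS and SMTP before the old one is removed.
# Host names, paths and the DN are placeholders; replace them with your own.

$csrPath  = 'C:\myReq.csr'
$certPath = 'C:\mail.example.com.cer'        # file returned by the CA
$names    = 'mail.example.com', 'autodiscover.example.com'
$subject  = 'C=US, S=Washington, L=Seattle, OU=IT, CN=mail.example.com'

# Step 1: generate the CSR. Every name clients connect to goes in -DomainName;
# the CN repeats the primary name.
New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
    -DomainName $names -SubjectName $subject -PrivateKeyExportable $true

# Step 2: submit $csrPath to the CA and save the issued certificate as $certPath.
# The rest of the script assumes that file is now present.
if (-not (Test-Path $certPath)) { throw "Issued certificate not found at $certPath" }

# Step 3: import. Import-ExchangeCertificate writes the certificate object to
# the pipeline (assumption stated in the lead-in), so the thumbprint can be
# captured here instead of being copied out of a text file.
$new = Import-ExchangeCertificate -Path $certPath
$newThumb = $new.Thumbprint
Write-Host "Imported $newThumb, valid until $($new.NotAfter)"

# Step 4: see what is currently bound to which service before touching anything.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize

# Step 5: bind the new certificate to IIS (OWA, Outlook Anywhere, ActiveSync)
# and SMTP (Transport), then verify the binding before going any further.
Enable-ExchangeCertificate -Thumbprint $newThumb -Services 'IIS,SMTP'
$bound    = Get-ExchangeCertificate -Thumbprint $newThumb
$services = "$($bound.Services)"
if ($services -notmatch 'IIS' -or $services -notmatch 'SMTP') {
    throw "New certificate is bound to '$services', expected IIS and SMTP; not removing the old one"
}

# Step 6: remove the previous certificate(s) issued for the same public name.
# Selecting on CertificateDomains rather than on Subject is an assumption made
# so that the server's self-signed certificate (which carries the internal host
# name, not the public one) stays out of the selection.
# Remove-ExchangeCertificate still prompts before each removal.
$old = Get-ExchangeCertificate | Where-Object {
    $_.Thumbprint -ne $newThumb -and
    (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $names[0])
}
if ($old) {
    foreach ($cert in $old) {
        Write-Host ("Removing {0} (expires {1})" -f $cert.Thumbprint, $cert.NotAfter)
        Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint
    }
} else {
    Write-Host "No previous certificate for $($names[0]) found; nothing to remove"
}
```

Run it in two sittings: everything up to step 2 before you go to the CA, and the rest once the issued certificate is on disk. The verification after Enable-ExchangeCertificate is what makes the script safe to re-run: if the binding did not take, it stops with the old certificate still in place rather than leaving Transport without a certificate it is willing to use.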

One of the reasons I like StartSSL is because, once you’ve authenticated yourself, you can get certificates for any domain you own for no additional cost. That really starts getting significant if you have multiple domains.
