Action Plan for adding an SSL Certificate to Exchange Server

First you need to know that the purpose of the protection certificate is to secure all data that passes between the server and the user in an encrypted and private way so that it cannot exploited by a hacker.

Dealing with security certificates is a sensitive process that may stop some of your services if you do not pay attention, so I have added some notes that may help you to avoid such problems.

This article includes some things like:

• How to request Cert Req
• How to import & install
• How to check
• Tips

SSL Certificate Action Plan

Firstly, obtain a certificate from any certificate issuing authority such as Verisign, Godaddy, DigiCert etc...

which is done by accessing the internet site for the certificate authority and checking out the required certificate. In our case, we will use an UCC certificate from godaddy valid for 2 years and every 2 years we will renew it. Here are the required steps for configuring the certificate:

1. Register your account at http://www.godaddy.com
2. Go to SSL Plans https://ie.godaddy.com/web-security/ssl-certificate  and select UCC cert type
3. Select valid for 2 years for example
4. provide the domain names to secure:(EX0.Domain.com,mail1.Domain.com,autodiscover.Domain.com,EX01.Domain.com, mail.Domain.com ..) 
5. We should create CSR (certificate signing request) first.
6. Install an SSL certificate on Exchange using PowerShell

How to Create a Certificate Request with Microsoft Exchange Management Shell

1. Open the Exchange Exchange Management Shell. 
2. At Management Shell command line, type the following command     
3. 
   

   New-ExchangeCertificate -generaterequest -subjectname "c= Yemen,o= ABC Company LTD ,ou=Information Technology,cn= mail.Domain.com" -domainname EX0.Domain.com,mail1.Domain.com,autodiscover.Domain.com,EX01.Domain.com -FriendlyName ExchangeCert -PrivateKeyExportable $true -Keysize 2048 -path c:\certrequest.txt
   
   

4. Replace the information in the command above with your correct organization details:
   
   
   

   information	Value	Abbreviation   on shell	notes
   Common   Name	mail.Domain.com	cn
   Subject   Alternative names	EX0.Domain.com mail1.Domain.com autodiscover.Domain.com EX01.Domain.com	S	Insert the number of names that needed to be secured by this certificate
   Organization	ABC Company LTD	O
   Department	Information  Technology	ou
   City	Mukalla	I
   State	Hadramout	s
   Country	Yemen	c
   Key   Size	2048

      5. The CSR will be saved to c:\certrequest.txt. Open it, and copy the entire contents  into Godady.com as 

       a step of    buying process for the certificate>>Select Exchange Server software >>Specify the email which will 

       receive the certificate  >>Checkout 

      6. After that you can download your new SSL certificate from Godaddy.com>>Manage SSL Certificate page and you can proceed with exchange server SSL installation steps

*Sign in to godaddy.com and you can also manage your SSL certification from here
 and you can add or remove alternative names as shown here.

How to Complete the CSR in Exchange though the GUI 

1-downloaded new (issued) certificate

2-Open Exchange Management Console

1. Copy the certificate that you downloaded from godaddy.com and save it to local disc C:\

2. Start the Exchange Management Shell

3. Use import and enable commands:

Import-ExchangeCertificate -Path C:\mail_ssl-tutorials_com.cer

Enable-ExchangeCertificate -Services “SMTP, IMAP, POP, IIS”  

This should be import  and enabled for the following services: (SMTP, IMAP, POP3 and IIS)
 

4. To verify that your certificate is enabled, you can enter the following command:

Get-ExchangeCertificate -DomainName Domain.com

As a result, you will see the certificate thumbprint,

5. If the certificate was not enabled properly, re-enable it with command indicating the certificate thumbprint:

Enable-ExchangeCertificate -Thumbprint [thumbprint value] -Services “SMTP, IMAP, POP, IIS”

6. You will see overwrite confirmation  "Overwrite existing default SMTP certificate" - click YES to all

If you received the certification with the file extension  *.crt , you may also need to import intermediate and root certificates by using the certificates mmc snap-in.

If you received the certification with file extensions  *.cer, *.p7b, *.p7s,  all intermediate certificates will be already included in the certificate file.

7. Restart the service and check if the certificate and services are working properly.

You may need to reboot the whole system after importing intermediate certificates inside the certificates snap-in if you face service breakdown.

8. Go to your Firewall system (UTM ,NXG,TMG...etc ) certificates area  and import the same certificate to use this certificate during publishing roles like OWA, outlookanywhere, POP3 and IMAP.

For more info, please refer to:

• https://www.kinamo.be/en/support/faq/microsoft-exchange-2010-generate-ssl-certificate-request-csr
• https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-exchange-2007-using-powershell/
• https://www.digifloor.com/ssl-certificate-microsoft-exchange-server-10
  
  

Tips:
Tip1: Renewing SSL CERT-IIS web server will cause OWA to breakdown if you renew SSL incorrectly

• Do a full backup and specially backup IIS' inetpub and config folder
• Export Old Cert.
• Make sure that the IIS is not binding to the expired cert.
• Remove the expired Cert from IIS.
• Remove the service association to the old Cert
• Remove the expired Cert from Exchange console .
• Remove from inside the certificates snapin (mmc)

Get-ExchangeCertificate |FL

remove-ExchangeCertificate -Thumbprint [thumbprint value]

• Restart IIS (iisreset /noforce).
• Upload the renewed Cert through iis by completing Cert Request or import though the power shell as above steps  
• Enable the new SSL Cert, and associate it with the services.
• Make sure that the IIS web server is binding to the new Cert.
• Make Sure that new Cert inside the certificates snapin (mmc) .
• Make sure that the IIS web server is running with https.
• Make sure that the OWA web Pages are running with https
• Check the Client Access Server's Autodiscover service and url  

Tip2: How to use 1 SSL Certification for Multiple Exchange Servers

Just Export SSL Cert + Private Key from Ex01 to Ex02 
Exporting from EX01 :
you can export it through EMC or EAC  >Server configuration >Exchange Certificate >Export  
add location and password..
 or 
you can use command shell on EX01  :

Export-ExchangeCertificate -Thumbprint 5113ae023 972409238481d019862867473897fsde -FileName "C:\Copy\exported_cert.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String 'pass@123' -AsPlainText -Force)

Importing to the second EX02 exchange server :
you can export it through EMC or EAC  >Server configuration >Exchange Certificate >Import
select location and password..
or

Import-ExchangeCertificate -Server Ex02-FileName" \C:\Copy\exported_cert.pfx" -Password (ConvertTo-SecureString -String 'pass@123' -AsPlainText -Force)

or

you can use MMC for importing

On the Exchange, run mmc.exe and add the certificates to the console >Computer account >

Local Computer > click Finish
return to the console and expand as below 

Import your the certificate that you saved before  with the same password that you used before 

Save the certificate in the Personal certificate store.

I hope this article helps you in planning well for this process and avoiding any problems caused by it
If this topic helps you, please do like the article.

Thank you
Hani Alhabshi