First you need to know that the purpose of the protection certificate is to secure all data that passes between the server and the user in an encrypted and private way so that it cannot exploited by a hacker.
Dealing with security certificates is a sensitive process that may stop some of your services if you do not pay attention, so I have added some notes that may help you to avoid such problems.
This article includes some things like:
SSL Certificate Action Plan
Firstly, obtain a certificate from any certificate issuing authority such as Verisign, Godaddy, DigiCert etc...
which is done by accessing the internet site for the certificate authority and checking out the required certificate. In our case, we will use an UCC certificate from godaddy valid for 2 years and every 2 years we will renew it. Here are the required steps for configuring the certificate:
New-ExchangeCertificate -generaterequest -subjectname "c= Yemen,o= ABC Company LTD ,ou=Information Technology,cn= mail.Domain.com" -domainname EX0.Domain.com,mail1.Domain.com,autodiscover.Domain.com,EX01.Domain.com -FriendlyName ExchangeCert -PrivateKeyExportable $true -Keysize 2048 -path c:\certrequest.txt
information |
Value |
Abbreviation on shell |
notes |
Common Name |
mail.Domain.com |
cn |
|
Subject Alternative names |
EX0.Domain.com
mail1.Domain.com
autodiscover.Domain.com
EX01.Domain.com |
S
|
Insert the number of names that needed to be secured by this certificate |
Organization |
ABC Company LTD |
O |
|
Department |
Information Technology |
ou |
|
City |
Mukalla |
I |
|
State |
Hadramout |
s |
|
Country |
Yemen |
c |
|
Key Size |
2048 |
5. The CSR will be saved to c:\certrequest.txt. Open it, and copy the entire contents into Godady.com as
a step of buying process for the certificate>>Select Exchange Server software >>Specify the email which will
receive the certificate >>Checkout
6. After that you can download your new SSL certificate from Godaddy.com>>Manage SSL Certificate page and you can proceed with exchange server SSL installation steps
*Sign in to godaddy.com and you can also manage your SSL certification from here
and you can add or remove alternative names as shown here.
How to Complete the CSR in Exchange though the GUI
1-downloaded new (issued) certificate
2-Open Exchange Management Console
3-Open Server Configuration >>Select Complete bending Request1. Copy the certificate that you downloaded from godaddy.com and save it to local disc C:\
2. Start the Exchange Management Shell
3. Use import and enable commands:
Import-ExchangeCertificate -Path C:\mail_ssl-tutorials_com.cer
Enable-ExchangeCertificate -Services “SMTP, IMAP, POP, IIS”
This should be import and enabled for the following services: (SMTP, IMAP, POP3 and IIS)
4. To verify that your certificate is enabled, you can enter the following command:
Get-ExchangeCertificate -DomainName Domain.com
As a result, you will see the certificate thumbprint,
5. If the certificate was not enabled properly, re-enable it with command indicating the certificate thumbprint:
Enable-ExchangeCertificate -Thumbprint [thumbprint value] -Services “SMTP, IMAP, POP, IIS”
6. You will see overwrite confirmation "Overwrite existing default SMTP certificate" - click YES to all
If you received the certification with the file extension *.crt , you may also need to import intermediate and root certificates by using the certificates mmc snap-in.
If you received the certification with file extensions *.cer, *.p7b, *.p7s, all intermediate certificates will be already included in the certificate file.
7. Restart the service and check if the certificate and services are working properly.
You may need to reboot the whole system after importing intermediate certificates inside the certificates snap-in if you face service breakdown.
8. Go to your Firewall system (UTM ,NXG,TMG...etc ) certificates area and import the same certificate to use this certificate during publishing roles like OWA, outlookanywhere, POP3 and IMAP.
For more info, please refer to:
Tips:
Tip1: Renewing SSL CERT-IIS web server will cause OWA to breakdown if you renew SSL incorrectly
Get-ExchangeCertificate |FL
remove-ExchangeCertificate -Thumbprint [thumbprint value]
Tip2: How to use 1 SSL Certification for Multiple Exchange Servers
Just Export SSL Cert + Private Key from Ex01 to Ex02
Exporting from EX01 :
you can export it through EMC or EAC >Server configuration >Exchange Certificate >Export
add location and password..
or
you can use command shell on EX01 :
Export-ExchangeCertificate -Thumbprint 5113ae023 972409238481d019862867473897fsde -FileName "C:\Copy\exported_cert.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String 'pass@123' -AsPlainText -Force)
Importing to the second EX02 exchange server :
you can export it through EMC or EAC >Server configuration >Exchange Certificate >Import
select location and password..
or
Import-ExchangeCertificate -Server Ex02-FileName" \C:\Copy\exported_cert.pfx" -Password (ConvertTo-SecureString -String 'pass@123' -AsPlainText -Force)
or
you can use MMC for importing
On the Exchange, run mmc.exe and add the certificates to the console >Computer account >
Local Computer > click Finish
return to the console and expand as below
Import your the certificate that you saved before with the same password that you used before
Save the certificate in the Personal certificate store.
I hope this article helps you in planning well for this process and avoiding any problems caused by it
If this topic helps you, please do like the article.
Thank you
Hani Alhabshi
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)