<

Action Plan for adding an SSL Certificate to Exchange Server

Published on
3,412 Points
412 Views
Last Modified:
This article helps you visualize what steps you should be planning when you want to add a certificate to your email server or decide to renew to the expired certificate. This was tested on Exchange 2010, but I am sure that it will apply to higher versions as well.

First you need to know that the purpose of the protection certificate is to secure all data that passes between the server and the user in an encrypted and private way so that it cannot exploited by a hacker.

Dealing with security certificates is a sensitive process that may stop some of your services if you do not pay attention, so I have added some notes that may help you to avoid such problems.


This article includes some things like:


  • How to request Cert Req
  • How to import & install
  • How to check
  • Tips



SSL Certificate Action Plan


Firstly, obtain a certificate from any certificate issuing authority such as Verisign, Godaddy, DigiCert etc...


which is done by accessing the internet site for the certificate authority and checking out the required certificate. In our case, we will use an UCC certificate from godaddy valid for 2 years and every 2 years we will renew it. Here are the required steps for configuring the certificate:


  1. Register your account at http://www.godaddy.com
  2. Go to SSL Plans https://ie.godaddy.com/web-security/ssl-certificate  and select UCC cert type
  3. Select valid for 2 years for example
  4. provide the domain names to secure:(EX0.Domain.com,mail1.Domain.com,autodiscover.Domain.com,EX01.Domain.com, mail.Domain.com ..)
  5. We should create CSR (certificate signing request) first.
  6. Install an SSL certificate on Exchange using PowerShell

How to Create a Certificate Request with Microsoft Exchange Management Shell

  1. Open the Exchange Exchange Management Shell.
  2. At Management Shell command line, type the following command    

  3. New-ExchangeCertificate -generaterequest -subjectname "c= Yemen,o= ABC Company LTD ,ou=Information Technology,cn= mail.Domain.com" -domainname EX0.Domain.com,mail1.Domain.com,autodiscover.Domain.com,EX01.Domain.com -FriendlyName ExchangeCert -PrivateKeyExportable $true -Keysize 2048 -path c:\certrequest.txt
    
    
  4. Replace the information in the command above with your correct organization details:


    information
    Value  
    Abbreviation   on shell
    notes
    Common   Name
    mail.Domain.com
    cn

    Subject   Alternative names
    EX0.Domain.com
    mail1.Domain.com
    autodiscover.Domain.com
    EX01.Domain.com


    S


    Insert the number of names that needed to be secured by this certificate
    Organization
    ABC Company LTD
    O

    Department
    Information  Technology
    ou

    City
    Mukalla
    I

    State
    Hadramout
    s

    Country
    Yemen
    c

    Key   Size
    2048



      5. The CSR will be saved to c:\certrequest.txt. Open it, and copy the entire contents  into Godady.com as

       a step of    buying process for the certificate>>Select Exchange Server software >>Specify the email which will

       receive the certificate  >>Checkout 

     

      6. After that you can download your new SSL certificate from Godaddy.com>>Manage SSL Certificate page and you can proceed with exchange server SSL installation steps

*Sign in to godaddy.com and you can also manage your SSL certification from here
 and you can add or remove alternative names as shown here.

How to install an SSL certificate on Exchange PowerShell


1. Copy the certificate that you downloaded from godaddy.com and save it to local disc C:\

2. Start the Exchange Management Shell

3. Use import and enable commands:

Import-ExchangeCertificate -Path C:\mail_ssl-tutorials_com.cer

Enable-ExchangeCertificate -Services “SMTP, IMAP, POP, IIS”  

This should be import  and enabled for the following services: (SMTP, IMAP, POP3 and IIS)
 

4. To verify that your certificate is enabled, you can enter the following command:

Get-ExchangeCertificate -DomainName Domain.com

As a result, you will see the certificate thumbprint,Text Box: New-ExchangeCertificate -generaterequest -subjectname "c= Yemen,o= ABC Yemen Company LTD ,ou=Information Technology,cn= mail.Domain.com" -domainname EX0.Domain.com,mail1.Domain.com,autodiscover.Domain.com,EX01.Domain.com -FriendlyName ExchangeCert -PrivateKeyExportable $true -Keysize 2048 -path c:\certrequest.txt

5. If the certificate was not enabled properly, re-enable it with command indicating the certificate thumbprint:

Enable-ExchangeCertificate -Thumbprint [thumbprint value] -Services “SMTP, IMAP, POP, IIS”

6. You will see overwrite confirmation  "Overwrite existing default SMTP certificate" - click YES to all

If you received the certification with the file extension  *.crt , you may also need to import intermediate and root certificates by using the certificates mmc snap-in.

If you received the certification with file extensions  *.cer, *.p7b, *.p7s,  all intermediate certificates will be already included in the certificate file.

7. Restart the service and check if the certificate and services are working properly.

You may need to reboot the whole system after importing intermediate certificates inside the certificates snap-in if you face service breakdown.

8. Go to your Firewall system (UTM ,NXG,TMG...etc ) certificates area  and import the same certificate to use this certificate during publishing roles like OWA, outlookanywhere, POP3 and IMAP.


For more info, please refer to:

Tips:
Tip1: Renewing SSL CERT-IIS web server will cause OWA to breakdown if you renew SSL incorrectly

  • Do a full backup and specially backup IIS' inetpub and config folder
  • Export Old Cert
  • Remove the service association to the old Cert
  • Remove the expired Cert from Exchange console and also from inside the certificates snapin (mmc)


Get-ExchangeCertificate |FL
remove-ExchangeCertificate -Thumbprint [thumbprint value]


  • Make sure that the IIS is not binding to the expired cert.
  • Restart IIS (iisreset /noforce).
  • Enable the new SSL Cert, and associate it with the services.
  • Make sure that the IIS web server is binding to the new Cert.
  • Make sure that the IIS web server is running with https.
  • Make sure that the OWA web Pages are running with https
  • Check the Client Access Server's Autodiscover service and url  


Tip2: How to use 1 SSL Certification for Multiple Exchange Servers


Just Export SSL Cert + Private Key from Ex01 to Ex02
Exporting from EX01 :
you can export it through EMC or EAC  >Server configuration >Exchange Certificate >Export  
add location and password..
 or
you can use command shell on EX01  :

Export-ExchangeCertificate -Thumbprint 5113ae023 972409238481d019862867473897fsde -FileName "C:\Copy\exported_cert.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String 'pass@123' -AsPlainText -Force)


Importing to the second EX02 exchange server :
you can export it through EMC or EAC  >Server configuration >Exchange Certificate >Import
select location and password..

or

Import-ExchangeCertificate -Server Ex02-FileName" \C:\Copy\exported_cert.pfx" -Password (ConvertTo-SecureString -String 'pass@123' -AsPlainText -Force)


or

you can use MMC for importing



On the Exchange, run mmc.exe and add the certificates to the console >Computer account >

Local Computer > click Finish
return to the console and expand as below 


Import your the certificate that you saved before  with the same password that you used before 

Save the certificate in the Personal certificate store.




I hope this article helps you in planning well for this process and avoiding any problems caused by it
If this topic helps you, please do like the article.

Thank you
Hani Alhabshi



 

0
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free