SSL certificates are issued for a fixed period spanning a number of years (typically 1, 2 or more years); eventually they expire and need to be renewed.
The renewal process involves generating a fresh CSR (Certificate Signing Request) on one of your Exchange Client Access servers; this is then sent to a root certification authority (for example VeriSign or Thawte) for processing into a valid SSL certificate (essentially they sign the request).
In order to generate a CSR file on an Exchange 2007 Client Access Server running Windows 2008, open the Exchange Management Shell [ START -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell ] and type the following command:
New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 1024 -SubjectName "c=GB, s=Middx, o=MyCompany, ou=IT, cn=mail.mydomain.com" -PrivateKeyExportable $True
The string that you provide after the -SubjectName switch is VERY important; it is made up of the following values:
c= [This is the country of origin]
s= [This is the state (that you are in)]
o= [This is the company that you work for, or rather the company the SSL certificate will be assigned to. Note that if you have purchased SSL certificates before it is worth ensuring that the company naming convention is consistent throughout all certificates that you have purchased]
ou= [This is the organisational unit, i.e. the section of the company which will take charge of the certificate; typically I enter "IT" for this value]
cn= [This should be set to the DNS FQDN of the Client Access server which will be using the certificate, for example "OWA.mydomain.com" or "mail.mydomain.com"]
This will produce a file in the root of c:\ on the CAS server called "myReq.csr"; this should be sent to Thawte.
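As an added example (not a script from the original post), the following Exchange Management Shell snippet lists every certificate with its expiry, picks out the IIS (OWA) certificate that is about to expire, and generates the renewal CSR reusing that certificate's existing subject so the naming convention stays consistent. The 30-day window, the output path and the 2048-bit key size are assumptions.

```powershell
# Added example, not the post's own script: scan the Exchange certificate store for
# the OWA certificate that is close to expiry and generate a renewal CSR for it.
$days    = 30                # assumption: renew anything expiring within 30 days
$csrPath = 'C:\myReq.csr'    # assumption: where the CSR is written

# Every certificate in the Exchange store, soonest expiry first
$certs = Get-ExchangeCertificate | Sort-Object NotAfter

foreach ($c in $certs) {
    $left = ($c.NotAfter - (Get-Date)).Days
    $flag = 'ok'
    if ($left -le $days) { $flag = 'RENEW' }
    '{0,-6} {1:yyyy-MM-dd} {2} {3}' -f $flag, $c.NotAfter, $c.Thumbprint, $c.Subject
}

# The web (IIS/OWA) certificate that expires within $days is the one to renew
$old = $certs | Where-Object {
    ($_.Services -match 'IIS') -and (($_.NotAfter - (Get-Date)).Days -le $days)
} | Select-Object -First 1

if ($old -eq $null) {
    Write-Host "No IIS certificate expires within $days days; nothing to renew."
    return
}

# Reuse the old subject (e.g. "CN=owa.mydomain.com, OU=IT, O=MyCompany, ..., C=GB")
# so the company naming convention matches earlier certificates. 2048 bits is the
# smallest key size public CAs accept for new requests today.
New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
    -SubjectName $old.Subject -PrivateKeyExportable $true

Write-Host "CSR for $($old.Subject) written to $csrPath; send it to the CA."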
When the CA has processed the CSR you will be provided with a CRF (Certificate Response File) which looks like the following (this will be returned to you via e-mail):
-----BEGIN CERTIFICATE-----
[base64-encoded certificate data]
-----END CERTIFICATE-----
You should copy the CRF (including the “Begin Certificate” and “End Certificate”) into a text file called “Owa.txt” and then rename the file “owa.cer” – you should then copy this file up to a drive on the CAS server where you are working.
Installing the Certificate on your Client Access Server:
Firstly you need to remove the existing (expired) SSL certificate from your Client Access Server. In order to accomplish this you need to perform the following steps: open the Exchange Management Shell [ START -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell ]
Then type in the following command:
Get-ExchangeCertificate | fl | out-file -filePath c:\certs.txt
This will create a text file in the root of C:\ called "certs.txt" which contains the details of every certificate installed on the server; the output should look like the following:

The key property that will identify the certificate that you wish to replace is the "Not After" field, as this is essentially the expiry date and should have already expired or indeed be very close to expiring. Make a note of the thumbprint (the long number at the bottom after the "Thumbprint" field) and then type in the following command:
Remove-ExchangeCertificate -Thumbprint <The thumbprint that you noted down>
A tip here is to copy the thumbprint from the text file above and then paste it into the PowerShell window. When you have typed the command and pressed enter you will be presented with the confirmation message; see below:
Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint 138B6EC5AAE868F495ECCBDA05C1F011B08A7CD3?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help(default is “Y”):y
Confirm the action by entering “a” and then press <ENTER>
You are now ready to import the new certificate onto the Client Access Server. In order to do this type in the following command within the PowerShell window (ensure that the path you specify to the certificate file matches the location where you placed the new certificate in the earlier steps):
Import-ExchangeCertificate -Path e:\certificates\owa.cer -FriendlyName "owa.mydomain.com"
You should then be presented with the following output – again here you will need to make a note of the thumbprint:
Thumbprint                                Services   Subject
----------                                --------   -------
B52842F7408772B7151FF74FDAE914EA7B59B53A  .....      CN=owa.mydomain.com,...
Now that the certificate has been imported into the certificate store you need to enable it for OWA. In order to do this run the following command in the PowerShell window:
Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS
The new certificate should now be installed; you can confirm this by running the following command:
Get-ExchangeCertificate
The output of which should be:
Thumbprint                                Services   Subject
----------                                --------   -------
B52842F7408772B7151FF74FDAE914EA7B59B53A  ...W.      CN=owa.mydomain.com,...
The key things to note here are the "W" under Services (this signifies that the certificate has been enabled for IIS, i.e. OWA) and that the thumbprint matches what you typed in previously.
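As an added example (not the post's own script), this snippet performs the install phase in the order that avoids the "internal transport certificate" error some readers hit: import the CA response, enable it for IIS, verify the W flag is present, and only then remove the old certificate. It also checks that the private key is present before enabling, which is the cause of a PrivateKeyMissing failure. The file path, friendly name and the old thumbprint value are assumptions taken from the steps above.

```powershell
# Added example, not the post's own script: import, enable, verify, then remove.
$cerPath      = 'E:\certificates\owa.cer'                    # assumption: CA response
$friendlyName = 'owa.mydomain.com'                           # assumption
$oldThumb     = '138B6EC5AAE868F495ECCBDA05C1F011B08A7CD3'   # thumbprint noted earlier

# Import-ExchangeCertificate returns the certificate object, so capture the thumbprint
# rather than re-typing it (avoids a stray "-" creeping in when copying by hand)
$new = Import-ExchangeCertificate -Path $cerPath -FriendlyName $friendlyName
if ($new -eq $null) { throw "Import of $cerPath failed" }

# The response only pairs with the private key that New-ExchangeCertificate created on
# THIS server; importing it elsewhere leaves a certificate that cannot be enabled
if (-not $new.HasPrivateKey) {
    throw "Certificate $($new.Thumbprint) has no private key here; import it on the CAS that generated the CSR"
}

# Sanity-check the CA did not return something already near expiry
if ($new.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Returned certificate expires $($new.NotAfter); check the CA response"
}

# Enable for IIS (OWA); -Force answers the "overwrite the existing certificate?" prompt
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS -Force

# Verify: the new thumbprint must now carry the IIS (W) service flag
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Services -notmatch 'IIS') {
    throw "Certificate $($new.Thumbprint) is not enabled for IIS; old certificate left in place"
}
'{0} enabled for {1}, valid until {2:yyyy-MM-dd}' -f $check.Thumbprint, $check.Services, $check.NotAfter

# Only now retire the old certificate (never the one just enabled)
if ($oldThumb -ne $new.Thumbprint) {
    Remove-ExchangeCertificate -Thumbprint $oldThumb -Confirm:$false
}
```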

[...] View original post here: Windows 2008 & Exchange 2007 – Renewing an Existing SSL … [...]
By: Windows 2008 & Exchange 2007 - Renewing an Existing SSL … on July 13, 2008
at 3:51 pm
[...] Windows 2008 & Exchange 2007 – Renewing an Existing SSL Certificate on your client access server… [...]
By: Weekend reading - subject: exchange on July 24, 2008
at 9:06 pm
Excellent Post and guide.
It worked beautifully and without a hitch.
Thanks
Chris
By: Chris on November 15, 2008
at 7:07 am
Great post!
My Thawte cert is also due for renewal, I use it for OWA only. I'm not sure if my original CSR was generated through IIS or directly with Exchange 07 management shell. I know how to do it both ways but not sure if it makes a difference or if it will cause problems. My preferred option is through Exchange.
Any tips?
Lee
By: Lee on January 20, 2009
at 3:24 am
Pls ignore last request, this has worked perfectly!
Thanks again
Lee
By: Lee on January 21, 2009
at 9:51 am
Not sure if it’s a Server 2008 thing but as yours is the only article I could find on replacing (rather than first time installing) an SSL cert I thought I’d give it a go on Server 2003.
In this environment I found I had to import the new cert, enable it for the required services (“do you want to overwrite…”) and then remove the old cert. If I tried in the sequence you describe, I’d receive an error message relating to the internal transport certificate.
Hopefully that helps someone else if they have a similar problem.
By: Dan on January 29, 2009
at 10:45 am
THANK YOU!!!
This was a great help. Thank you again for taking the time to help others like myself that are not Exchange masters. This took me a total of maybe 10 minutes. Worked perfectly! I only had one issue with a "-" that I needed to remove on the thumbprint and I was off and going perfectly. THANKS AGAIN!!!
By: Jonny on March 17, 2009
at 9:45 pm
[...] blog is loosely based on these sites http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-cer... http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html [...]
By: Request certificate using Exchange Management Shell « Ståle Hansen’s Blog on May 11, 2009
at 12:03 am
I get (reason: PrivateKeyMissing)
By: john on May 17, 2009
at 7:46 pm