Request certificate using Exchange Management Shell

If you use the self-signed certificate assigned by the Exchange server itself there is a simple process to renew the certificate. You will typically get a note in the event viewer when the certificate is about to expire. Here’s a great blog that explains the process: http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

To request or renew a 3rd-party (or from internal PKI infrastructure) SAN certificate that resides on your Exchange server using EMS I found this approach being useful. In this example I used an internal PKI infrastructure to assign a certificate to my internal Exchange Servers behind a NLB cluster for the ClientAccess role. I found that if the certificate is requested through an internal PKI infrastructure the certificate is issued for a period of one year and has to be manually renewed.

  • Create a request using EMS with this command
  • New-ExchangeCertificate –GenerateRequest –SubjectName “C=net, O=msunified, CN=webmail.msunified.net” –DomainName webmail.msunified.net, webmail.msunified.local, cashub01.msunified.local, cashub02.msunified.local –FriendlyName “CAS SAN Certificate” –KeySize 1024 –Path c:\CAS_SAN_cert.req –PrivateKeyExportable:$true
  • Open the req file, and copy everything except
  • —–BEGIN NEW CERTIFICATE REQUEST—–
  • —–END NEW CERTIFICATE REQUEST—–
  • Navigate to you CA server using the following url: http://CA-server/certsrv
  • click “request a certificate” and then select “advanced certificate request”
  • click  “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
  • past the content in the “saved request” window
  • hit submit
    •  If you have a 2003 CA and it does not support SAN certificates you need to enable it using this command
    • CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    • Restart the certificate service and IIS
  • click “download certificate chain” and save the file
  • On the exchange server import the certificate
  • Import-ExchangeCertificate -Path c:\2009-2.p7b -FriendlyName “webmail.msunifed.net”
  • Copy the thumbprint and enable the certificate for the selected services
  • Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Export the certificate for other exchange servers having the same role with certificate chain using IIS or open the local computer personal store
  • On the other servers import using IIS
  • On the other servers rund Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Remove the old certificate with the following command Remove-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91

To renew self-signed certificates on the EDGE servers for the SMPT transport service

  • On the EDGE servers open EMS and do the following
  • Get-ExchangeCertificate | New-ExchangeCertificate (if its the only certificate on the server)
  • Remove-ExchangeCertificate -Thumbprint 1025C608027188FFA4DFAE77089D183DABACD077
  • You then have to re-establish the EDGE syncronizations with the new certificate
  • New-EdgeSubscription -FileName c:\newsub.xml
  • Copy the xml file to the internal servers
  • On the EMC for the HUB role in the organizational view, remove old edge subscription and then do a new one, specify the correct xml file
  • To synchronize the first time run from EMS the following commandlet: Start-EdgeSynchronization
  • To test the synch, run the following commandlet: Test-EdgeSynchronization

To be able to deploy SAN certificates from intern CA, you may have to extend the attributes: http://support.microsoft.com/kb/931351

This blog is loosely based on these sites
http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
http://www.exchangeinbox.com/article.aspx?i=114
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

2 thoughts on “Request certificate using Exchange Management Shell

  1. Looks good but you should mentioned that this is for Self Signed certificate not for PKI Internal

  2. Hey Please ignore my above comments, this is the best article which i ever seen for renew with PKI Internal

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s