Abstract: Sometimes you need to change the hostnames inside the SSL certificate on the Exchange 2016 server or need to renew it. This can be done via GUI, however with the proper powershell commands this is often more faster. In that howto we will create a sign request, and import that the response on the primary server and later one the whole certificate on a 2nd Exchange server.
Steps:
1.) Via the following command (might be only valid for the current howto; adjust that to your needs) we will create a new certificate request which we later one will sign with our internal CA:
New-ExchangeCertificate –DomainName excashlb.int.contoso.com,exch01.int.contoso.com,exch02.int.contoso.com,exchrr.int.contoso.com,exchdag01.int.contoso.com,owa.contoso.com,oaw.contoso.com,autodiscover.contoso.com,localhost –FriendlyName excashlb.int.contoso.com –GenerateRequest –PrivateKeyExportable $true –RequestFile "C:\00Install\SSL_Certs\certreq.txt" –Server deffmexch01 –SubjectName "cn=excashlb.int.contoso.com"
The parameter are the following:
-Server (specifies the server where we wish to generate the request)
-GenerateRequest (will prepare a 3rd party certificate request instead self-signed)
-FriendlyName(specifies what you see under the name column in the GUI)
-PrivateKeyExportable (allows you to export/import the certificate to other Exchange servers.)
-SubjectName (is the primary FQDN for the certificate)
-DomainName (are the subject alternate names for the certificate, separated via "," without any space)
-RequestFile (specifies the export file for the certificate request)
2.) Now submit the certificate request to your internal Microsoft CA (use a website template) and once you got back the certificate store it as exchange.cer in C:\00Install\SSL_Certs
3.) We need to complete the certificate request now and will import that certificate via:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\00Install\SSL_Certs\exchange.cer -Encoding byte -ReadCount 0))
This will show the thumbprint, you need that later one when assigning that cert to the services in the next step.
4.) We will assign that certificate now to our exchange services. In our
Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMT -Thumbprint <ID> -NetworkServiceAllowed
Note: Replace the <ID> with the thumbprint you got. You might also find that via Get-ExchangeCertificate
Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMTP -Thumbprint 6C941FA21EA47AA280C54C3233F4027D7C7C32BF -NetworkServiceAllowed
Note: You are asked to replace the default SMTP certificate which we accept!
5.) Now we will check our work if we open the a URLs via a web Browser the SSL cert should be fine on that server:
https://exch01/autodiscover/autodiscover.xml
6.) The next step is now to export this certificate (to import hat on our 2nd exchange server) so on our 1st server we run:
Export-ExchangeCertificate -Thumbprint 39AEBE22D1CE1E240DC9310CC3DAFEC67F51A131 -FileName "C:\00Install\SSL_Certs\Exchange_Cert.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)
7.) On the 2nd exchange server place the exported certs from the 1st exchange server to C:\00Install\SSL_Certs\ then run:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\00Install\SSL_Certs\Exchange_Cert.pfx" -Encoding byte -ReadCount 0)) -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)
8.) And then assign the same services as we have done on 01 to that cert. As the thumbprint is the same, we can run exactly the same command:
Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMT -Thumbprint <ID> -NetworkServiceAllowed
Note: Replace the <ID> with the thumbprint you got. You might also find that via Get-ExchangeCertificate
Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMTP -Thumbprint 6C941FA21EA47AA280C54C3233F4027D7C7C32BF -NetworkServiceAllowed
Note: You are asked to replace the default SMTP certificate which we accept!
If somewhing isn´t working as expected, you can redo the steps above and later one delete/remove the wrong certificate via:
Remove-ExchangeCertificate -Thumbprint 39AEBE22D1CE1E240DC9310CC3DAFEC67F51A131
