Manage the SSL certificate on Exchange 2016 via Powershell

Bastian W. | Jul 19, 2016 | Articles \ Exchange

Abstract: Sometimes you need to change the hostnames inside the SSL certificate on the Exchange 2016 server, or you need to renew it. This can be done via the GUI, but with the proper PowerShell commands it is often faster. In this how-to we will create a signing request, import the response on the primary server, and later import the whole certificate on a 2nd Exchange server.

Steps:

1.) With the following command (it might only be valid for this how-to; adjust it to your needs) we create a new certificate request, which we will later sign with our internal CA:

New-ExchangeCertificate -DomainName excashlb.int.contoso.com,exch01.int.contoso.com,exch02.int.contoso.com,exchrr.int.contoso.com,exchdag01.int.contoso.com,owa.contoso.com,oaw.contoso.com,autodiscover.contoso.com,localhost -FriendlyName excashlb.int.contoso.com -GenerateRequest -PrivateKeyExportable $true -RequestFile "C:\00Install\SSL_Certs\certreq.txt" -Server deffmexch01 -SubjectName "cn=excashlb.int.contoso.com"

The parameters are the following:

-Server (specifies the server on which we wish to generate the request)
-GenerateRequest (prepares a 3rd party certificate request instead of a self-signed certificate)
-FriendlyName (specifies what you see under the name column in the GUI)
-PrivateKeyExportable (allows you to export/import the certificate to other Exchange servers)
-SubjectName (is the primary FQDN for the certificate)
-DomainName (are the subject alternative names for the certificate, separated by "," without any space)
-RequestFile (specifies the export file for the certificate request)

2.) Now submit the certificate request to your internal Microsoft CA (use a website template) and, once you have received the certificate, store it as exchange.cer in C:\00Install\SSL_Certs

3.) We need to complete the certificate request now and will import that certificate via:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\00Install\SSL_Certs\exchange.cer -Encoding byte -ReadCount 0))

This will show the thumbprint; you will need it later when assigning the certificate to the services in the next step.

4.) We will assign that certificate now to our exchange services. In our

Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMTP -Thumbprint <ID> -NetworkServiceAllowed

Note: Replace <ID> with the thumbprint you got (you can also find it via Get-ExchangeCertificate), for example:

Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMTP -Thumbprint 6C941FA21EA47AA280C54C3233F4027D7C7C32BF -NetworkServiceAllowed

Note: You are asked whether to replace the default SMTP certificate, which we accept!

5.) Now we check our work: if we open the following URL in a web browser, the SSL certificate should be fine on that server:

https://exch01/autodiscover/autodiscover.xml

6.) The next step is to export this certificate (in order to import it on our 2nd Exchange server), so on our 1st server we run:

Export-ExchangeCertificate -Thumbprint 39AEBE22D1CE1E240DC9310CC3DAFEC67F51A131 -FileName "C:\00Install\SSL_Certs\Exchange_Cert.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

7.) On the 2nd Exchange server, place the exported certificate from the 1st Exchange server in C:\00Install\SSL_Certs\, then run:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\00Install\SSL_Certs\Exchange_Cert.pfx" -Encoding byte -ReadCount 0)) -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

8.) Then assign the same services to that certificate as we did on the 1st server. As the thumbprint is the same, we can run exactly the same command:

Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMTP -Thumbprint <ID> -NetworkServiceAllowed

Note: Replace <ID> with the thumbprint you got (you can also find it via Get-ExchangeCertificate), for example:

Enable-ExchangeCertificate -Services IIS,IMAP,POP,SMTP -Thumbprint 6C941FA21EA47AA280C54C3233F4027D7C7C32BF -NetworkServiceAllowed

Note: You are asked whether to replace the default SMTP certificate, which we accept!

If something isn't working as expected, you can redo the steps above and later delete/remove the wrong certificate via:

Remove-ExchangeCertificate -Thumbprint 39AEBE22D1CE1E240DC9310CC3DAFEC67F51A131
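
A hardened variant of steps 6 to 8, added here as an example and not part of the original article: it checks the certificate before and after the transfer, prompts for the PFX password instead of typing it as a literal, and deletes the PFX file once it has been imported. The helper Test-ExchangeCertReady, the expected host names, the 30-day margin and the values in angle brackets are assumptions or placeholders.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
$Thumbprint = '<THUMBPRINT>'        # placeholder: thumbprint printed in step 3
$Source     = 'deffmexch01'         # first server (name used in step 1)
$Target     = '<SECOND-SERVER>'     # placeholder: name of the 2nd Exchange server
$PfxPath    = 'C:\00Install\SSL_Certs\Exchange_Cert.pfx'
$Expected   = 'owa.contoso.com', 'autodiscover.contoso.com'   # assumed must-have names

# Hypothetical helper: lists what is wrong with the certificate (nothing = usable).
function Test-ExchangeCertReady {
    param([string]$Server, [string]$Thumbprint, [string[]]$ExpectedNames, [int]$MinDaysLeft = 30)
    $cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -ErrorAction Stop
    if ([string]$cert.Status -ne 'Valid') { "Status is $($cert.Status)" }
    if (-not $cert.HasPrivateKey)         { 'Private key is missing' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) { "Expires on $($cert.NotAfter)" }
    $sans = @($cert.CertificateDomains | ForEach-Object { [string]$_ })
    foreach ($name in $ExpectedNames) {
        if ($sans -notcontains $name) { "Name $name is not in the certificate" }
    }
}

# Check the certificate on the first server before its private key is exported.
$issues = @(Test-ExchangeCertReady -Server $Source -Thumbprint $Thumbprint -ExpectedNames $Expected)
if ($issues.Count) { throw "Certificate not ready on ${Source}: $($issues -join '; ')" }

# Prompt for the PFX password so it is not typed as a literal on the command line,
# where it would end up in the console history and in transcripts.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$export = Export-ExchangeCertificate -Server $Source -Thumbprint $Thumbprint `
    -BinaryEncoded -Password $PfxPassword
[System.IO.File]::WriteAllBytes($PfxPath, $export.FileData)
try {
    # -PrivateKeyExportable $false: the key cannot be exported again from the 2nd server.
    Import-ExchangeCertificate -Server $Target -Password $PfxPassword `
        -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) -PrivateKeyExportable $false
}
finally {
    Remove-Item -Path $PfxPath -Force    # do not leave the key file in the install folder
}

# Same checks on the 2nd server, then bind the services as in step 8.
$issues = @(Test-ExchangeCertReady -Server $Target -Thumbprint $Thumbprint -ExpectedNames $Expected)
if ($issues.Count) { throw "Certificate not ready on ${Target}: $($issues -join '; ')" }
Enable-ExchangeCertificate -Server $Target -Services IIS,IMAP,POP,SMTP `
    -Thumbprint $Thumbprint -NetworkServiceAllowed
```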
