Issue:
You get the following warning message/alert in the console on your Microsoft Exchange server:
An internal transport certificate will expire soon. Thumbprint:D173AB7251C42F5EA9E846C1BDC4BDA1BCB033A9, hours remaining: 477
or
The STARTTLS certificate will expire soon: subject: myserver.mydomain.local, hours remaining: 115510939E1B73335E551B323AAF08AB76542FDB1. Run the New-ExchangeCertificate cmdlet to create a new certificate.
Solution:
You either need to renew the self-signed certificate or install the new commercial certificate.
1. Start the Exchange Management Shell program.
Start --> Microsoft Exchange Server 2010 --> Exchange Management Shell
2. At the PS prompt, enter the following to list all the certificates (both self-signed and commercially bought ones):
[PS] Get-ExchangeCertificate | Format-List
Look for a few important lines:
CertificateDomains : {remote.mydomain.com, mydomain.com, EXCH2.TCC.local}
...
IsSelfSigned : False
...
NotAfter : 3/7/2011 6:02:01 PM
...
Services : IMAP, POP, SMTP
...
Thumbprint : D173AB7251C42F5EA9E846C1BDC4BDA1BCB033A9
CertificateDomains tells us which domains need to be included in the new certificate.
IsSelfSigned tells us whether we are currently using a self-signed certificate or not.
NotAfter tells us the date by which this must be done.
Services tells us which services are affected if this certificate expires.
Thumbprint is the unique key for the certificate; it should match the one in the alert.
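As an added example (not part of the original article), the following Exchange Management Shell script pulls those same fields for every certificate, flags the ones expiring within 30 days, and matches the thumbprint copied from the alert against what is installed, so you can see which services depend on it before touching anything. The thumbprint and the 30-day window are placeholders you set.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# $AlertThumbprint is the value copied from the alert (placeholder); $WarnBefore is
# the window in which a certificate counts as "expiring soon".
$AlertThumbprint = 'D173AB7251C42F5EA9E846C1BDC4BDA1BCB033A9'
$WarnBefore      = (Get-Date).AddDays(30)

$certs = Get-ExchangeCertificate

# The fields the article tells you to look for, one row per certificate.
$certs |
    Select-Object Thumbprint,
                  @{n='Domains';  e={ $_.CertificateDomains -join ', ' }},
                  IsSelfSigned,
                  NotAfter,
                  @{n='Services'; e={ $_.Services.ToString() }},
                  @{n='Expiring'; e={ $_.NotAfter -lt $WarnBefore }} |
    Format-Table -AutoSize

# Confirm the alert refers to a certificate on this server and show what depends on it.
$match = $certs | Where-Object { $_.Thumbprint -eq $AlertThumbprint }
if ($null -eq $match) {
    Write-Warning "No certificate with thumbprint $AlertThumbprint found on this server."
} else {
    # Same figure the alert reports as "hours remaining".
    $hoursLeft = [math]::Round(($match.NotAfter - (Get-Date)).TotalHours)
    Write-Host ("{0} expires {1} ({2} hours left); self-signed={3}; services={4}" -f
        $match.Thumbprint, $match.NotAfter, $hoursLeft, $match.IsSelfSigned, $match.Services)
}
```

The Expiring column is what to act on; a certificate that is not bound to any service (Services empty) can expire without affecting mail flow, but it will still raise the alert until it is removed.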
3. If the certificate is commercial, we need to install the new certificate files. If it is self-signed, you can simply have the server regenerate it.
Self-Signed Certificate Instructions:
1. If self-certified, we can create a new certificate and overwrite/replace the existing one for the Exchange SMTP service, with:
a. [PS] New-ExchangeCertificate
b. [PS] Answer y to confirm.
c. [PS] Rerun the Get-ExchangeCertificate | Format-List command, and you should see the SMTP certificate updated. Note the Thumbprint of the new certificate; you will use it to update the other protocols. In other words, you still have to switch the other services over to it.
example: Thumbprint :E999AB7251C42F5EA9E846C1BDC4BEA1BCB099A9
2. Now we need to tell the services (IIS, SMTP, IMAP, POP) to use this new certificate:
[PS] Enable-ExchangeCertificate -Thumbprint E999AB7251C42F5EA9E846C1BDC4BEA1BCB099A9 -Services SMTP,IIS,IMAP,POP
3. Now repeat for any other protocol, using its service name.
4. Now remove the old certificates via their Thumbprint after you confirm they are no longer used:
[PS] Remove-ExchangeCertificate -Thumbprint D173AB7251C42F5EA9E846C1BDC4BDA1BCB033A9
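The self-signed steps above, carried through as one script (an added example, not code from the original article): it refuses to run against a commercial certificate, regenerates the self-signed one with the same domain names, moves the old certificate's services to the new one, shows both bindings, and removes the old certificate only when the new one carries every service the old one had. The old thumbprint is a placeholder copied from the alert.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# $OldThumbprint is the thumbprint from the alert (placeholder).
$OldThumbprint = 'D173AB7251C42F5EA9E846C1BDC4BDA1BCB033A9'

$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old.IsSelfSigned) {
    throw "Certificate $OldThumbprint is not self-signed; follow the commercial certificate steps instead."
}

# Step 1: new self-signed certificate covering the same names. -Force answers the
# 'overwrite the existing default SMTP certificate' prompt (the 'y' in the article).
$new = New-ExchangeCertificate -DomainName $old.CertificateDomains -PrivateKeyExportable $true -Force
Write-Host "New certificate thumbprint: $($new.Thumbprint)"

# Steps 2 and 3: enable the new certificate for every service the old one served.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services -Force

# Step 4: re-read both certificates and show what each is bound to now. Exchange
# allows more than one certificate to be enabled for SMTP, so the old one may still
# list SMTP; what matters is that the new one carries every service the old one had.
$newNow = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$oldNow = Get-ExchangeCertificate -Thumbprint $OldThumbprint
$newNow, $oldNow | Format-List Thumbprint, IsSelfSigned, NotAfter, Services

$missing = @("$($old.Services)" -split ',\s*' | Where-Object { "$($newNow.Services)" -notmatch $_ })
if ($missing.Count -eq 0) {
    # Keep the interactive confirmation so the operator sees what is being deleted.
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint
} else {
    Write-Warning "New certificate is missing services: $($missing -join ', '). Old certificate not removed."
}
```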
Commercial / Paid Certificate Instructions/Notes
1. Create a new request via the Exchange Management shell:
[PS] $Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, l=City, s=ST, o=MYDOMAIN, cn=myserver.mydomain.com" -DomainName MYDOMAIN.local,exchange02.DOMAIN.local,remote.MYDOMAIN.com,autodiscover.MYDOMAIN.com -PrivateKeyExportable $true
[PS] Set-Content -Path D:\Data\Scripts\certrequest.txt -Value $Data
Notes:
Substitute MYDOMAIN with your domain and update the domain names to fit your environment.
This assumes you are buying a multi-domain certificate from an SSL reseller.
SMTP only uses the first/main common name, so make sure it is listed first in the certificate request.
2. Go to your vendor's web site and pay for the SSL certificate. Go through the process and you should end up with a file containing your new certificate along with any intermediate or root ones.
3. Import the new certs starting with the top level down. (e.g. root, intermediary(s), and then your new certificate)
a. Import the certificate(s):
[PS] Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "c:\temp\pathtocerts.crt" -Encoding Byte -ReadCount 0))
b. Get the list, confirm it's there and copy/mark the Thumbprint:
[PS] Get-ExchangeCertificate | Format-List
Let's assume the thumbprint returned is: E999AB7251C42F5EA9E846C1BDC4BEA1BCB099A9
c. Enable the new certificate for all the services desired:
[PS] Enable-ExchangeCertificate -Thumbprint E999AB7251C42F5EA9E846C1BDC4BEA1BCB099A9 -Services SMTP,IIS,IMAP,POP
d. Confirm the certificate was enabled for the services designated:
[PS] Get-ExchangeCertificate | Format-List
Also note the old certificate(s) to remove that have expired or about to expire.
e. Remove the old ones, lest they nag you forever:
[PS] Remove-ExchangeCertificate -Thumbprint D173AB7251C42F5EA9E846C1BDC4BDA1BCB033A9
Notes:
If you leave the old self-signed ones, supposedly it's fine, as the paid-for ones will take precedence for the services listed. However, in our experience we still get alert/error messages when they near or pass expiration. So removing old ones is how we get rid of the annoying messages. After you add a new certificate and remove the old ones, you need to restart the affected services or the whole server for the new certificates to take effect.
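The commercial workflow above, in Exchange 2010 syntax, as an added example that is not code from the original article: one function builds the request file (main name first, request text written out with Set-Content), and a second, run after the vendor returns the certificate, imports it as a byte array, enables it, checks that it chains correctly before the old certificate is removed, and restarts the services the note says need restarting. Every path, domain name and thumbprint is a placeholder.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# All paths, domain names and thumbprints below are placeholders.

# Step 1: build the request. The name SMTP clients connect to goes first, and the CN
# in -SubjectName must also appear in -DomainName. Exchange 2010 returns the request
# text rather than writing a file, so it is saved with Set-Content.
function New-CertRequestFile {
    param([string]$OutFile = 'D:\Data\Scripts\certrequest.txt')
    $domains = 'remote.MYDOMAIN.com',
               'autodiscover.MYDOMAIN.com',
               'exchange02.MYDOMAIN.local',
               'MYDOMAIN.local'
    $req = New-ExchangeCertificate -GenerateRequest `
               -SubjectName 'c=US, l=City, s=ST, o=MYDOMAIN, cn=remote.MYDOMAIN.com' `
               -DomainName $domains -PrivateKeyExportable $true
    Set-Content -Path $OutFile -Value $req
    Write-Host "Request written to $OutFile; submit it to the SSL vendor."
}

# Step 3: after the vendor returns the certificate. Import any root/intermediate
# files the same way first, then the server certificate.
function Install-VendorCertificate {
    param(
        [string]$CertFile      = 'C:\temp\remote.MYDOMAIN.com.crt',
        [string]$OldThumbprint = 'D173AB7251C42F5EA9E846C1BDC4BDA1BCB033A9'
    )
    # 3a. Import: Exchange 2010 takes the file contents as a byte array.
    $bytes = [Byte[]](Get-Content -Path $CertFile -Encoding Byte -ReadCount 0)
    $new   = Import-ExchangeCertificate -FileData $bytes
    Write-Host "Imported $($new.Subject) thumbprint $($new.Thumbprint)"

    # 3c. Enable for the services; -Force skips the default-SMTP-certificate prompt.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP,IIS,IMAP,POP -Force

    # 3d. Confirm the binding and the chain. Status is 'Valid' only when the
    # intermediates are in place; an 'Untrusted' certificate is not a safe replacement.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    $check | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services, Status
    if ($check.Status -ne 'Valid') {
        Write-Warning "Chain status is $($check.Status); import the vendor's root/intermediate certificates before removing the old one."
        return
    }

    # 3e and the Notes: remove the old certificate last, then restart the services
    # that use it so the new binding takes effect without a full reboot.
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false
    Restart-Service -Name MSExchangeTransport, MSExchangePOP3, MSExchangeIMAP4
    iisreset /noforce
}
```

Call New-CertRequestFile first, send the file to the vendor, and call Install-VendorCertificate once the signed certificate is back; the Status check is the point where a wrong or missing intermediate shows up, before anything that was working has been removed.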