Thursday 30 September 2010

Renew Exchange 2007 SSL Certificate

When your Exchange 2007 SSL certificate is due for renewal you will need to go through the renewal process. The process is slightly complex and requires the right steps to be taken.

1. First you need to request the new certificate from Exchange, which generates the CSR that your SSL provider needs. I use www.digicert.com as they have a nice wizard that generates the Exchange 2007 Shell command for you. In my case I used this Shell command to generate the request:

New-ExchangeCertificate -GenerateRequest -Path c:\mydomain.com.csr -KeySize 2048 -SubjectName "c=GB, s=West Midlands, l=Birmingham, o=My Company Limited, cn=mydomain.com" -DomainName server, server.mydomain.local, autodiscover.mydomain.com -PrivateKeyExportable $True

This creates the CSR file that you send to the SSL provider for processing.

2. Once you have received your new SSL certificate you need to replace the expired, or close to expired, SSL certificate on your Exchange Server. Start by running the Exchange Shell command

Get-ExchangeCertificate | fl | out-file -filePath c:\certs.txt

This will output your existing certificates to a text file you can read. Open the file and find the certificate whose "Not After" date is the expiry date of the certificate you are replacing. Make a note of its thumbprint and copy it to the clipboard.

3. Next, remove the existing certificate with the command below, pasting the thumbprint from the clipboard in place of the placeholder

Remove-ExchangeCertificate -Thumbprint <thumbprint of the old certificate>

Confirm you want to remove the certificate.

4. Now you can import your new certificate from the CER file supplied by your SSL provider

Import-ExchangeCertificate -path e:\certificates\owa.cer -FriendlyName "owa.mydomain.com"

This will output the thumbprint of the new certificate. Make a note of this long string, as you need it in the next step.

5. You now need to enable the certificate for use in Exchange 2007 with the command

Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS

Replace the Thumbprint with the Thumbprint from your previous notes.

6. The certificate is now installed and enabled. To confirm, run the command

Get-ExchangeCertificate

This will show you the certificate and that it is enabled for Web Access with the "W" in the Services section.
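
The checks in steps 2 and 6 can also be scripted instead of read off by eye. The following is an added example, not part of the original post: it lists each certificate with the days left before expiry, flags the ones to replace, and confirms that whatever is enabled for IIS has a private key, is inside its validity period and carries the expected names. $WarnDays and $RequiredNames are assumed values; the two names repeat -DomainName entries from the request in step 1.

```powershell
# Added example for the Exchange Management Shell; not part of the original post.
# Assumptions: $WarnDays is an arbitrary threshold, and $RequiredNames repeats two
# of the -DomainName values from the CSR command in step 1. Adjust both.
$WarnDays      = 30
$RequiredNames = 'autodiscover.mydomain.com', 'server.mydomain.local'

$now   = Get-Date
$certs = @(Get-ExchangeCertificate)

# Return the names on a certificate as plain strings.
function Get-CertNames($cert) {
    @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
}

# Step 2 without the text file: every certificate, soonest expiry first.
$certs | Sort-Object NotAfter |
    Select-Object Thumbprint, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } },
        @{ Name = 'Names';    Expression = { [string]::Join(', ', (Get-CertNames $_)) } } |
    Format-List

# Step 3 candidates: already expired, or expiring within $WarnDays.
$certs | Where-Object { $_.NotAfter -lt $now.AddDays($WarnDays) } |
    ForEach-Object { "Replace: $($_.Thumbprint) (NotAfter $($_.NotAfter))" }

# Step 6 check: anything enabled for IIS must be usable and cover the names.
# @() keeps the loop from running once on an empty result in older PowerShell.
foreach ($c in @($certs | Where-Object { $_.Services -match 'IIS' })) {
    $problems = @()
    if (-not $c.HasPrivateKey) { $problems += 'no private key on this server' }
    if ($c.NotAfter -lt $now)   { $problems += 'expired' }
    if ($c.NotBefore -gt $now)  { $problems += 'not yet valid' }
    $names = Get-CertNames $c
    foreach ($n in $RequiredNames) {
        if ($names -notcontains $n) { $problems += "missing name $n" }
    }
    if ($problems.Count -eq 0) { "OK:   $($c.Thumbprint)" }
    else { "FAIL: $($c.Thumbprint): " + [string]::Join('; ', $problems) }
}
```

A FAIL line for "no private key on this server" usually means the CER was imported on a machine other than the one that generated the request in step 1.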
