Wednesday, 21 March 2012

Renewing a self signed SSL Certificate in Exchange 2007

Ok, so I've actually seen this problem so many times now it's unreal and people are always asking me how to fix it because most other guides on the net make it look way to complicated to properly comprehend. So, here goes. This is how I renew an Exchange 2007 SSL Certificate when you get the notice in Outlook it has expired. N.B - The process for renewing through a verified authority like GoDaddy / 123 Reg is not discussed here.

First thing you'll need to do is logon to your SBS 2008 (Ex2K7) box as the domain administrator and open the Microsoft Exchange Management Shell.

Type the following command:  Get-ExchangeCertificate - This will list all of your existing certificates by Thumbprint and CN (Common Name).

You'll need to know the CN, if you're unsure match it to the certificate error being presented in Outlook. History tells me it's normally the that controls the Ex Cert on SBS.

Now, using the identified Thumbprint of the certificate you require use the following command. (Important that you use the Pipe command to run this all in one.)
Get-ExchangeCertificate –Thumbprint 12345678900000000000000000000000000123456 | New-ExchangeCertificate
Press Y to the overwrite certificate, this doesnt actually overwrite anything. It essentially just sets this new Certificate as the default.

Now, we're nearly there. In the above process you are given a new Thumbprint for your newly renewed SSL Cert. This is the thumbprint we'll be using moving forward.

All you have to do now is enable the SSL Certificate for the services you are going to be using it for. If you're unsure just use the four most common (Particularly on SBS). SMTP, IIS, POP, IMAP.

To do this run the following:
Enable-ExchangeCertificate –Thumbprint 12345678900012345600000012345600000123456 –Services IIS

Enable-ExchangeCertificate –Thumbprint 12345678900012345600000012345600000123456 –Services SMTP

Enable-ExchangeCertificate –Thumbprint 12345678900012345600000012345600000123456 –Services POP

Enable-ExchangeCertificate –Thumbprint 12345678900012345600000012345600000123456 –Services IMAP

I like to do it step by step to make sure it works ok but you can run this command all integrated by seperating the below out with commas. ie. Services IIS, POP, SMTP, IMAP. Sometimes you get a warning on the SBS about another cert taking precendence on TLS connections, again nothing to worry about.

Now test your SSL Certificate, it should all be working and renewed for another year. You can verify the next renewal date by typing:
Get-ExchangeCertificate -Thumbprint 12345678900012345600000012345600000123456 |fl

Last but not least when you are happy it's all working again. Simply remove the old cert by typing:
Remove-ExchangeCertificate -thumbprint 12345678900000000000000000000000000123456
Remember to use the previous thumbprint not the newly created one.

Hopefully that helps a few people and makes this process that at first glance looks terrifying to actually become fairly simple...

Did I solve your problem? Buy me a virtual beer by clicking on a Google ad :). Thanks!

1 comment:

  1. Nice Post! it's helped to creating our self signed SSL certificate for testing.