Updating Exchange Server Certificates

Microsoft Exchange is one of the applications that's installed on almost every company's IT infrastructure and as all applications should, it uses SSL to secure network communications. SSL uses certificates and sooner or later they all expire.

Below is the process I usually follow when updating the certificates on multiple servers. We'll start by creating a variable that will hold the thumbprint of the new certificate:

$newCertificateThumbprint = "3A5F93553E8346618131DA97CAE6E3962C266608"

Then we are going to copy the pfx file to all the servers:

$servers = Get-MailboxServer | % Name | Sort-Object

$servers |
    %{
        $destination = '\\' + $_ + '\c$\Temp\'

        Copy-Item -Path "C:\Temp\Cert\Certificate2019.pfx" -Destination $destination -Verbose
    }

Now that the pfx is available on all servers, we are going to import it to the local computer certificate store using the below command:

Invoke-Command -ComputerName $servers `
               -ScriptBlock {

                    $path = "C:\Temp\Certificate2019.pfx"
                    $password = 'ThePFXPassword' | ConvertTo-SecureString -AsPlainText -Force

                    Import-PfxCertificate -FilePath $path `
                                          -Exportable:$true `
                                          -Password $password `
                                          -CertStoreLocation Cert:\LocalMachine\My `
                                          -Confirm:$false


                }

Moving on to the Exchange part, we have to enable the certificate on the Exchange services. In case this is a wildcard certificate, the TlsCertificateName property of the Client Frontend receive connector - and/or any other client facing connector - has to be configured like below.

# Enable the certificate
$servers |
    %{
        Enable-ExchangeCertificate -Thumbprint $newCertificateThumbprint `
                                   -Services "SMTP,IIS,IMAP,POP" `
                                   -Confirm:$false `
                                   -Server $_ `
                                   -Force
    }

# Configure the receive connectors
$cert = Get-ExchangeCertificate -Thumbprint $newCertificateThumbprint
$servers |
    %{
        $receiveConnector = $_ + '\Client Frontend ' + $_
        $tls = "<i>$($cert.Issuer)<s>$($cert.Subject)"

        Set-ReceiveConnector -Identity $receiveConnector -TlsCertificateName $tls -Confirm:$false
    }

Finishing up the process, we have to remove the PFX file from the servers:

# Remove the certificate file
Invoke-Command -ComputerName $servers `
               -ScriptBlock {

                    $path = "C:\Temp\Certificate2019.pfx"
                    
                    Remove-Item -Path $path -Force -Verbose
                }

To verify that the new certificate is property configured and used for web, SMTP and IMAP connections, you can use the below commands:

# Check the active iis certificate
$servers |
    %{
        $currentCert = Get-HTTPCertificate -Server $_ -Port 443

        if($currentCert.hash -ne $newCertificateThumbprint)
        {
            Write-Host "Wrong HTTP certificate on $_" -ForegroundColor Red
        }
    }

# Check the active SMTP certificate
$servers |
    %{
        $currentCert = Get-SMTPCertificate -Server $_ -Port 25

        if($currentCert.hash -ne $newCertificateThumbprint)
        {
            Write-Host "Wrong SMTP certificate on $_" -ForegroundColor Red
        }
    }

# Check the active IMAP certificate
$servers |
    %{
        $currentCert = Get-IMAPCertificate -Server $_ -Port 993

        if($currentCert.hash -ne $newCertificateThumbprint)
        {
            Write-Host "Wrong IMAP certificate on $_" -ForegroundColor Red
        }
    }

Although the above commands change the certificate on all servers, you should consider updating groups of servers and test the certificate before updating all your servers.

Moreover, in case the new certificate is not issued by the same authority, you should install the root and intermediate authority certificates on all your clients and servers and make sure they are able to reach the CRL location for your certificate and the also intermediate one.

Good luck!

Popular posts from this blog

Syslog Message Collection for OMS from sources that do not support the agent

Generating Alerts On OMS

How to Configure Message Forwarding on a Mailbox Level