Tutorial on how to manage Exchange Certificate with PowerShell
Manage Exchange Certificate with PowerShell
Open PowerShell ISE in Exchange 2016 Server to connect to Exchange Management Shell
#Connect to Exchange 2016 in PowerShell ISE
. 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'
Connect-ExchangeServer -auto
Connect to Remote PowerShell Session in Exchange 2016 Server with Basic Authentication Enabled in IIS
$Username = "lab\administrator"
$Password = ConvertTo-SecureString -String "P@ssw0rd!@#$" -Force -AsPlainText
$URL = "https://mail.aventislab.com/powershell"
#Specify Credential with password
$Credential = new-object -typename System.Management.Automation.PSCredential -ArgumentList $UserName,$Password
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $URL `
-Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session
New Exchange Certificate
Generate Certificate Signing Request (CSR) for wildcard domain – *.aventis.dev with PrivateKeyExportable and save it to C:\Temp\CSR.req on Exchange 2016 Server
$RequestFile = "C:\Temp\CSR.req"
$SubjectName = "C=MY, O=AVENTIS, CN=*.aventis.dev"
$DomainName = "*.aventis.dev"
New-ExchangeCertificate -GenerateRequest -RequestFile $RequestFile -SubjectName $SubjectName -DomainName $DomainName -PrivateKeyExportable $true
Generate an SSL Certificate from the Microsoft CA Server (http://10.10.10.180/certsrv) by clicking Request a Certificate in our lab, or generate the SSL Certificate from a Publicly Trusted SSL Provider (Recommended) based on the instructions provided
Click Advanced Certificate Request
Paste the content of C:\Temp\CSR.req into Saved Request and select Web Server as the Certificate Template
Select Base 64 Encoded and click Download Certificate to save it as C:\Temp\AventisDev.cer
Import the SSL Certificate to Local Computer Store
Import-Certificate -FilePath C:\Temp\AventisDev.cer -CertStoreLocation Cert:\LocalMachine\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
6AC6B7271DB0D48F510BF83CE8A44E7A269D265D CN=*.aventis.dev, O=AVENTIS, C=MY
Verify the new SSL Certificate is available in Exchange 2016 Server
Get-ExchangeCertificate | ? Subject -like "CN=*.Aventis.Dev*" | Select ThumbPrint, Services, Status, Subject, Issuer
Creating a new session for implicit remoting of "Get-ExchangeCertificate" command...
Thumbprint : 6AC6B7271DB0D48F510BF83CE8A44E7A269D265D
Services : None
Status : Valid
Subject : CN=*.aventis.dev, O=AVENTIS, C=MY
Issuer : CN=lab-LAB-AD01-CA, DC=lab, DC=local
Assign the new SSL Certificate to IIS & SMTP Services – Refer to Assign certificates to Exchange Server services for more detail
Enable-ExchangeCertificate -Thumbprint 6AC6B7271DB0D48F510BF83CE8A44E7A269D265D -Services SMTP,IIS
Login to https://mail.aventis.dev to verify the new SSL Certificate is in use now
Export SSL Certificate In PFX Format
Export the Wildcard SSL Certificate to C:\Temp\INTERNAL-AventisDev.pfx, protected with a password
$Password = ConvertTo-SecureString -String "P@ssw0rd!@#$" -Force -AsPlainText
Get-ChildItem -Path cert:\localMachine\my\6AC6B7271DB0D48F510BF83CE8A44E7A269D265D | Export-PfxCertificate -FilePath C:\Temp\INTERNAL-AventisDev.pfx -Password $Password
Import the PFX to the remaining Exchange 2016 Servers and verify the IIS & SMTP Services are assigned to use this new SSL Certificate
$Password = ConvertTo-SecureString -String "P@ssw0rd!@#$" -Force -AsPlainText
Import-PfxCertificate -FilePath C:\Temp\INTERNAL-AventisDev.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
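The import on the remaining servers can be driven from the first server in one loop that also checks the private key actually arrived before binding IIS and SMTP. This is an added example, not the original post's script; it assumes the PFX sits at C:\Temp\INTERNAL-AventisDev.pfx, WinRM (PowerShell 5.0 or later, for Copy-Item -ToSession) is reachable on every Exchange server, and the Exchange Management Shell is already loaded.

```powershell
# Added example (not from the original post): copy the PFX to every other Exchange server,
# import it, confirm thumbprint + private key, and only then bind IIS and SMTP.
$PfxPath  = 'C:\Temp\INTERNAL-AventisDev.pfx'                        # assumed path
$Password = Read-Host -Prompt 'PFX password' -AsSecureString           # prompted, not hard-coded
# Thumbprint of the end-entity certificate inside the PFX, used to verify each import
$Expected = (Get-PfxData -FilePath $PfxPath -Password $Password).EndEntityCertificates[0].Thumbprint

$Targets = Get-ExchangeServer | Where-Object { $_.Name -ne $env:COMPUTERNAME }
foreach ($Server in $Targets) {
    $Session = New-PSSession -ComputerName $Server.Fqdn
    try {
        Copy-Item -Path $PfxPath -Destination 'C:\Temp\' -ToSession $Session
        $Result = Invoke-Command -Session $Session -ArgumentList $PfxPath, $Password -ScriptBlock {
            param($Path, $Pwd)
            $Cert = Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My -Password $Pwd
            Remove-Item -Path $Path -Force                       # do not leave key material on disk
            [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; HasPrivateKey = $Cert.HasPrivateKey }
        }
        if ($Result.Thumbprint -ne $Expected -or -not $Result.HasPrivateKey) {
            Write-Warning "$($Server.Name): import failed or private key missing; services not enabled"
            continue
        }
        # -Confirm:$false suppresses the prompt about replacing the default SMTP certificate
        Enable-ExchangeCertificate -Server $Server.Name -Thumbprint $Expected -Services IIS,SMTP -Confirm:$false
        Get-ExchangeCertificate -Server $Server.Name -Thumbprint $Expected |
            Select-Object Identity, Services, Status, NotAfter
    } finally {
        Remove-PSSession $Session
    }
}
```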
Renew SSL Certificate
List Exchange Certificates which are going to expire within 30 days
$Expired_In_30_Days = (Get-Date).AddDays(30)
Get-ExchangeCertificate | ? {$_.NotAfter -le $Expired_In_30_Days -and $_.issuer -like "*COMODO*"} | Select Subject, @{n="Expires";e={'{0:dd/MM/yyyy}' -f $_.NotAfter}} ,
@{n='IssuedBy';e={($_.Issuer.split("=,")[1])}}
Output
Subject Expires IssuedBy
------- ------- -------
CN=*.aventislab.com 18/10/2020 COMODO RSA Domain Validation Secure Server CA
Create a new CSR with the Certificate Thumbprint
# Same 30-day / COMODO filter as above; the expiring certificate is the one to renew
$ThumbPrint = (Get-ExchangeCertificate | ? {$_.NotAfter -le $Expired_In_30_Days -and $_.issuer -like "*COMODO*"}).ThumbPrint
$Path = "\\10.10.10.182\c$\temp\CSR2020.req"
Get-ExchangeCertificate -Thumbprint $ThumbPrint | New-ExchangeCertificate -GenerateRequest -RequestFile $Path
Output
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEGzCCAwMCAQAwXTEhMB8GA1UECwwYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVk
-----END NEW CERTIFICATE REQUEST-----
Verify the Status of the new SSL Certificate requested is PendingRequest in Exchange 2016 or above
Get-ExchangeCertificate | Select Subject, Status
Subject Status
------- ------
CN=*.aventislab.com PendingRequest
Obtain the new SSL Certificate from the COMODO Portal using the CSR generated above and save it as C:\Temp\AventisLab.crt on the Exchange Server from which the CSR was generated.
Import the SSL Certificate to Local Computer
Import-Certificate -FilePath "C:\TEMP\AventisLab.crt" -CertStoreLocation Cert:\LocalMachine\My
#Verify the SSL Certificate is imported to Exchange 2016
Get-ExchangeCertificate | ? Subject -like "CN=*.AventisLab*" | Select ThumbPrint, Services, Status, Subject, Issuer
Thumbprint : 6AC6B7271DB0D48F510BF83CE8A44E7A269D265D
Services : None
Status : Valid
Subject : CN=*.aventislab.com, O=AVENTIS, C=MY
Assign IIS & SMTP to the new SSL Certificate
Enable-ExchangeCertificate -Thumbprint 6AC6B7271DB0D48F510BF83CE8A44E7A269D265D -Services IIS,SMTP
Login to Webmail to verify the new SSL Certificate is in use now.
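Logging in to Webmail only shows that the browser is happy; the same check can be done from PowerShell, both here after the renewal and after the first Enable-ExchangeCertificate above, by reading the certificate that IIS actually presents on TCP 443 and comparing it with what Exchange reports as bound. This is an added example, not from the original post; the host name mail.aventis.dev and port 443 are assumptions, and the chain check relies on the lab or public CA being trusted by the machine running it.

```powershell
# Added example (not from the original post): confirm the certificate served on HTTPS is the
# one enabled for IIS, chains to a trusted CA, is not close to expiry, and still has its key.
function Get-ServedTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $Client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is offered so the handshake completes; trust is evaluated separately below
        $Callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $Callback)
        $Ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as the SNI name
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
    } finally { $Client.Close() }
}

function Test-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][string]$ExpectedThumbprint)
    $Served = Get-ServedTlsCertificate -HostName $HostName
    # Build the chain ourselves (with online revocation checking) instead of trusting the callback
    $Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $Chain.ChainPolicy.RevocationMode = 'Online'
    $Trusted = $Chain.Build($Served)
    # The enabled certificate must still carry its private key in the local machine store
    $Local = Get-ChildItem -Path "Cert:\LocalMachine\My\$ExpectedThumbprint" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HostName         = $HostName
        ServedThumbprint = $Served.Thumbprint
        MatchesEnabled   = ($Served.Thumbprint -eq $ExpectedThumbprint)
        ChainTrusted     = $Trusted
        ChainStatus      = ($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        DaysToExpiry     = [int]($Served.NotAfter - (Get-Date)).TotalDays
        HasPrivateKey    = [bool]$Local.HasPrivateKey
    }
}

# Thumbprint of whatever Exchange currently has bound to IIS on this server
$Enabled = (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1).Thumbprint
Test-ServedCertificate -HostName 'mail.aventis.dev' -ExpectedThumbprint $Enabled
```

A result with MatchesEnabled false right after Enable-ExchangeCertificate usually means IIS has not been restarted or another binding still holds the old thumbprint; ChainTrusted false on a lab CA means the issuing CA is not in the client's trust store.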