Tuesday, June 9, 2009

[Exchange 2007] Renewing the self signed cert

Yesterday's article covered the renewal of your external certificate; today's article covers the Exchange 2007 internal "self signed" SSL cert (that is, if you use it).

Same note as in my previous article: I've only tested this on an Exchange 2007 SP1 server running Windows 2003 R2; your results may vary depending on your actual configuration.

First and foremost you'll want to confirm you actually have a self signed certificate.

The easiest way to do so is by issuing the following PowerShell command from any Exchange server.

Get-ExchangeCertificate | fl

This will display your certificate information. You can also send the output to a text file if you prefer to read it there.

Get-ExchangeCertificate | fl | out-file -filePath c:\CurrentCerts.txt

What you are looking for is something like this:

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {servername001, servername001.company.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=servername001
NotAfter : 4/15/2009 12:59:24 PM
NotBefore : 4/15/2008 12:59:24 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 62E76E7A954F1C3B4E7591CB15C9A01C
Services : SMTP
Status : Valid
Subject : CN=servername001
Thumbprint : D23F47CE57ECE6CFC04D08AB443810F03DADABA2

The key here is the line Issuer : CN=servername001, which shows you that the cert is self issued (i.e. not from Verisign); the IsSelfSigned : True line confirms it.

If you have an external certificate as well, you will see two entries; it's safe to ignore the external cert for this process. You should also note the services your self signed cert is being used for (in the example above it's being used simply for SMTP).

Now for the renewal process. Equipped with the thumbprint of your self signed cert from the previous step, issue the following command:

Get-ExchangeCertificate -thumbprint [old self signed certificate thumbprint] | New-ExchangeCertificate

Using our example above, our exact command would be:

Get-ExchangeCertificate -thumbprint D23F47CE57ECE6CFC04D08AB443810F03DADABA2 | New-ExchangeCertificate

If you use the cert for SMTP, like we do, you will be prompted with something like this:

Confirm Overwrite existing default SMTP certificate,
'D23F47CE57ECE6CFC04D08AB443810F03DADABA2' (expires 4/15/2009 12:59:24 PM), with certificate 'D32C21BE75ECE6CFC32F80BA218501D33BF3AB7F' (expires 6/9/2009 5:59:24 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

You will want to press Y for Yes.

Your new cert has been issued... But we are not quite done yet.

Now, if you want to use this same certificate for any other roles, you will need to enable it for those roles. By default the new certificate should have been enabled for the roles the old cert used, minus IIS; for some reason IIS needs to be enabled manually using the following command:

Enable-ExchangeCertificate -thumbprint [new self signed cert thumbprint] -services IIS

Using our example above:

Enable-ExchangeCertificate -thumbprint D32C21BE75ECE6CFC32F80BA218501D33BF3AB7F -services IIS

If you don't know the new cert thumbprint (it is shown on the confirm screen above), just reissue Get-ExchangeCertificate | fl to list the certificates and find the new one (the one that expires a year from now).

Give everything a test and make sure everything is working with the new certificate; then remove your old expired (or soon to expire) self signed certificate:

Remove-ExchangeCertificate -thumbprint [old self signed certificate thumbprint]
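
The whole procedure above as one script, added here as an example (not code from the original post or from Microsoft): it lists self signed certificates expiring within a given window, renews them the same way the article does, re-enables IIS on the new cert where the old one served IIS, and prints the Remove-ExchangeCertificate command to run after you have tested. The $DaysLeft and $Renew parameters are my own names, and it is assumed that New-ExchangeCertificate returns the new certificate object.

```powershell
# Added example, not from the original post. Run from the Exchange
# Management Shell on an Exchange 2007 server. Without -Renew it only
# reports; removal of the old cert is left as a manual step so you can
# test first. $DaysLeft and $Renew are assumed parameter names.
param(
    [int]$DaysLeft = 30,   # flag self signed certs expiring within this many days
    [switch]$Renew         # actually renew instead of just reporting
)

$now = Get-Date

# IsSelfSigned, NotAfter, Services and Thumbprint are the properties shown
# in the Get-ExchangeCertificate | fl output in the article.
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt $now.AddDays($DaysLeft) }

if (-not $expiring) {
    Write-Host "No self signed certificates expire within $DaysLeft days."
    return
}

foreach ($old in $expiring) {
    Write-Host ("Self signed cert {0} ({1}) expires {2}, services: {3}" -f
        $old.Thumbprint, $old.Subject, $old.NotAfter, $old.Services)

    if (-not $Renew) { continue }

    # Same renewal step as the article: the old cert is piped into
    # New-ExchangeCertificate, which prompts before overwriting the default
    # SMTP certificate. Assumed: the cmdlet returns the new certificate.
    $new = $old | New-ExchangeCertificate
    if (-not $new) {
        Write-Warning "Renewal of $($old.Thumbprint) produced no certificate"
        continue
    }
    Write-Host "New cert thumbprint: $($new.Thumbprint) (expires $($new.NotAfter))"

    # IIS is not carried over automatically (see the article), so re-enable
    # it explicitly when the old cert served IIS. Services is a flags value,
    # so test its string form for the IIS token.
    if ("$($old.Services)" -match 'IIS') {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
    }

    Write-Host ("Test mail flow and OWA first, then run: Remove-ExchangeCertificate -Thumbprint {0}" -f $old.Thumbprint)
}
```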

Simple as that.
