
How To Renew Exchange Server 2010 Certificates


I am sure a lot of you have found the earlier posts helpful. None of them, however, covered certificates issued by public CAs, so I thought it would be even more helpful to put up a separate post on the certificate renewal process in Exchange 2010, which also covers a few of the steps for Exchange 2007 certificate renewals.
If you have run through the Exchange 2010 EMC and Certificate Management posts you know how preparing, requesting and assigning a new certificate to your Exchange 2010 CAS and HT servers works, but those posts do not talk about renewing the certificates once they are assigned and just about to expire :-O
A little bit of stuff that you may or may not know:
Whenever you work with certificates on an Exchange server role installed on any OS, you are dealing with the local computer certificate store of that OS, which is easily accessible via Start -> Run -> MMC -> Add/Remove Snap-in -> Certificates -> Local Computer. Take a look at the local computer's Personal certificate store and you will not be surprised to find these certificates in there. The only reason I bring this up in this post is that you may need to go through this store if you run into the situation described in the earlier post Missing Private Key on Exchange Certificate.
So let’s have a look at what is it and how to do it!
GUI:
Just like the two posts linked above, which describe managing Exchange certificates using the GUI, you first need to locate the certificate you want to renew in the EMC. Right-click the certificate and select Renew.
In the wizard that appears, provide the path where the .req file should be saved. Once you have completed the wizard, you can supply this .req file to any certification authority that supports your request. I say 'any CA that supports your request' because some CAs do not support the SAN extension included in the request.
Once you submit the contents of the file generated above, your CA will issue a certificate that can be imported here. To import a certificate using the GUI, follow the steps in Exchange 2010 EMC and Certificates Management Part – 2.
PowerShell:
There are a lot of PowerShell lovers by now, and they often find PowerShell easier than the GUI. For all of those:
Find the certificate you need to renew using Get-ExchangeCertificate.
Copy the certificate thumbprint and run the following command to generate the CSR:
Get-ExchangeCertificate -Thumbprint <Thumbprint> | Renew-ExchangeCertificate -GenerateRequest:$True -PrivateKeyExportable:$True
The above command displays the CSR that you need to supply to the CA. Copy the CSR and paste it into the CA's interface.
Once you have downloaded the certificate issued by the CA, use the command below to import it. Make sure you have not removed the certificate request generated by your earlier operation in the EMC or PowerShell: that pending request is what holds the private key the issued certificate pairs with, and without it you will not be able to import the certificate.
Import-ExchangeCertificate  -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.cer -Encoding Byte -ReadCount 0))
If you received your certificate in .pfx format, use:
Import-ExchangeCertificate  -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password
And the final step is to enable it for the services:
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS,IMAP,POP
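The PowerShell steps above, and the note on the local computer store earlier in the post, turned into one repeatable script. This is an added example written for this page, not code from the original post or from Microsoft; it assumes the Exchange 2010 snap-in is loaded (run it from the Exchange Management Shell), that C:\CertRenewal is a scratch folder you control, and that you save the file the CA issues there as <old thumbprint>.cer. It adds the checks the post only hints at: a look for certificates bound to services that are about to expire, a check that the pending request still exists before the import, and a check in Cert:\LocalMachine\My that the imported certificate has its private key before anything is enabled.

```powershell
# Added example (not from the original post). Assumptions: run from the Exchange 2010
# Management Shell on a CAS/HT server; $WorkDir is a scratch folder (placeholder path);
# the CA-issued certificate is saved there as <old thumbprint>.cer.
$ErrorActionPreference = 'Stop'
$WorkDir = 'C:\CertRenewal'   # assumption: where the .req and .cer files are kept
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1: list certificates bound to services that expire within $WarnDays.
function Get-ExpiringExchangeCertificate {
    param([int]$WarnDays = 30)
    $limit = (Get-Date).AddDays($WarnDays)
    Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -ne 'None' -and $_.NotAfter -lt $limit } |
        Select-Object Thumbprint, Subject, NotAfter, Services, HasPrivateKey
}

# Step 2: generate the CSR for one certificate and save it as a .req file for the CA.
# Renew-ExchangeCertificate -GenerateRequest returns the Base64 request text.
function New-RenewalRequest {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $csr = Get-ExchangeCertificate -Thumbprint $Thumbprint |
        Renew-ExchangeCertificate -GenerateRequest:$true -PrivateKeyExportable:$true
    $reqPath = Join-Path $WorkDir "$Thumbprint.req"
    Set-Content -Path $reqPath -Value $csr -Encoding ASCII
    Write-Host "CSR written to $reqPath - submit it to your CA."
    $reqPath
}

# Step 3 (after the CA has issued the certificate): import, verify, enable.
function Complete-Renewal {
    param(
        [Parameter(Mandatory=$true)][string]$OldThumbprint,
        [string]$Services = 'IIS,IMAP,POP'
    )
    $cerPath = Join-Path $WorkDir "$OldThumbprint.cer"
    if (-not (Test-Path $cerPath)) { throw "Issued certificate not found at $cerPath" }

    # The pending request created in step 2 holds the new private key. If it was removed
    # in the EMC or from the store, the import fails; fail early with a clear message.
    $pending = Get-ExchangeCertificate | Where-Object { "$($_.Status)" -eq 'PendingRequest' }
    if (-not $pending) { throw 'No pending certificate request found; generate the CSR again first.' }

    $new = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

    # Cross-check against the local computer's Personal store (the same store the MMC
    # Certificates snap-in shows): without a private key the services cannot use it.
    $stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $new.Thumbprint }
    if (-not $stored -or -not $stored.HasPrivateKey) {
        throw "Certificate $($new.Thumbprint) has no private key in LocalMachine\My; do not enable it."
    }

    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $Services -Confirm:$false
    Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Select-Object Thumbprint, NotAfter, Services
}

# Usage (CAS/HT; on an Edge Transport server run this locally, then re-subscribe the Edge):
#   Get-ExpiringExchangeCertificate -WarnDays 30
#   New-RenewalRequest -Thumbprint <old thumbprint>
#   ... submit the .req to the CA, save the issued file as <old thumbprint>.cer in $WorkDir ...
#   Complete-Renewal -OldThumbprint <old thumbprint> -Services 'IIS,IMAP,POP'
```

The old certificate is deliberately left in place: Enable-ExchangeCertificate moves the service bindings to the new thumbprint, and keeping the old one around for a day or two makes it easy to roll back if a client refuses the new chain.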
The same procedure applies to certificate renewal on the Hub Transport server role, but not to the Edge Transport server role: to manage certificates on an Edge Transport server you must be logged on to the server itself and use PowerShell.
After you have renewed the certificate on an Edge Transport server, you need to re-subscribe it to the site, since the Edge Subscription contains the certificate information as well. Read more about Edge Transport here.
