Renewing Certificate in a Hybrid Exchange On-Premises Environment (Concern of the SMTP Service)

Scenario: The third-party certificate is expiring and needs to be renewed on multiple Exchange On-Premises server that hosts IIS, SMTP, POP, and IMAP. There is concern about the hybrid components for successful SMTP Routing between Exchange On-Premises and Exchange Online since we are moving the SMTP Service to a different certificate.

Solution: The components below will walk you through creating the renewal and the components to look at:

1. Create a Cert request off of the expiring Cert Req (and then hand off to third party cert provider)

$ExpiringCert = "<thumbprint of cert>"
$Req = "\\ExServer\c$\temp\cert\CertRenewal.req"
$Server = "ExServer"

#Run the command to get the .req
$txtrequest = Get-ExchangeCertificate -Thumbprint $ExpiringCert -server $Server | New-ExchangeCertificate -GenerateRequest -privatekeyexportable:$true

[System.IO.File]::WriteAllBytes($req, [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

2. Complete the Pending Exchange Server Request (After downloading the cert from the third party vendor)

$server = "ExServer"
$Renewed_Cert = "\\ExServer\c$\temp\cert\NewCert.crt"
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($Renewed_Cert))  -Server $Server  -privatekeyexportable:$true 

3. Export the new cert (pfx) package so it contains the private and public key/components

$c = "<new cert thumbprint"
$Password = "Batman"
$PFX =  "\\ExServer\c$\temp\cert\NewCert.pfx"
$server = "ExServer"

$cert = Export-ExchangeCertificate -Thumbprint $c -BinaryEncoded -Password (ConvertTo-SecureString -String $Password -AsPlainText -Force) -server $server
[System.IO.File]::WriteAllBytes($PFX, $cert.FileData)

4. Import the Certificate onto multiple servers

$ExchangeServers = get-exchangeserver
$Password = "Batman"
$ | %{
"Running on $_"
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($PFX)) -Password (ConvertTo-SecureString -String $Password -AsPlainText -Force) -server $_

5. Moving Services

      $New_Thumbprint = "<new cert thumbprint>"
      $ExchangeServers = Get-exchangeserver

 #Enable the IMAP,POP,IIS,and SMTP Services to the new cert
 $ | %{
     "Enabling Services on $_"
     Enable-Exchangecertificate -thumbprint $New_Thumbprint -server $_ -services IMAP,POP,IIS,SMTP -confirm:$false -force

6. Restarting Each Service

$ExchangeServers = Get-exchangeserver      

#Restart the Services for IIS, IMAP, POP, and SMTP 
$ | %{
   "Restarting IIS on $_"
   iisreset $_

   "Restarting MSExchangeTransport on $_"
   Get-Service msexchangetransport -ComputerName $_ | Restart-service

   "Restarting IMAP and POP on $_"
   Get-Service msexchangeimap* -ComputerName $_ | Restart-service
   Get-Service msexchangepop* -ComputerName $_ | Restart-service

7. Check Outbound Connector in Exchange Online

#Notes: Our Subjectname didnt change, so we didnt have to do anything here

#Validate "Outbound_To_OnPremises" is configured with the subjectname in the Certificate/SAN

#Log into EAC --> Mail Flow --> Connectors --> Select the "<Outbound_To_OnPremises>" connector --> Edit "Security Restrictions" section if necessary.  The value should reflect a domain name or another identifiable piece of info in the new cert'.

8. Check Exchange On-Premises Receive Connectors

#Notes: We had to fix this one because the new $TLSCert was different than the TLSCertificateName on each Receive Connector; each connector still referenced the original cert.  Fixed by:  Set-ReceiveConnector "$_\Default Frontend $_" -tlsCertificateName $TLSCert

$New_Thumbprint = "<new cert thumbprint>"
$New_Cert = Get-ExchangeCertificate -Thumbprint $New_Thumbprint -server "ExServer"
$TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
$ReceiveConnectors = @()

#Check the TLSCertificateName on all Receive Connectors and compare to $TLSCert
$ | %{$ReceiveConnectors += Get-ReceiveConnector "$_\Default Frontend $_" | Select Identity, TLSCertificateName}

#To fix:    
$ | %{Set-ReceiveConnector "$_\Default Frontend $_" -tlsCertificateName $TLSCert}

9. Check the Exchange On-Premises Transport Service

#Notes: This should be done automatically

$ExchangeServers = Get-exchangeserver   
$TransportService_Cert = @()

#$ | %{$TransportService_Cert +=  get-transportservice $_  |Select Name,InternalTransportCertificateThumbprint}; $TransportService_Cert

10. Check the Exchange On-Premises Hybrid Send Connector “<Outbound to Office 365>”

#Notes: You may need to set this

$SC = "Outbound to Office 365"
$New_Thumbprint = "new cert thumbprint"
$New_Cert = Get-ExchangeCertificate -Thumbprint $New_Thumbprint -server "ExServer"
$New_TLSCertificateName = (‘<I>’+$New_Cert.issuer+'<S>’+$New_cert.subject)

#Verify the TLSCertificateName on the SendConnector
$SendConnector_TLSCertificateName = Get-SendConnector -identity  $SC | Select TLSCertificateName

#Does the $SendConnector_TLSCertificateName match the NEW_TLSCertificateName? If Not, you may need to run the following:
Set-SendConnector "Outbound to Office 365"  -TlsCertificateName $New_TLSCertificateName

11. Check the ExOnline Inbound Connector “Inbound from …”

#Notes: We did need to fix this

$New_Thumbprint = "<thumbprint of new cert>"
$New_Cert = Get-ExchangeCertificate -Thumbprint $New_Thumbprint -server "ExServer"
$New_TLSCertificateName = (‘<I>’+$New_Cert.issuer+'<S>’+$New_cert.subject)

#Set the Inbound Connector with the $New_TLSCertificateName value of the new Cert
  #Connect to Exchange Online PowerShell or the EAC GUI
  #If PowerSHell:
        $ExOnline_TLSSenderCertificateName = Get-InboundConnector "Inbound from ..." | Select TLSSenderCertificateName

#If GUI: Log into EAC --> Mail Flow --> Connectors --> Select the "Inbound from ..." connector --> Edit the "How to identify email sent from your email server" section. 

#To Fix:
#PowerShell: set-InboundConnector "Inbound from ..." -TlsSenderCertificateName $New_TLSCertificateName
#EAC:  Edit the "How to identify email sent from your email server" section with the #New_TLSCertificateNameValue


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: