Scenario: The third-party certificate is expiring and needs to be renewed on multiple Exchange On-Premises server that hosts IIS, SMTP, POP, and IMAP. There is concern about the hybrid components for successful SMTP Routing between Exchange On-Premises and Exchange Online since we are moving the SMTP Service to a different certificate.
Solution: The components below will walk you through creating the renewal and the components to look at:
1. Create a Cert request off of the expiring Cert Req (and then hand off to third party cert provider)
#Variable
$ExpiringCert = "<thumbprint of cert>"
$Req = "\\ExServer\c$\temp\cert\CertRenewal.req"
$Server = "ExServer"
#Run the command to get the .req
$txtrequest = Get-ExchangeCertificate -Thumbprint $ExpiringCert -server $Server | New-ExchangeCertificate -GenerateRequest -privatekeyexportable:$true
[System.IO.File]::WriteAllBytes($req, [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
2. Complete the Pending Exchange Server Request (After downloading the cert from the third party vendor)
#Variable
$server = "ExServer"
$Renewed_Cert = "\\ExServer\c$\temp\cert\NewCert.crt"
$Renewed_Cert
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($Renewed_Cert)) -Server $Server -privatekeyexportable:$true
3. Export the new cert (pfx) package so it contains the private and public key/components
#Variables
$c = "<new cert thumbprint"
$Password = "Batman"
$PFX = "\\ExServer\c$\temp\cert\NewCert.pfx"
$server = "ExServer"
$cert = Export-ExchangeCertificate -Thumbprint $c -BinaryEncoded -Password (ConvertTo-SecureString -String $Password -AsPlainText -Force) -server $server
[System.IO.File]::WriteAllBytes($PFX, $cert.FileData)
4. Import the Certificate onto multiple servers
$ExchangeServers = get-exchangeserver
$Password = "Batman"
$ExchangeServers.name | %{
"Running on $_"
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($PFX)) -Password (ConvertTo-SecureString -String $Password -AsPlainText -Force) -server $_
}
5. Moving Services
#Variables
$New_Thumbprint = "<new cert thumbprint>"
$ExchangeServers = Get-exchangeserver
#Enable the IMAP,POP,IIS,and SMTP Services to the new cert
$ExchangeServers.name | %{
"Enabling Services on $_"
Enable-Exchangecertificate -thumbprint $New_Thumbprint -server $_ -services IMAP,POP,IIS,SMTP -confirm:$false -force
}
6. Restarting Each Service
#Variables
$ExchangeServers = Get-exchangeserver
#Restart the Services for IIS, IMAP, POP, and SMTP
$ExchangeServers.name | %{
"Restarting IIS on $_"
iisreset $_
"Restarting MSExchangeTransport on $_"
Get-Service msexchangetransport -ComputerName $_ | Restart-service
"Restarting IMAP and POP on $_"
Get-Service msexchangeimap* -ComputerName $_ | Restart-service
Get-Service msexchangepop* -ComputerName $_ | Restart-service
}
7. Check Outbound Connector in Exchange Online
#Notes: Our Subjectname didnt change, so we didnt have to do anything here
#Validate "Outbound_To_OnPremises" is configured with the subjectname in the Certificate/SAN
#Log into EAC --> Mail Flow --> Connectors --> Select the "<Outbound_To_OnPremises>" connector --> Edit "Security Restrictions" section if necessary. The value should reflect a domain name or another identifiable piece of info in the new cert'.
8. Check Exchange On-Premises Receive Connectors
#Notes: We had to fix this one because the new $TLSCert was different than the TLSCertificateName on each Receive Connector; each connector still referenced the original cert. Fixed by: Set-ReceiveConnector "$_\Default Frontend $_" -tlsCertificateName $TLSCert
#Variables:
$New_Thumbprint = "<new cert thumbprint>"
$New_Cert = Get-ExchangeCertificate -Thumbprint $New_Thumbprint -server "ExServer"
$TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
$ReceiveConnectors = @()
#Check the TLSCertificateName on all Receive Connectors and compare to $TLSCert
$ExchangeServers.name | %{$ReceiveConnectors += Get-ReceiveConnector "$_\Default Frontend $_" | Select Identity, TLSCertificateName}
#To fix:
$ExchangeServers.name | %{Set-ReceiveConnector "$_\Default Frontend $_" -tlsCertificateName $TLSCert}
9. Check the Exchange On-Premises Transport Service
#Notes: This should be done automatically
#Variables
$ExchangeServers = Get-exchangeserver
$TransportService_Cert = @()
#Loop
#$ExchangeServers.name | %{$TransportService_Cert += get-transportservice $_ |Select Name,InternalTransportCertificateThumbprint}; $TransportService_Cert
10. Check the Exchange On-Premises Hybrid Send Connector “<Outbound to Office 365>”
#Notes: You may need to set this
#Variables
$SC = "Outbound to Office 365"
$New_Thumbprint = "new cert thumbprint"
$New_Cert = Get-ExchangeCertificate -Thumbprint $New_Thumbprint -server "ExServer"
$New_TLSCertificateName = (‘<I>’+$New_Cert.issuer+'<S>’+$New_cert.subject)
#Verify the TLSCertificateName on the SendConnector
$SendConnector_TLSCertificateName = Get-SendConnector -identity $SC | Select TLSCertificateName
#Does the $SendConnector_TLSCertificateName match the NEW_TLSCertificateName? If Not, you may need to run the following:
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $New_TLSCertificateName
11. Check the ExOnline Inbound Connector “Inbound from …”
#Notes: We did need to fix this
#Variables
$New_Thumbprint = "<thumbprint of new cert>"
$New_Cert = Get-ExchangeCertificate -Thumbprint $New_Thumbprint -server "ExServer"
$New_TLSCertificateName = (‘<I>’+$New_Cert.issuer+'<S>’+$New_cert.subject)
#Set the Inbound Connector with the $New_TLSCertificateName value of the new Cert
#Connect to Exchange Online PowerShell or the EAC GUI
#If PowerSHell:
$ExOnline_TLSSenderCertificateName = Get-InboundConnector "Inbound from ..." | Select TLSSenderCertificateName
#If GUI: Log into EAC --> Mail Flow --> Connectors --> Select the "Inbound from ..." connector --> Edit the "How to identify email sent from your email server" section.
#To Fix:
#PowerShell: set-InboundConnector "Inbound from ..." -TlsSenderCertificateName $New_TLSCertificateName
#EAC: Edit the "How to identify email sent from your email server" section with the #New_TLSCertificateNameValue
Ex-Shell 