Back in April 2009 I wrote something about How to renew a self signed certificate in Exchange Server 2007 and then later Exchange 2010 EMC and Certificates Management Part – 1 and Exchange 2010 EMC and Certificates Management Part – 2
I am sure a lot of you have found these posts helpful. All of these posts however did not talk about the certificates issued by public CAs. I thought it would be even more helpful to put up a separate post that would talk more about the certificate renewal process in Exchange 2010 which indeed would cover few steps for Exchange 2007 certificate renewals as well.
If you run through the Exchange 2010 EMC and Certificate Management posts you would know how it really works when you are preparing, requesting and assigning a new certificate to your Exchange 2010 CAS and HT servers but these posts do not talk about renewal of the certificates once you assign them and they are just about to expire :-O
A little bit of stuff that you may or you may not know:
Whenever you work with certificates on an Exchange server role installed on any OS, you are dealing with the local computer certificate store of that OS, which is easily accessible via Start –> Run –> MMC –> Add/Remove Snap-in –> Certificates –> Local Computer. Just take a look at the local computer’s Personal certificate store and you won’t be surprised to see these certificates in there. The only reason I bring this point up in this post is that you may really need to run through this store if you experience something that was mentioned in one of my previous posts, Missing Private Key on Exchange Certificate.
So let’s have a look at what is it and how to do it!
Just like the two posts linked above, which talk about how to manage Exchange certificates using the GUI, you need to locate the certificate that you want to renew in the EMC. Right-click the certificate and select Renew.
Provide a path in the wizard that appears; it will save a .req file there. Once you have completed the wizard you are ready to supply this .req file to any certification authority that supports your request. The reason I said ‘any CA that supports your request’ is that some CAs do not support the SAN extension supplied in the request.
Once you supply the contents of the file generated above, your CA will provide you a certificate that can be imported here. To import a certificate using the GUI, follow the steps mentioned in Exchange 2010 EMC and Certificates Management Part – 2.
We have a lot of PowerShell lovers by now, and they feel PowerShell is much easier than the GUI sometimes. For all of those:
Find the certificate you need to renew using Get-ExchangeCertificate
Copy the certificate thumbprint and run the following command to generate the CSR:
Get-ExchangeCertificate -Thumbprint <Thumbprint> | Renew-ExchangeCertificate -GenerateRequest:$True -PrivateKeyExportable:$True
The above command displays the CSR that needs to be supplied to the CA. Copy the CSR and paste it into the CA’s interface.
Once you have downloaded the certificate issued by the CA, use the command below to import it. Make sure that you have not removed the pending certificate request generated by your last operation in the EMC or PowerShell: that pending request is what holds the private key, and without it you end up in another situation where you are not able to import the certificate.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.cer -Encoding Byte -ReadCount 0))
If you have received your certificate in .pfx format then use
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password
And the final stage is to enable it for the services:
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS,IMAP,POP
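The same PowerShell steps put together as a small renewal helper (an added example, not code from the original post): it lists the certificates that expire within a given number of days, writes a CSR for each, records which services the old certificate serves, and after the CA has issued the new certificate imports it, checks that the private key came along with it, and enables it for exactly the services the old one had. It assumes the Exchange Management Shell on the CAS/HT server and a writable folder C:\CertRenewal (placeholder path).

```powershell
# Added example: assumes the Exchange Management Shell; C:\CertRenewal is a placeholder.
$Days   = 30
$OutDir = 'C:\CertRenewal'
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Step 1: find public-CA certificates that are valid now but expire within $Days,
# save their service assignment and generate the renewal CSR for each.
function Start-ExchangeCertRenewal {
    $expiring = Get-ExchangeCertificate | Where-Object {
        -not $_.IsSelfSigned -and $_.Status -eq 'Valid' -and
        $_.NotAfter -lt (Get-Date).AddDays($Days)
    }
    foreach ($cert in $expiring) {
        Write-Host ("Expires {0:yyyy-MM-dd}: {1} [{2}] services={3}" -f `
            $cert.NotAfter, $cert.Subject, $cert.Thumbprint, $cert.Services)
        # Remember the old certificate's services so the renewed one gets the same set.
        $cert | Select-Object Thumbprint, Subject, NotAfter, Services, CertificateDomains |
            Export-Clixml -Path (Join-Path $OutDir "$($cert.Thumbprint).old.xml")
        # The renewal leaves a pending request (holding the new private key) in the
        # local computer store. Do not delete it before the issued cert is imported.
        Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
            Renew-ExchangeCertificate -GenerateRequest:$true -PrivateKeyExportable:$true `
                -RequestFile (Join-Path $OutDir "$($cert.Thumbprint).req")
    }
}

# Step 2: once the CA has returned the .cer, import it, verify the private key is
# present (it is missing when the pending request was removed) and enable the
# same services the old certificate served.
function Complete-ExchangeCertRenewal {
    param([string]$OldThumbprint, [string]$NewCerFile)
    $old      = Import-Clixml -Path (Join-Path $OutDir "$OldThumbprint.old.xml")
    $imported = Import-ExchangeCertificate -FileData (
        [Byte[]]$(Get-Content -Path $NewCerFile -Encoding Byte -ReadCount 0))
    if (-not $imported.HasPrivateKey) {
        throw "Imported certificate $($imported.Thumbprint) has no private key; was the pending request removed?"
    }
    if ("$($old.Services)" -eq 'None') {
        Write-Warning "Old certificate served no services; nothing enabled."
        return $imported
    }
    Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services "$($old.Services)"
    Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
}

# Usage: Start-ExchangeCertRenewal, submit the .req to the CA, then
# Complete-ExchangeCertRenewal -OldThumbprint <old> -NewCerFile C:\CertRenewal\issued.cer
```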
The same procedure applies to Hub Transport Server Role certificate renewal as well, but not to the Edge Transport Server Role. To manage certificates on the Edge Transport Server Role you must be logged on to the server and use PowerShell.
After you have renewed the certificate on an Edge Transport server, you need to resubscribe it to the site, since the Edge Subscription contains the certificate information too. Read more about Edge Transport here.