SSL certificates are issued for a fixed period, typically one, two or more years, and eventually they expire and need to be renewed.
The renewal process involves generating a fresh CSR (Certificate Signing Request) on one of your Exchange Client Access servers. This is then sent to a certification authority (e.g. VeriSign), which signs the request and returns a valid SSL certificate.
Creating a Certificate
To generate a CSR file on a Client Access Server running Windows Server 2008, open the Exchange Management Shell and type the following command:
New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 2048 -SubjectName "c=GB, s=Middx, o=MyCompany, ou=IT, cn=owa.mydomain.com" -PrivateKeyExportable $True
The string that you provide after the -SubjectName switch is very important. It is an X.500 distinguished name made up of the following values: c is the two-letter country code, s the state or county, o the organisation (the company name; note that this is o, not i, which is the initials attribute), ou the organisational unit or department, and cn the common name, which must be the host name that clients connect to (owa.mydomain.com in this example, matching the certificate installed below). Use a 2048-bit key: public CAs no longer accept 1024-bit requests. -PrivateKeyExportable $True lets you later export the certificate together with its private key for use on other CAS servers; if this server is the only one that will ever use the certificate, set it to $False so the key cannot be exported.
This will produce a file in the root of the C drive on the CAS server called myReq.csr. Send this file to your certification authority.
Once the CA has processed the CSR you will be provided with a CRF (Certificate Response File), usually returned via email, which looks like the following:
-----BEGIN CERTIFICATE-----
JJkbbssCCAuucgAwIBAgIQcyE6jZgwnFgAq0d7onjMFzANBgkqhkiG9w0BAQUFADCBzj...
-----END CERTIFICATE-----
Copy the CRF (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into a text file called owa.txt and then rename the file owa.cer. Copy this file to a drive on the CAS server where you are working. If the CA also supplies one or more intermediate certificates, install those into the computer's Intermediate Certification Authorities store as well, otherwise clients will be unable to build the chain and will report the certificate as untrusted.
Installing a Certificate (CAS)
Firstly you need to remove the existing (expired) SSL certificate from your Client Access Server. Note that this leaves the web site with no usable certificate until the new one is enabled below; if the old certificate has not yet expired and you need to avoid an outage, import and enable the new certificate first and remove the old one last. Open the Exchange Management Shell and type the following command:
Get-ExchangeCertificate | fl | Out-File -FilePath c:\certs.txt
This will create a text file in the root of the C drive called certs.txt which contains the details (Subject, NotBefore, NotAfter, Services, Thumbprint and so on) of every certificate installed on the server.
The key property that identifies the certificate you wish to replace is NotAfter. This is the expiry date, which should already have passed or be very close. Check the Subject as well, so that you do not pick the self-signed certificate Exchange setup created for its other services. Make a note of the Thumbprint (the long hexadecimal string after the Thumbprint field) and then type in the following command:
Remove-ExchangeCertificate -Thumbprint <thumbprint that you noted down>
A tip here is to copy the thumbprint from the text file above and paste it into the PowerShell window. When you have typed the command and pressed ENTER you will be presented with the confirmation message:
Are you sure you want to perform this action?
Remove certificate with thumbprint 138B6EC5AAE868F495ECCBDA05C1F011B08A7CD3?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Confirm the action by entering Y (or A) and pressing ENTER. You are now ready to import the new certificate onto the Client Access Server. To do this, type the following command in the PowerShell window (ensure that the path you specify to the certificate file matches the location where you placed the new certificate in the earlier steps):
Import-ExchangeCertificate -Path e:\certificates\owa.cer -FriendlyName "owa.mydomain.com"
You should then be presented with the following output (again here you will need to make a note of the thumbprint):
Thumbprint                               Services Subject
----------                               -------- -------
B52842F7408772B7151FF74FDAE914EA7B59B53A .....    CN=owa.mydomain.com,...
Now that the certificate has been imported into the certificate store you need to enable it for IIS, which covers OWA along with the other web services (Exchange Web Services, ActiveSync, Autodiscover and OAB distribution). To do this run the following command in the PowerShell window:
Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS
The new certificate should now be installed. You can confirm this by running the following command:
Get-ExchangeCertificate
The output of which should be:
B52842F7408772B7151FF74FDAE914EA7B59B53A ...W.    CN=owa.mydomain.com,...
The key things to note here are the W under Services, which signifies that the certificate has been enabled for IIS (W for Web, the service OWA runs under), and that the thumbprint matches the one you typed in previously. A browser connection to https://owa.mydomain.com/owa should now present the new certificate.
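The whole renewal, wrapped in two functions so that the expiring certificate is selected by its NotAfter date rather than by eye and the old certificate is only removed once the new one is confirmed enabled for IIS. This is an added example and not code from the original article; it assumes the Exchange 2007 SP1 cmdlet syntax used above (-Path on New-ExchangeCertificate and Import-ExchangeCertificate), that it is run from the Exchange Management Shell on the CAS, and the host name owa.mydomain.com, the organisation details and the file paths are placeholders. The function names New-RenewalRequest and Install-RenewedCertificate are invented for this example.

```powershell
# Added example (not from the original article). Assumes Exchange 2007 SP1 cmdlets
# run from the Exchange Management Shell on the Client Access Server. Host names,
# organisation details and paths below are placeholders.

function New-RenewalRequest {
    param(
        [string]$CommonName   = 'owa.mydomain.com',   # assumed host name clients connect to
        [string]$Organisation = 'MyCompany',          # assumed organisation name
        [string]$RequestPath  = 'C:\owa-renewal.csr'  # assumed output path for the CSR
    )
    # O= is the organisation attribute (I= would be "initials"). 2048-bit RSA: public
    # CAs reject 1024-bit requests. The key is exportable so it can be moved to other
    # CAS servers; pass $false here if this server is the only one that will use it.
    $subject = "C=GB, S=Middx, O=$Organisation, OU=IT, CN=$CommonName"
    New-ExchangeCertificate -GenerateRequest -Path $RequestPath -KeySize 2048 `
        -SubjectName $subject -DomainName $CommonName -PrivateKeyExportable $true
    Write-Host "CSR written to $RequestPath. Submit it to the CA and save the reply as a .cer file."
}

function Install-RenewedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,  # CA response saved as owa.cer
        [string]$CommonName       = 'owa.mydomain.com',
        [int]   $ExpiryWindowDays = 30                   # also remove certs expiring within this window
    )
    # 1. Import the signed certificate. It is matched to the pending request (and the
    #    private key) created by New-RenewalRequest on this server.
    $new = Import-ExchangeCertificate -Path $CerPath -FriendlyName $CommonName
    if ($new.Subject -notmatch "CN=$([regex]::Escape($CommonName))") {
        throw "Imported certificate subject '$($new.Subject)' does not contain CN=$CommonName"
    }
    if (-not $new.HasPrivateKey) {
        throw "Imported certificate has no private key. Was the CSR generated on this server?"
    }

    # 2. Enable it for IIS (OWA, EWS, ActiveSync, Autodiscover, OAB) before touching the
    #    old certificate, so the web site is never left without a usable binding.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

    # 3. Verify the binding took: Services must now include IIS (shown as 'W' in the
    #    summary view of Get-ExchangeCertificate).
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ("$($check.Services)" -notmatch 'IIS') {
        throw "Certificate $($new.Thumbprint) was imported but is not enabled for IIS"
    }

    # 4. Only now remove certificates for the same name that have expired or are about
    #    to, never the one just installed and never the self-signed cert for other names.
    $cutoff = (Get-Date).AddDays($ExpiryWindowDays)
    Get-ExchangeCertificate |
        Where-Object {
            $_.Thumbprint -ne $new.Thumbprint -and
            $_.Subject -match "CN=$([regex]::Escape($CommonName))" -and
            $_.NotAfter -lt $cutoff
        } |
        ForEach-Object {
            Write-Host "Removing $($_.Thumbprint) (NotAfter $($_.NotAfter))"
            Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false
        }

    # Final state for the operator to check, as in the closing step above.
    Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
}

# Usage, in two separate sessions with the CA round trip in between:
#   New-RenewalRequest
#   Install-RenewedCertificate -CerPath 'E:\certificates\owa.cer'
```

The order here deliberately differs from the article's remove-then-import sequence: the new certificate is imported, enabled and verified first, and the expiring one is removed last, so there is no window in which IIS has no valid certificate to serve. Certificates whose Subject does not contain the renewed common name are left alone, which keeps the self-signed certificate Exchange uses for SMTP and other services intact.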