SSL certificates are issued for a fixed period (historically one, two or more years; public CAs today will not issue for more than about 13 months), so eventually every certificate expires and has to be renewed.
The renewal process involves generating a fresh CSR (Certificate Signing Request) on one of your Exchange Client Access servers. The CSR is then sent to a certification authority (for example VeriSign or Thawte) which checks it and signs it, returning a valid SSL certificate. The private key never leaves the server; only the request containing the public key and the subject details is sent.
To generate a CSR file on an Exchange 2007 Client Access Server running Windows 2008, open the Exchange Management Shell [ START -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell ] and type the following command:
New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 2048 -SubjectName "c=GB, s=Middx, l=MyTown, o=MyCompany, ou=IT, cn=mail.mydomain.com" -PrivateKeyExportable $True
A note on two of the parameters: -KeySize 1024 was common at the time this procedure was written, but 1024-bit RSA keys are no longer accepted by public CAs or trusted by current browsers, so use 2048 or larger. -PrivateKeyExportable $True lets you export the certificate with its private key (needed if you want to copy it to a second Client Access server); if the certificate will only ever live on this one server, omit it so the key cannot be extracted.
The string that you provide after the "-SubjectName" switch is VERY important. It is made up of the following values:
c= [The two-letter country code of the organisation, e.g. GB]
s= [The state or county that you are in]
l= [The locality, i.e. the town or city]
o= [The organisation: the company that you work for, or rather the company the SSL certificate will be issued to. If you have purchased SSL certificates before it is worth making sure the company name is written identically on every certificate, as CAs validate it against their records]
ou= [The organisational unit: the part of the company that will take charge of the certificate. Typically I enter "IT" for this value]
cn= [The common name: this must be the DNS FQDN that users and clients connect to on the Client Access server, for example "owa.mydomain.com" or "mail.mydomain.com". If the name in the browser does not match the CN, clients get a certificate warning]
If clients also reach this server under other names (for example autodiscover.mydomain.com), list them with the -DomainName parameter of New-ExchangeCertificate so that they are included as Subject Alternative Names; a single CN only covers one host name.
This will produce a file in the root of c:\ on the CAS server called "myReq.csr". Its contents are what you submit to the CA (Thawte in this example), normally by pasting them into the CA's renewal web form.
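The CSR step as an added PowerShell example; this is not code from the original article. It generates the request with a 2048-bit key, includes the additional host names clients use as Subject Alternative Names, and then decodes the request with certutil so you can check what you are about to send to the CA. The host names, subject fields and output path are placeholder assumptions, and the certutil check is this example's addition rather than part of the article's procedure.

```powershell
# Added example (not from the original article). Assumed values: host names,
# subject fields and the output path. Run in the Exchange Management Shell.

$hostNames = @('mail.mydomain.com', 'autodiscover.mydomain.com')   # assumed
$subject   = 'c=GB, s=Middx, l=MyTown, o=MyCompany, ou=IT, cn=mail.mydomain.com'
$csrPath   = 'C:\myReq.csr'

# Generate the request. 2048-bit RSA is the minimum public CAs accept today.
# -DomainName adds every listed name as a Subject Alternative Name, so the
# certificate is valid for autodiscover as well as the CN.
New-ExchangeCertificate -GenerateRequest `
    -Path $csrPath `
    -KeySize 2048 `
    -SubjectName $subject `
    -DomainName $hostNames `
    -PrivateKeyExportable $true

# Check the request before sending it: certutil (built into Windows) decodes
# the PKCS#10 file. Confirm the subject, every DNS name you expect, and that
# the key length really is 2048 bits. Fix the request now rather than after
# the CA has issued (and charged for) a certificate with the wrong names.
certutil -dump $csrPath | Select-String -Pattern 'Subject:|DNS Name=|Key Length'
```

If a name is missing from the certutil output, re-run New-ExchangeCertificate with the corrected -DomainName list; each run creates a new key pair, so the CSR you submit must be the last one you generated.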
Once the CA has processed the CSR it returns the signed certificate, usually by e-mail, as a Base64 text block (sometimes called a CRF, Certificate Response File). It looks like the following (the sample below has been partly obfuscated, so it will not decode as a real certificate):
-----BEGIN CERTIFICATE-----
JJkbbssCCAuucgAwIBAgIQcyE6jZgwnFgAq0d7onjMFzANBgkqhkiG9w0BAQUFADCBzj
EEWNNNEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
MR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2VydmVyIENB
MSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29tMB4XDTA4MDcxMTE2M
DU0OFoXDTEwMDcyNjE1NTcxN1owgYYxCzAJBgNVBAYTADDDDDDjujjjjjw87666cvNxMJkeDE
PMA0GA1UEBxMGTG9uZG9uMSswKQYDVQQKEyJMb25kb24gQm9yb3VnaCBvZiBIb3Vuc2xvdyBD
b3VuY2lsMQswCQYDVQQLEwJJVDEcMBoGA1UEAxMTb3dhLmhvdW5zbG93Lmdvdi51azCBnzANB
gkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAolvn0lT1W+cdRFjqOn56tPwHNULjq7LDA/G4ZAIVf9
cl7y4jLKR/6/3x2O/1st8OEcFDFKElmn8dzoA3pG14JL8ZmBTh0RLxtGRw9fHB2ARuYplagoD
LqgA5mzEPo3a3wCKboTaEwKwoeQ9dAp2bGcvs4lMPptI48eoSDhFs/u0CAwEAAaOBpjCBozAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL
2NybC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2ZXJDQS5jcmwwMgYIKwYBBQUHAQEE
JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vpgthennn/ss88877a222129tMAwGA1UdEwE
B/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAuYSyeOUx53TkjCfol2psVY3E9uzMb6P6nrgs2U
uG8BBQlshPkv+te8G2JpaaaaCmcrCV8J0WQN8mRm5443vbdasafJTBxB2PAZfl3GSWEgDIH
q/lg3IOxG43YK4qDWYTu3j/Ngymq8g/d+0VrqkF/AmXWnGMGIQmE3GUnUDXeZKOR8SM=
-----END CERTIFICATE-----
Copy the whole block (including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines) into a plain text file and save it as "owa.cer" (if you save it as "owa.txt" first, simply rename it). Then copy this file to a drive on the CAS server you are working on. If the CA also supplied an intermediate CA certificate, install that into the Local Computer's Intermediate Certification Authorities store as well; without it, the server cannot present the full chain and clients may show a trust warning even though the server certificate itself is valid.
Installing the Certificate on your Client Access Server:
Firstly you need to remove the existing (expired) SSL certificate from your Client Access Server. Bear in mind that between removing the old certificate and enabling the new one the IIS binding has no certificate, so do this outside working hours or, if you cannot, import and enable the new certificate first and remove the old one afterwards. To find the certificate, open the Exchange Management Shell [ START -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell ].
Then type in the following command:
Get-ExchangeCertificate | fl | Out-File -FilePath c:\certs.txt
This will create a text file in the root of C:\ called "certs.txt" which contains the details of every certificate installed on the server.
The property that identifies the certificate you wish to replace is "NotAfter", which is the expiry date; it will already have passed or be very close to passing. Make a note of that certificate's Thumbprint (the long hex string at the end of its entry) and remove it with Remove-ExchangeCertificate, passing the thumbprint. A tip: copy the thumbprint from the text file and paste it into the PowerShell window rather than retyping it, since a single wrong character will either fail or, worse, remove a different certificate.
When you have typed the command and pressed Enter you will be presented with a confirmation message, see below:
Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint 138B6EC5AAE868F495ECCBDA05C1F011B08A7CD3?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Check that the thumbprint in the prompt is the one you intended, then confirm by entering "y" (or "a" for Yes to All) and pressing Enter.
You are now ready to import the new certificate onto the Client Access Server. To do this, type the following command in the PowerShell window (make sure the path you specify matches the location where you placed the new certificate in the earlier steps):
Import-ExchangeCertificate -Path e:\certificates\owa.cer -FriendlyName "owa.mydomain.com"
You should then be presented with the following output; again you will need to make a note of the thumbprint:
Thumbprint                                Services   Subject
----------                                --------   -------
B52842F7408772B7151FF74FDAE914EA7B59B53A  .....      CN=owa.mydomain.com,...
Now that the certificate has been imported into the certificate store you need to enable it for IIS, which is the service OWA (and Outlook Anywhere, ActiveSync, EWS and Autodiscover) runs under. To do this, run the following command in the PowerShell window:
Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS
The new certificate should now be installed. You can confirm this by running Get-ExchangeCertificate again:
The output should be:
Thumbprint                                Services   Subject
----------                                --------   -------
B52842F7408772B7151FF74FDAE914EA7B59B53A  ...W.      CN=owa.mydomain.com,...
The key things to note are the "W" under Services (this signifies that the certificate has been enabled for IIS, i.e. the web services including OWA) and that the thumbprint matches the one you typed in previously. As a final check, browse to https://owa.mydomain.com/owa from a client and confirm the browser shows no certificate warning and reports the new expiry date.
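The install steps above (find the old certificate, import, enable for IIS, verify) as one added PowerShell script; this is not code from the original article. It differs from the article's order in one respect: it imports and enables the new certificate first, verifies the binding by re-reading the certificate store, and only then removes the superseded certificate, so IIS is never left without a certificate. The .cer path, friendly name and host name are assumed placeholders.

```powershell
# Added example (not from the original article). Assumed values: the .cer
# path, the friendly name and the host name in the subject.
# Run in the Exchange Management Shell on the Client Access Server.

$cerPath      = 'E:\certificates\owa.cer'   # assumed location of the CA response
$friendlyName = 'owa.mydomain.com'          # assumed
$hostName     = 'owa.mydomain.com'          # assumed
$cnPattern    = 'CN=' + [regex]::Escape($hostName)

# 1. Identify the certificate currently bound to IIS for this host name.
#    Services is a flags enumeration; -match on it works on its string form
#    (e.g. "IIS, SMTP"), which is also what the "W" in the table view means.
$old = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and $_.Subject -match $cnPattern } |
    Select-Object -First 1
if ($old) {
    'Current IIS certificate {0} expires {1}' -f $old.Thumbprint, $old.NotAfter
}

# 2. Import the CA's response. Capture the returned object so the thumbprint
#    comes from the store rather than from retyping a 40-character hex string.
$new = Import-ExchangeCertificate -Path $cerPath -FriendlyName $friendlyName

# 3. Refuse to go further if the CA issued something other than what we asked for.
if ($new.Subject -notmatch $cnPattern) {
    throw "Imported certificate subject '$($new.Subject)' does not contain CN=$hostName"
}
if ($new.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Imported certificate expires too soon: $($new.NotAfter)"
}

# 4. Bind the new certificate to IIS (OWA, Outlook Anywhere, ActiveSync, EWS, Autodiscover).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# 5. Verify by reading the store back, not by trusting the cmdlet's echoed table.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Services -notmatch 'IIS') {
    throw "Certificate $($new.Thumbprint) is not enabled for IIS; old certificate left in place"
}
'New IIS certificate {0} valid until {1}' -f $check.Thumbprint, $check.NotAfter

# 6. Only now remove the superseded certificate, and never the one just enabled.
if ($old -and $old.Thumbprint -ne $new.Thumbprint) {
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    'Removed old certificate {0}' -f $old.Thumbprint
}
```

The expiry guard in step 3 is deliberate: CAs occasionally re-send the previous certificate or a short-lived test issuance, and binding that to IIS would put you straight back into the outage you are trying to avoid.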