New Exchange 2007 certificate

  • Question

  • I paid for another few years through GoDaddy. I have the command for generating the new CSR, but I forgot how to apply the certificate once it's been downloaded. 

    First I'd need to check to see what protocols I'm currently using. How would I find out? 

    Second, the command needed to apply the SSL. We currently have 2 Exchange servers, each with all Exchange roles enabled. There is no load balancing or DAG configured. 

    Do I need to generate a CSR on each server? What would be the correct order of processes to perform? 

    thanks
    Monday, February 18, 2013 5:45 PM

Answers

  • Import-ExchangeCertificate -Path C:\Certificates\Cert.cer
    

    When you run Import-ExchangeCertificate, you can pipe the output to the Enable-ExchangeCertificate cmdlet and do it all in one line so you don't have to copy and paste the thumbprint.

    Import-ExchangeCertificate -Path C:\Certificates\Cert.cer | Enable-ExchangeCertificate -Services IIS,SMTP,POP,IMAP
    
    Do not remove the default self-signed certificate; Exchange wants to see that one there for SMTP as well.  SMTP should be the only service bound to it once you do the above.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, February 19, 2013 9:09 PM
    Moderator

All replies

  • First, you can just enable them all:  IIS, SMTP, IMAP, POP.

    Second, the command depends on the parameters when you issued the certificate request and what you got back.  You complete the certificate request using Import-ExchangeCertificate and then use Enable-ExchangeCertificate to apply it to services.  What version of Exchange are you running?  It's assumed that there's no DAG since you're asking in an Exchange 2003/2007 forum.  In any case a DAG has no impact on the certificate, which is a CAS thing.

    In general, once you've installed a certificate on one CAS, you can export it and import it into other CASes that use the same hostname.  Be sure to specify that the private key is exportable when you generate the certificate request.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, February 19, 2013 6:43 AM
    Moderator
  • Hi Frank,

    Try the cmdlet "Get-ExchangeCertificate | FL"; it would help identify the current certs and their configuration.

    And then you may create a new certificate request file based on your organization namespaces. Generally, all server names and URLs are recommended to be included.

    Refer to: http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx


    Fiona Liao
    TechNet Community Support

    Tuesday, February 19, 2013 2:40 PM
    Moderator
  • For the "import-ExchangeCertificate" command, would the syntax be: "import-ExchangeCertificate -PATH-TO-FILE"?

    Also, if I remember correctly, I need to use a command to get the HEX ID for the exchange certificate, so that I can use it with the enable-exchangecertificate command, right? If so, what would be that command?

    Finally, would the final command go as follows: enable-exchangecertificate -HEX ID -Services?

    Tuesday, February 19, 2013 4:58 PM
  • http://technet.microsoft.com/en-us/library/bb124424(v=exchg.141).aspx &

    Have a look at the examples here:

    http://technet.microsoft.com/en-us/library/aa997231(v=exchg.141).aspx


    Sukh

    Tuesday, February 19, 2013 7:49 PM
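
The steps discussed in this thread, put together as an added example for the Exchange 2007 Management Shell (not code from any of the posters or from Microsoft): record the current bindings, import the CA's response, check the certificate before binding it, enable it, and export it for the second server. The PFX path and the hostnames in `$expectedNames` are assumed placeholders; only `C:\Certificates\Cert.cer` comes from the thread.

```powershell
# Added example; run in the Exchange Management Shell on the server that created the CSR.
$cerPath       = 'C:\Certificates\Cert.cer'    # path used in the thread
$pfxPath       = 'C:\Certificates\Cert.pfx'    # assumed export location
$expectedNames = @('mail.example.com', 'autodiscover.example.com')   # placeholder hostnames
$services      = 'IIS,SMTP,POP,IMAP'

# 1. Record which certificate is bound to which services before changing anything.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# 2. Import the CA's response; the matching private key only exists on this server.
$cert = Import-ExchangeCertificate -Path $cerPath

# 3. Refuse to bind a certificate that is unusable or does not cover the expected names.
#    Exact names only; wildcard entries are not matched by this check.
$problems = @()
if (-not $cert.HasPrivateKey)      { $problems += 'no private key: import on the server that created the CSR' }
if ($cert.NotAfter -lt (Get-Date)) { $problems += 'certificate is already expired' }
$domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
foreach ($name in $expectedNames) {
    if ($domains -notcontains $name) { $problems += "hostname not covered: $name" }
}
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return }

# 4. Bind the certificate to the services, then confirm the binding.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Thumbprint, Services, NotAfter

# 5. The default self-signed certificate should still be present (kept for SMTP).
Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned } | Format-List Thumbprint, Services

# 6. Export with the private key for the second server.
#    This works only if the CSR was generated with an exportable private key.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -Path $pfxPath `
    -BinaryEncoded:$true -Password $pfxPassword

# 7. On the second server, after copying the PFX over:
# Import-ExchangeCertificate -Path $pfxPath -Password $pfxPassword |
#     Enable-ExchangeCertificate -Services $services
# Delete the PFX from both servers afterwards; it contains the private key.
```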