
SSL renewal for External OWA access to ex2k7


  • SSL renewal for External OWA access to ex2k7

    In the past, I have always used an internal CA for Exchange 2007's SSL certificate. I have a customer that has the default website in IIS (on the Exchange 2007 server) coming for renewal. However, the only name in the existing certificate is They have an existing wildcard certificate of * from a different provider.

    What is the best method of renewing the SSL certificate, seeing that it is Exchange 2007? Would I need to use PowerShell for the renewal, or can I create a dummy website, do the CSR request and certificate import, and then replace the existing SSL certificate via IIS?

    Help appreciated. They do not wish to purchase another SSL certificate of a SAN or UC.

  • #2
    Re: SSL renewal for External OWA access to ex2k7

    I contacted the SSL provider, and part of the package allows me to request a re-issue of the certificate for another server. I have made a CSR request via PowerShell and submitted this to them. I will post back how the import goes.


    • #3
      Re: SSL renewal for External OWA access to ex2k7

      You don't need a dummy web site because the certificate is managed by Exchange.
      You can request and import the certificate in EMS. Then when you are ready you can enable it for the required services.

      Note that a wildcard certificate is not always suitable. Exchange 2007 requires a number of names to be in the certificate, including the server's NetBIOS name and internal FQDN. A wildcard certificate does not cover the NetBIOS name. While you can change things around, it is not recommended and can actually lead to complications. Exchange 2007 was designed to be used with a SAN/UC certificate, which is often cheaper than a wildcard certificate.

      Simon Butler
      Exchange MVP


      Sembee is a registered trademark, used here with permission.


      • #4
        Re: SSL renewal for External OWA access to ex2k7

        I see. Thanks Sembee.


        • #5
          Re: SSL renewal for External OWA access to ex2k7

          To update everyone, I carried these steps out in the end.

          As the wildcard SSL certificate had already been purchased, I decided to request a re-issue of the certificate from the provider. This comes with a licence for installation on 3 servers.

          I first made the CSR request for the re-issue. This command was used.

          New-ExchangeCertificate -GenerateRequest -SubjectName "c=GB, o=*, cn=*, s=LONDON, l=LONDON" -PrivateKeyExportable $true -Path c:\certificates\CSR.globalsign.req

          When I received the new certificates, I copied the intermediate certificate into a Notepad file and saved it with a .cer extension. This external provider required installation of the intermediate certificate on the server.

          Open MMC
          Select File > Add/Remove Snap In
          Select Add
          Select Certificates > Add
          Select Computer Account > Next
          Local Computer > Finish > Close > OK
          Select Certificates > Intermediate Certification Authorities > Certificates
          Right-Click Certificates > All-Tasks > Import
          The Import Wizard will start, follow the instructions to import the intermediate certificate and close MMC.

          I then pasted the re-issued certificate into a Notepad file, saved it locally on the Exchange server and gave it a .cer extension.

          I then needed to find out the thumbprint ID and status of the current active SSL certificate.

          This command was used.

          (1) Get-ExchangeCertificate | fl | out-file -filePath c:\certs.txt

          I managed to obtain the thumbprint ID of the current SSL certificate assigned to IIS.

          Then I removed the current SSL certificate using the below.

          (2) Remove-ExchangeCertificate -thumbprint <thumbprint that you noted down>

          Then imported the re-issued SSL certificate.

          (3) Import-ExchangeCertificate -path c:\certificates\NameOfRe-issedCert_WildCard.cer.cer -FriendlyName "*"

          I then needed to enable the SSL certificate for IIS, POP and IMAP.

          (4) Enable-ExchangeCertificate -Thumbprint [paste thumbprint here] -Services "IMAP, POP, IIS"

          I obtained the thumbprint by running command 1 above again.

          POP and IMAP wouldn't configure with the SSL certificate, as the internal self-signed certificates took precedence (the PowerShell window stated this).

          Having researched this earlier on in the job, I believe the POP and IMAP services in Exchange 2007 don't like wildcards.

          I then tested the OWA address. It was using the new certificate.
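
The renewal described in the post above, gathered into one script for the Exchange 2007 Management Shell. This is an added example, not the poster's own commands and not anything from the thread's participants: it reads the re-issued file first, checks that the wildcard CN actually covers the public host name (a wildcard matches one left-most label only, which is why it never covers the NetBIOS name Sembee mentions), checks that the chain builds (i.e. the provider's intermediate has been imported), imports and binds the certificate, sets the POP/IMAP X509CertificateName that a wildcard needs, confirms from the client side that OWA serves the new thumbprint, and only then removes the old certificate once nothing is bound to it. The file path, the public host name and the friendly name are assumptions; change them for the environment in question. PowerShell 1.0 syntax is used throughout (no try/catch, no splatting), since that is what EMS on Exchange 2007 runs.

```powershell
# Added example (not the poster's commands): the renewal above as one script for the
# Exchange 2007 Management Shell. PowerShell 1.0 syntax, so no try/catch or splatting.
# Assumed values, change them for the environment in question:
$NewCertPath  = "C:\certificates\wildcard-reissued.cer"   # assumed: re-issued cert saved from the provider
$PublicName   = "mail.example.com"                        # assumed: name OWA/POP/IMAP clients connect to
$FriendlyName = "Wildcard (re-issued)"                    # assumed
$ErrorActionPreference = "Stop"

# A wildcard covers exactly one left-most label: *.example.com matches mail.example.com,
# but not example.com, not host.sub.example.com and not the server's NetBIOS name.
function Test-NameCovered([string]$pattern, [string]$hostName) {
    $p = $pattern.ToLower(); $h = $hostName.ToLower()
    if (-not $p.StartsWith("*.")) { return ($p -eq $h) }
    $suffix = $p.Substring(1)                               # ".example.com"
    if (-not $h.EndsWith($suffix)) { return $false }
    $left = $h.Substring(0, $h.Length - $suffix.Length)
    return (($left.Length -gt 0) -and ($left.IndexOf(".") -lt 0))
}

# Thumbprint actually served on a URL, read from the TLS session rather than from the store.
function Get-ServedThumbprint([string]$url) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = "HEAD"
    $req.AllowAutoRedirect = $false      # OWA answers with a 302 to the logon page; that is enough
    $resp = $req.GetResponse()
    $resp.Close()
    return $req.ServicePoint.Certificate.GetCertHashString()
}

# 1. Read the file first: its thumbprint identifies the store entry after import, its CN must
#    cover the public name, and its chain must build (intermediate installed) before we touch anything.
$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewCertPath
$cn = ""
if ($file.Subject -match "CN=([^,]+)") { $cn = $matches[1] }
if (-not (Test-NameCovered $cn $PublicName)) {
    throw "Certificate CN '$cn' does not cover '$PublicName'; this is the case for a SAN/UC certificate."
}
if (-not $file.Verify()) {
    throw "Chain does not build; import the provider's intermediate into Local Computer\Intermediate Certification Authorities first."
}

# 2. Note what IIS is bound to today, so there is a rollback target.
$oldIis = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" })
foreach ($c in $oldIis) { Write-Host "IIS currently uses $($c.Thumbprint) (expires $($c.NotAfter))" }

# 3. Import, then re-read from the store so we see the private key that
#    New-ExchangeCertificate -GenerateRequest left on this server (the CSR must have been made here).
Import-ExchangeCertificate -Path $NewCertPath -FriendlyName $FriendlyName | Out-Null
$new = Get-ExchangeCertificate -Thumbprint $file.Thumbprint
if (-not $new.HasPrivateKey) { throw "No private key for $($new.Thumbprint); was the CSR generated on this server?" }

# 4. Bind. POP and IMAP select their certificate by X509CertificateName, which must equal the
#    host name clients use; a wildcard never equals that name, so set it explicitly and restart both services.
Set-PopSettings  -X509CertificateName $PublicName
Set-ImapSettings -X509CertificateName $PublicName
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IIS, POP, IMAP"
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# 5. Verify from the client side (assumes $PublicName resolves to this server from here),
#    then drop the old certificate only once nothing is bound to it.
$served = Get-ServedThumbprint "https://$PublicName/owa/"
if ($served -ne $new.Thumbprint) { throw "OWA still serves $served, expected $($new.Thumbprint)" }
Write-Host "OWA serves the new certificate (expires $($new.NotAfter))"
foreach ($c in $oldIis) {
    $now = Get-ExchangeCertificate -Thumbprint $c.Thumbprint
    if (("$($now.Services)" -eq "None") -and (-not $now.IsSelfSigned)) {
        Remove-ExchangeCertificate -Thumbprint $now.Thumbprint -Confirm:$false
    }
}
```

The order differs from the post in one deliberate respect: the old certificate is removed last, after the new one is imported, bound and observed on the wire, so a failed import or a chain problem leaves IIS still serving something rather than nothing. Step 4 restarts MSExchangePOP3 and MSExchangeIMAP4 because Set-PopSettings and Set-ImapSettings are only read at service start.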