Create and Install Exchange certificate with PowerShell

FOR AR2.1 (With ACGV3 notes)

EXCHANGE 2016 CU23

                                                        **** login as Exchange service account ****

1. Generate the Certificate Request

• Submit the Certificate Request

• Download the Approved Certificate
  
  
  • Perform #1, #2 and #3 above using the latest CLO PKI SOP, member server offline cert request sections.

AR2.1_Bare_Build_Server_10_CLO-PKI-Install_SOP_V4.04.docx

NOTE: For MB-002, Select Email and enter “autodiscover.%Shipname%.navy.mil” and “mail.%shipname%.navy.mil” without quotes.

NOTE: For MB-002, make sure Secure Email is added to Selected options along with the other selections.

• Save it in C:\Temp as SHIP-MB-002-FinishedCert.cer after retrieval. You can name the file anything you want; just remember the filename for the next steps.
  
  

• Install New Certificate
  
  
• Run the following command from Exchange Management Shell

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes(‘\\ship-mb-002\c$\Temp\SHIP-MB-002-FinishedCert.cer’)) –PrivateKeyExportable $true -Server SHIP-MB-002 -FriendlyName “SHIP-MB-002.shipname.navy.mil”

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes(‘\\ship-mb-   002\c$\Temp\SHIP-MB-002-FinishedCert.cer’)) –PrivateKeyExportable $true -Server “SHIP-MB-002” -FriendlyName “SHIP-MB-002.shipname.navy.mil”

• Output should look like this. Copy the thumbprint to notepad from the output

Thumbprint                                Services   Subject
—-—-—-–                                —-—-—   —-—-–

0C4C00B76EB7DB236573BF79258888D32C9B753D  …….    xxxxxxxxxxxxx

• Fix the Certificate – No Key Icon (if applicable)

• Run certlm.msc.
• Expand Certificates Personal > Certificates.
• If your new certificate does not have a small key icon, continue with the following steps; otherwise, skip to section 6
• Double-click the certificate, go to Details, and copy the Serial Number to notepad.
• Remove spaces from the serial number.
• Run the following command (replace SerialNumber with your serial number) from Elevated command prompt

certutil -repairstore my “SerialNumber”

• Refresh the certificates view. The certificate should now have a small key icon.

• Assign new certificate to the Exchange Server services
  
  
• Run the following command from Exchange Management Shell

(replace xxxxxxxxxxxx with the thumbprint recorded in step 4)

Enable-ExchangeCertificate -Server “ship-mb-002” -Thumbprint xxxxxxxxxxxxxxxx -Services SMTP, IMAP, IIS, POP

Enable-ExchangeCertificate -Server "ship-mb-002" -Thumbprint xxxxxxxxxxxxxxxxxxxxx -Services SMTP,IMAP,IIS,POP

• After running the cmdlet, press Y and press Enter on the following prompt.

Confirm

Overwrite the existing default SMTP certificate?

Current certificate: xxxxx (expires xxxxxxx)

Replace it with certificate: xxxxx (expires xxxxx)

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

• Verify Assigned Exchange Certificate

• Run the following command from Exchange Management Shell

Get-ExchangeCertificate -Server “ship-mb-002” | Select Thumbprint, Services

Get-ExchangeCertificate -Server "ship-mb-002" | select Thumbprint, Services

Thumbprint         : 0C4C00B76EB7DB236573BF79258888D32C9B753D

Services           : IMAP, IIS, SMTP, POP

• Verify that new certificate (verify by Thumbprint) is assigned to SMTP and IIS services.

•  Verify Certificate Binding in IIS
  
  
• Launch Internet Information Services (IIS) Manager.
  
  
• Verify that the new certificate is bind to the Default Web Site and Exchange backend website, If not, assign them. (refer to Exchange Install SOP Page 61 if needed).
  
  
• Restart IIS from an elevated command prompt by running following command:
  
  

Iisreset

NOTE: YOU MAY HAVE TO Restart some of the IIS dependency   services manually if you get access denied error.

• Verify NEW AND OLD CERTS one more time
  
  
• Run the following command from Exchange Management Shell

Get-exchangecertificate | fl friendlyname,services,*not*,*self*,thumbprint

• Verify new cert has SMTP,IMAP,IIS,POP Services  assigned

•  Verify IIS is no longer listed  under OLD Cert

•   Copy Thumbprint for OLD CERT. You will need it for Step 11

1. OP TEST
   
   
2. Verify ECP site is loading and can  login (https://ship-mb-002.shipname.navy.mil/ecp)
   
   
3. Verify the url is loading with new certificate

1. Remove the Old Certificate
   
   
2. Run the following command from Exchange Management Shell
   
   Remove-ExchangeCertificate -Server SHIP-MB-002 -Thumbprint xxxxxx
   
   
3. Xxxxx represents the thumbprint of old cert recorded in step 9
   
   
4. Ensure the old certificate is no longer listed in the Exchange Admin Center (EAC) and the personal store

1. Final NOTES,  Operational Test and CLEAN UP

• Perform a final operational test to ensure everything is functioning correctly, mail flow, EAC login, etc.
  
  
• If you are doing this on ACGV3, process is the same. Replace all server naming convention, and fqdn to reflect ACGV3 MBs.

• If you are on ACGV3, perform mailbox sever switch over to MB-02 and perform cert install procedures on MB-01  and vice versa. By doing so, it will not interrupt email operation for ship force while you are doing the cert procedures on one MB.

• After all steps are completed for both MBs, put the sever switch over to AUTOMATIC