Wednesday, July 1, 2009

Importing Certificates to Exchange 2007 servers

In my previous blogs (http://khurramullah.wordpress.com/2009/07/01/command-for-generating-csr-for-exchange-servers/ and http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/) i have discussed how we can generate CSR for different exchange roles. Here i will discuss how we can import certificates to different exchange roles. Following is the command for importing certificates;

Import-ExchangeCertificate -Path “c:\path\generated SAN certif_name.cer” –friendlyname “<Certificate Friendly Name>”

After running this command successfully you should be seeing the thumbprint of the new certificate. Copy the full thumbprint value because you will required this in the next commands.

Now you have to enable your certificate for specific services for example for SMTP and Web services.

For enabling CAS server certificates run this command:

Get-exchangecertificate <Thumbprint>| enable-exchangecertificate -services "IIS”

 

For enabling Edge server certificates run this command

Get-exchangecertificate <Thumbprint>| enable-exchangecertificate -services "SMTP”

After running above command run Get-exchangecertificate again for verifying if services are enabled or not.

You can also combine the above 2 commands like this;

Import-ExchangeCertificate -Path “c:\path\generated SAN certif_name.cer” –friendlyname “<Certificate Friendly Name>” | enable-exchangecertificate -services "IIS”

Following are the possible values for services parameter;

  • IMAP
  • POP
  • UM
  • IIS
  • SMTP
  • None

Do not import exchange certificate by normal certificate importing methods (import from certificate MMC Snap in) otherwise certificate will not going to work. Also make sure you have Trusted root CA and Intermediate CA certificates installed in their relevant stores otherwise certificate will have issues.

In case you want to import or apply the same certificate to another Edge or CAS server then you need to perform following addition steps;

1. Open Certificate MMC Snap in on the server for local computer.

2. Go to personal container and locate the certificate which you had just imported.

3. Export this certificate with private key.

5. Copy this certificate on the server where you want to configure this certificate.

6. Run following command on the second server which you want to configure from the same certificate;

Import-ExchangeCertificate -Path c:\path\<certificate file>.pfx –Password:(Get-Credential).password

The Get-Credential cmdlet in the above command pops up a standard username\password dialog box. This is little bit confusing because we don't need a username to get to the keys, just put whatever you want for the username, but put the password that you used when you ran the Export certificate wizard the Certificate Manager snap-in in MMC.

7. Run command Get-ExchangeCertificate to get the thumbprint of this certificate.

8. Run command EnableCertificate –thumbprint <copy the thumbprint> -services “IIS”

9. After running above command run Get-exchangecertificate again for verifying if services are enabled or not.

No comments: