internet:mail:exchange:exchange_ssl

Differences

This shows you the differences between two versions of the page.

internet:mail:exchange:exchange_ssl [2017/12/20 07:51]
gcooper
internet:mail:exchange:exchange_ssl [2022/04/17 14:08] (current)
gcooper
Line 1: Line 1:
 ====== Exchange Server SSL Certificates ====== ====== Exchange Server SSL Certificates ======
 +
 +See also: **http://www.mustbegeek.com/configure-url-redirection-in-exchange-2013/** 
  
 See also: **[[internet:security:ssl_cert_windows|Windows SSL Certificates]]** See also: **[[internet:security:ssl_cert_windows|Windows SSL Certificates]]**
  
-See also: **https://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server/**+**Let's Encrypt**: https://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server
  
 :!: For **Exchange**, you will need a **SAN/UC certificate** supporting multiple host names. :!: For **Exchange**, you will need a **SAN/UC certificate** supporting multiple host names.
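
Review bot: the added mustbegeek "See also" line is a bare plain-''http://'' URL with no label, while the Let's Encrypt line in this same hunk was given a bold label. Give the new link a short label saying it covers URL redirection, so readers of a certificate page know why it is there, and use the ''https://'' form if the site serves it.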
Line 61: Line 63:
 Once the above steps are completed, go through the following virtual directories. Once the above steps are completed, go through the following virtual directories.
  
-In the HTTP Redirect section, remove the following check mark Redirect requests to this destination and Apply the changes.+In the HTTP Redirect section, remove the following check mark ''Redirect requests to this destination'' and Apply the changes.
  
   * aspnet_client   * aspnet_client
Line 79: Line 81:
  
 FIXME Needs verification! Not valid for Exchange 2013. FIXME Needs verification! Not valid for Exchange 2013.
- 
-See also **[[va:va_exchange_hosting|CloudPanel Exchange Hosting Panel]]** 
  
 :!: Change the ''mail.yourdomain.com'' part to match the name in your SSL certificate. :!: Change the ''mail.yourdomain.com'' part to match the name in your SSL certificate.
Line 132: Line 132:
  
 <file> <file>
-Get-ExchangeCertificate | FL+Get-ExchangeCertificate | fl
  
 Test-WebServicesConnectivity | fl Test-WebServicesConnectivity | fl
Line 163: Line 163:
 ==== Install on Exchange 2013  ==== ==== Install on Exchange 2013  ====
  
-  - In Exchange Management Shell+=== In Exchange Management Shell === 
 <file>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "E:\Cert_Location\your_cert_name.pfx" -Encoding byte -ReadCount 0))</file> <file>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "E:\Cert_Location\your_cert_name.pfx" -Encoding byte -ReadCount 0))</file>
-  - Check Cert+ 
 +=== Check Cert === 
 <file>Get-ExchangeCertificate | fl</file> <file>Get-ExchangeCertificate | fl</file>
  
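
Review bot: the ''Import-ExchangeCertificate'' line under the new "In Exchange Management Shell" heading reads a ''.pfx'' file but passes no ''-Password'', so it will not import a password-protected PFX as written. Suggest adding ''-Password (Read-Host "PFX password" -AsSecureString)'' so the password is prompted for rather than written into the example.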
Line 181: Line 184:
   - ''Restart-Service MSExchangeImap4''   - ''Restart-Service MSExchangeImap4''
  
 +==== Receive Connector ====
  
 +https://blog.cpolydorou.net/2018/03/configuring-certificate-on-exchange.html
  
 +<file>
 +Get-ReceiveConnector
 +Get-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" | fl
 +</file>
 +
 +Set the correct SSL certificate used by the Default Frontend (SMTP on port 25) connector:
 +
 +<file>
 +Get-ExchangeCertificate
 +$cert = Get-ExchangeCertificate -Thumbprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 +$cert | fl Thumbprint,Issuer,Subject
 +$tls = "<i>$($cert.Issuer)<s>$($cert.Subject)"
 +Set-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" -TlsCertificateName $tls
 +Get-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" | fl
 +</file>
 +
 +Test from a Linux host:
 +
 +<file>
 +openssl s_client -connect exchange.yourdomain.tld:25 -starttls smtp < /dev/null
 +</file>
 +
 +===== Microsoft Exchange Server Auth Certificate =====
 +
 +Read this entire page first: https://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html
 +
 +==== Exchange Admin Center ====
 +
 +Renew the expired/expiring certificate in EAC:
 +
 +**EAC -> Servers -> Certificates**
 +
 +:!: You will need to **copy the thumbprint of the new MESAC** to be used in the following EMS commands.
 +
 +==== Exchange Management Shell ====
 +
 +:!: Substitute your new thumbprint.
 +
 +<file>
 +Get-AuthConfig
 +
 +$thumb = "1DB0B9BC4195B1F5EDFC4CDED5106B9F4069FFF1"
 +$date = get-date
 +
 +Set-AuthConfig -NewCertificateThumbprint $thumb -NewCertificateEffectiveDate $date
 +
 +Set-AuthConfig -PublishCertificate
 +
 +Set-AuthConfig -ClearPreviousCertificate
 +
 +iisreset
 +</file>
 +
 +:!: If it is still not working properly, you might try rebooting the server.
 +
 +===== Troubleshooting =====
 +
 +Do **not** delete the last self-signed cert.
 +
 +Delete all unused **commercial** certs to avoid confusion as to which cert is being applied where.
 +
 +List all certs and their details:
 +
 +<file>
 +get-exchangecertificate | fl cert*,services,thumb*,subject
 +</file>
 +
 +<file>
 +Import-ExchangeCertificate -Server $ServerName -FileName $CertificateImport
 +Enable-ExchangeCertificate -Thumbprint $certPrint.Thumbprint -Services POP,IMAP,IIS,SMTP -Confirm
 +</file>
 +
 +<file>
 +Enable-ExchangeCertificate -Server '<your-server-name>' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint '<your thumbprint>'
 +</file>
  
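
Review bot: the Troubleshooting block containing ''Import-ExchangeCertificate -Server $ServerName -FileName $CertificateImport'' uses ''$ServerName'', ''$CertificateImport'' and ''$certPrint'' without defining them anywhere in the added text, and the last two ''<file>'' blocks have no introducing sentence, so it is unclear whether they are alternatives or consecutive steps. Define the variables (for example by assigning the import result to ''$certPrint'') or use the quoted-placeholder form of the final block throughout, and add one line saying what each block is for. Separately, the Auth Certificate section hard-codes what looks like a real thumbprint in ''$thumb'' while the Receive Connector section uses an ''XXXX'' placeholder; a placeholder would be consistent there too, since the text already says to substitute your own.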
internet/mail/exchange/exchange_ssl.1513781499.txt.gz · Last modified: 2017/12/20 07:51 by gcooper