This is a place for Systems Administrators and IT Professionals to find and share ideas, solutions and templates. If you have something that helps you solve a problem, chances are it will help someone else too. So pay it forward and send an email to TheAgreeableCow at gmail. Full mudos to you!

Sunday 18 August 2013

Creating SSL certificates for Exchange 2010 Edge servers

I recently moved from an on-premise email security gateway to a cloud service. As such, I had to setup some new Exchange Edge roles and install SSL certificates on them to provide TLS encryption. As there is a limited GUI, all of this needs to be done via powershell. Here is a quick, high level overview of the steps taken.

Generate Cert Request
 $data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=AU, o=IT Dept," -PrivateKeyExportable $true  
 Set-Content -Path "c:\Temp\mailcert.req" -Value $Data  

Submit Request to CA
  • Common name should be the public name eg. 
  • Add in additional 'Subject Alternate Names' for the actual server names eg.

Complete Certificate Request
 Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mail_mydomain_com_au.cer -Encoding Byte -ReadCount 0))  

Note the thumbprint that is shown when successfully imported.

Assign the certificate to SMTP service
 Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP  

Update the intermediate Certs

  • Download and run the Digicert Certificate Utility (, on the edge server.
  • "Repair" the cert if it's showing any missing/misplaced intermediate certificates

Export the certificate (and repeat import on second server)
$file = Export-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD -BinaryEncoded:$true -Password (Get-Credential).password  
Set-Content -Path "c:\Temp\mailcert.pfx" -Value $file.FileData -Encoding Byte  
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mailcert.pfx -Encoding Byte -ReadCount 0)) -Password (Get-Credential).password  
Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP  

Update intermediate cert via Digicert Certificate Utility as above
Complete a synchronisation cycle (on an internal Hub Transport server)

         (oo)  ok
   /------\/  /
  / |    ||
 *  /\---/\
    ^^   ^^

No comments:

Post a Comment