Generate Cert Request
# CN is the public name; -DomainName adds the Subject Alternative Names (public name plus each Edge server's own FQDN).
# -PrivateKeyExportable is needed so the same cert can later be exported to the second Edge server.
$data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=AU, o=IT Dept, cn=mail.mydomain.com.au" -DomainName mail.mydomain.com.au,exchedge1.mydomain.com.au,exchedge2.mydomain.com.au -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path "c:\Temp\mailcert.req" -Value $data
Submit Request to CA
- Common name should be the public name, e.g.
  - mail.mydomain.com.au
- Make sure the request (the -DomainName parameter of New-ExchangeCertificate) carries 'Subject Alternative Names' for the actual server names, e.g.
  - exchedge1.mydomain.com.au
  - exchedge2.mydomain.com.au
Complete Certificate Request
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mail_mydomain_com_au.cer -Encoding Byte -ReadCount 0))
Note the thumbprint shown on a successful import; it is used in every step below (the placeholder ABCD... in the commands is the real 40-hex-character thumbprint).
Assign the certificate to the SMTP service (answer Yes when asked whether to overwrite the existing default SMTP certificate)
Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP
Update the intermediate certs
- Download and run the DigiCert Certificate Utility (https://www.digicert.com/util/) on the Edge server.
- "Repair" the cert if it shows any missing/misplaced intermediate certificates; this installs the missing intermediates into the Local Computer "Intermediate Certification Authorities" store.
- Afterwards the Status shown by Get-ExchangeCertificate for the thumbprint should read Valid; if the chain still does not build, sending hosts will see an incomplete chain on the TLS handshake.
Export the certificate (and repeat the import on the second Edge server)
$file = Export-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD -BinaryEncoded:$true -Password (Get-Credential).password
Set-Content -Path "c:\Temp\mailcert.pfx" -Value $file.FileData -Encoding Byte
The .pfx contains the private key: use a strong password, copy it to the second server over a trusted channel, and delete both copies once the import is done.
On the second Edge server:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mailcert.pfx -Encoding Byte -ReadCount 0)) -Password (Get-Credential).password
Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP
Update the intermediate certs via the DigiCert Certificate Utility as above (the thumbprint is the same on both servers).
Complete a synchronisation cycle (from an internal Hub Transport server, not the Edge), then check the result with Test-EdgeSynchronization
Start-EdgeSynchronization
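The whole procedure above collected into one parameterised script, as an added example that is not code from the original post. It is written for the Exchange Management Shell (Windows PowerShell) on an Edge Transport server and is run one step at a time, because the CA round trip happens between the Request and Import steps. The hostnames (mail.mydomain.com.au, exchedge1/2, the hub server exchhub1.mydomain.com.au), the C:\Temp paths and the file names are assumptions; the Verify step replaces the DigiCert utility check with the Status property that Get-ExchangeCertificate reports, and the PFX handling deletes the private-key file after import.

```powershell
# Added example, not from the original post. Edge Transport certificate rollout in steps.
# Assumed names: mail.mydomain.com.au (public), exchedge1/2 (Edge servers), exchhub1 (internal).
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Request','Import','Export','ImportPfx','Verify','Sync')]
    [string]$Step,
    [string]$PublicName  = 'mail.mydomain.com.au',                                          # assumed
    [string[]]$ServerNames = @('exchedge1.mydomain.com.au','exchedge2.mydomain.com.au'),    # assumed
    [string]$WorkDir     = 'C:\Temp',                                                       # assumed
    [string]$Thumbprint,                       # required for Export and Verify
    [string]$HubServer   = 'exchhub1.mydomain.com.au'                                       # assumed
)

$reqFile = Join-Path $WorkDir 'mailcert.req'
$cerFile = Join-Path $WorkDir 'mail_mydomain_com_au.cer'
$pfxFile = Join-Path $WorkDir 'mailcert.pfx'
$allNames = @($PublicName) + $ServerNames

switch ($Step) {
  'Request' {
    # CN = public name; SANs = public name plus each Edge server's own FQDN. Exportable so it can be
    # moved to the second Edge server later.
    $req = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "c=AU, o=IT Dept, cn=$PublicName" `
        -DomainName $allNames -KeySize 2048 -PrivateKeyExportable $true `
        -FriendlyName "Edge SMTP $PublicName"
    Set-Content -Path $reqFile -Value $req
    Write-Host "CSR written to $reqFile. Submit it to the CA and save the issued cert as $cerFile."
  }
  'Import' {
    # ReadAllBytes works on Windows PowerShell and PowerShell 7 (no -Encoding Byte dependency).
    $cert = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($cerFile))
    # -Force suppresses the "overwrite the existing default SMTP certificate?" prompt.
    $cert | Enable-ExchangeCertificate -Services SMTP -Force
    Write-Host "Imported and enabled for SMTP. Thumbprint: $($cert.Thumbprint)"
  }
  'Export' {
    if (-not $Thumbprint) { throw 'Thumbprint is required for the Export step' }
    # The PFX carries the private key: strong password, trusted copy channel, delete afterwards.
    $pw  = Read-Host -Prompt 'PFX password' -AsSecureString
    $pfx = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded:$true -Password $pw
    [System.IO.File]::WriteAllBytes($pfxFile, $pfx.FileData)
    Write-Host "Exported to $pfxFile. Copy it to the second Edge server and run -Step ImportPfx there, then delete this copy."
  }
  'ImportPfx' {
    $pw   = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($pfxFile)) -Password $pw
    $cert | Enable-ExchangeCertificate -Services SMTP -Force
    Remove-Item $pfxFile -Force      # do not leave the private key lying around in C:\Temp
    Write-Host "Imported on this server. Thumbprint: $($cert.Thumbprint)"
  }
  'Verify' {
    if (-not $Thumbprint) { throw 'Thumbprint is required for the Verify step' }
    # Status is 'Valid' only when the full chain builds on this machine; anything else usually
    # means a missing intermediate in the Local Computer Intermediate CA store (Cert:\LocalMachine\CA).
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $cert | Format-List Thumbprint, Status, RootCAType, Services, CertificateDomains, NotAfter
    if ($cert.Status -ne 'Valid') {
        Write-Warning "Chain does not build (Status=$($cert.Status)). Install the missing intermediate, e.g. 'certutil -addstore CA intermediate.cer' or the DigiCert utility Repair, then re-run Verify."
    }
    # A name that is not in the SAN list will produce a name mismatch for hosts connecting to it.
    foreach ($n in $allNames) {
        if ($cert.CertificateDomains -notcontains $n) { Write-Warning "SAN missing from certificate: $n" }
    }
    if ($cert.Services -notmatch 'SMTP') { Write-Warning 'Certificate is not enabled for SMTP' }
  }
  'Sync' {
    # Run from an internal EMS session; -Server names the Mailbox/Hub server that initiates EdgeSync.
    Start-EdgeSynchronization -Server $HubServer
    Test-EdgeSynchronization | Format-List
  }
}
```

Usage: on the first Edge server run the script with -Step Request, submit the CSR, then -Step Import and -Step Verify -Thumbprint <thumbprint>; run -Step Export -Thumbprint <thumbprint>, copy the PFX, and on the second Edge server run -Step ImportPfx and -Step Verify; finally run -Step Sync from an internal server. Verify is deliberately separate so the chain and SAN check can be repeated after an intermediate is installed without touching the certificate again.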
Cheers,
(__)
(oo) ok
/------\/ /
/ | ||
* /\---/\
^^ ^^