Remove the old certificate: Test services are working with the new certificate.If the certificate is self-signed, it shouldn’t be a concern - you can generate as many self-signed certificates as you want.Įnable-ExchangeCertificate -thumbprint “3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E” -services IIS If it’s a CA-issued certificate, remember to export it with its private key before you remove it, and then import it again and enable it for the Exchange services you need to. Setting the Services parameter to None does not do anything in this case. There’s no way to disable the certificate (for that service). You can enable the certificate for IIS (in addition to any other services it may already be enabled for - it adds to existing values of the certificate’s Services property).īefore you enable a certificate for an Exchange serviceīefore you enable a certificate for a particular Exchange Server service such as IIS (which enables it for all HTTPS services – Outlook Anywhere (RPC over HTTPS), OWA, EAS, and EWS), know that it’s a one-way street. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – IIS is missing. Enable the new certificate for IIS: The old certificate is enabled for IIS, POP, IMAP and SMTP.The new certificate is generated and enabled. Yes Yes to All No No to All Suspend Help Overwrite existing default SMTP certificate, The default SMTP certificate is used to encrypt SMTP sessions between transport servers in your organization. If the existing certificate is being used as the default SMTP certificate, you will get the following prompt. New-ExchangeCertificate -PrivateKeyExportable $true
#Renew exchange 2010 certificate install
If you want to be able to export a certificate with its private key for backup or to install it on another server (although this is generally done only for CA-signed certificates), create the new certificate with an exportable private key by using the PrivateKeyExportable parameter. Get-ExchangeCertificate -thumbprint “C5DD5B60949267AD624618D8492C4C5281FDD10F” | New-ExchangeCertificateĮxporting a certificate with its private key
The good news is that with Exchange 2010, Microsoft raised the validity of Exchange’s self-signed certificates to five years, so most organizations wouldn’t need to renew them frequently. Should you decide to leave the self-signed certificate(s) on some servers and continue to use them, you would need to renew them when they expire - just as you would renew certificates from public or private CAs. See the Certificates and Certification Authorities secton for more info. For most deployments, you will end up purchasng a certificate from a trusted public CA (or perhaps an internal CA in organizations with PKI deployed). Although self-signed certificates work perfectly well for internal SMTP communication between Hub Transport servers, and between Hub Transport and Edge Transport servers, it’s not recommended to use them for any client communication on an ongoing basis. Nevertheless, one should treat these certificates as temporary. This is a great development – it ensures that out of the box, Exchange does not transfer any data in the clear and all communication is encrypted. The self-signed certificate meets an important need – securing communication paths for all Exchange services by default. In Exchange 2007 and later, Exchange Setup creates a self-signed certificate to protect communication with Exchange services such as SMTP, IMAP, POP, OWA, EAS, EWS and UM.Įxchange’s self-signed certificates meet an important need – securing communication paths for all Exchange services by default.
0 kommentar(er)
