Forum Discussion

Shaun Jennings's avatar
Shaun Jennings
Iron Contributor
Jun 19, 2019

Installing a pre-existing wildcard SSL certificate on Exchange 2013

We have existing Exchange 2010 hybrid servers and we have a wildcard certificate that needs to be imported to these exchange servers to update the current wildcard. A CSR was never generated.

 

Is there a process to import the new wildcard onto the Exchange servers and get the right services activated under the new certificate?

  • Hey shaun, absolutely you can import wildcard certs on your exchange boxes without initiating a request, but without the request you will need the password for the pfx format cert. 

     

    This script is written for Exchange 2010 so others viewing this may need to tweak the get-exchangeserver line, but otherwise this should get you to where you are going. Without the pending request, you will just need to know the password for the file, which you can supply in the script below.

     

    Script will

    -prompts you for the password

    -grabs all your cas servers (for ex 2010, on newer versions you may need all exchange servers)

    -imports the cert on each server

    -enables services on each server

     

    Best of luck!

    #########
    #script begin
    <#
    .NOTES

    be sure to set the $servers variable as well as the full filepath to the pfx file on the server from where you are running the command

    #>

    $password = (get-credential).password 

    $servers= get-exchangeserver|?{$_.serverrole -like "*clientaccess*"} 

     

    foreach($server in $servers){

    write-host "importing cert on $($server.name)..." -f yellow

    #import cert request

    $installed= Import-ExchangeCertificate -server $server.fqdn -FileData ([Byte[]]$(Get-Content -Path C:\Users\Admin\Desktop\Wildcard\contoso.com.pfx -Encoding byte -ReadCount 0)) -Password:$password -confirm:$false

     

    #enable services

    Enable-ExchangeCertificate -server $server.name -Thumbprint $installed.thumbprint -service iis,SMTP -confirm:$false
    } #close foreach server

  • Hey shaun, absolutely you can import wildcard certs on your exchange boxes without initiating a request, but without the request you will need the password for the pfx format cert. 

     

    This script is written for Exchange 2010 so others viewing this may need to tweak the get-exchangeserver line, but otherwise this should get you to where you are going. Without the pending request, you will just need to know the password for the file, which you can supply in the script below.

     

    Script will

    -prompts you for the password

    -grabs all your cas servers (for ex 2010, on newer versions you may need all exchange servers)

    -imports the cert on each server

    -enables services on each server

     

    Best of luck!

    #########
    #script begin
    <#
    .NOTES

    be sure to set the $servers variable as well as the full filepath to the pfx file on the server from where you are running the command

    #>

    $password = (get-credential).password 

    $servers= get-exchangeserver|?{$_.serverrole -like "*clientaccess*"} 

     

    foreach($server in $servers){

    write-host "importing cert on $($server.name)..." -f yellow

    #import cert request

    $installed= Import-ExchangeCertificate -server $server.fqdn -FileData ([Byte[]]$(Get-Content -Path C:\Users\Admin\Desktop\Wildcard\contoso.com.pfx -Encoding byte -ReadCount 0)) -Password:$password -confirm:$false

     

    #enable services

    Enable-ExchangeCertificate -server $server.name -Thumbprint $installed.thumbprint -service iis,SMTP -confirm:$false
    } #close foreach server

    • Shaun Jennings's avatar
      Shaun Jennings
      Iron Contributor

      What if there is no password on the certificate? I talked with our server team and they stated that they downloaded the Exchange wildcard certificate and it did not have a password.

      • msExchangeDude's avatar
        msExchangeDude
        Icon for Microsoft rankMicrosoft

        Shaun Jennings -- Greg is right, you will need to go back to your server team to get the private key format of the certificate. A pfx or p12 format certificate is a bundled format certificate that includes the private and public keys (the private requiring a password to import). 

Resources