SOLVED

Installing a pre-existing wildcard SSL certificate on Exchange 2013

%3CLINGO-SUB%20id%3D%22lingo-sub-707345%22%20slang%3D%22en-US%22%3EInstalling%20a%20pre-existing%20wildcard%20SSL%20certificate%20on%20Exchange%202013%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-707345%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20existing%20Exchange%202010%20hybrid%20servers%20and%20we%20have%20a%20wildcard%20certificate%20that%20needs%20to%20be%20imported%20to%20these%20exchange%20servers%20to%20update%20the%20current%20wildcard.%20A%20CSR%20was%20never%20generated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20process%20to%20import%20the%20new%20wildcard%20onto%20the%20Exchange%20servers%20and%20get%20the%20right%20services%20activated%20under%20the%20new%20certificate%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-707345%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2010%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecertificate%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECSR%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ewildcard%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-708149%22%20slang%3D%22en-US%22%3ERe%3A%20Installing%20a%20pre-existing%20wildcard%20SSL%20certificate%20on%20Exchange%202013%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-708149%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20shaun%2C%20absolutely%20you%20can%20import%20wildcard%20certs%20on%20your%20exchange%20boxes%20without%20initiating%20a%20request%2C%20but%20without%20the%20request%20you%20will%20need%20the%20password%20for%20the%20pfx%20format%20cert.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20script%20is%20written%20for%20Exchange%202010%20so%20others%20viewing%20this%20may%20need%20to%20tweak%20the%20get-exchangeserver%20line%2C%20but%20otherwise%20this%20should%20get%20you%20to%20where%20you%20are%20going.%20Without%20the%20pending%20request%2C%20you%20will%20just%20need%20to%20know%20the%20password%20for%20the%20file%2C%20which%20you%20can%20supply%20in%20the%20script%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EScript%20will%3C%2FP%3E%0A%3CP%3E-prompts%20you%20for%20the%20password%3C%2FP%3E%0A%3CP%3E-grabs%20all%20your%20cas%20servers%20(for%20ex%202010%2C%20on%20newer%20versions%20you%20may%20need%20all%20exchange%20servers)%3C%2FP%3E%0A%3CP%3E-imports%20the%20cert%20on%20each%20server%3C%2FP%3E%0A%3CP%3E-enables%20services%20on%20each%20server%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20of%20luck!%3C%2FP%3E%0A%3CP%3E%23%23%23%23%23%23%23%23%23%3CBR%20%2F%3E%23script%20begin%3CBR%20%2F%3E%26lt%3B%23%3CBR%20%2F%3E.NOTES%3C%2FP%3E%0A%3CP%3Ebe%20sure%20to%20set%20the%20%24servers%20variable%20as%20well%20as%20the%20full%20filepath%20to%20the%20pfx%20file%20on%20the%20server%20from%20where%20you%20are%20running%20the%20command%3C%2FP%3E%0A%3CP%3E%23%26gt%3B%3C%2FP%3E%0A%3CP%3E%24password%20%3D%20(get-credential).password%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%24servers%3D%20get-exchangeserver%7C%3F%7B%24_.serverrole%20-like%20%22*clientaccess*%22%7D%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eforeach(%24server%20in%20%24servers)%7B%3C%2FP%3E%0A%3CP%3Ewrite-host%20%22importing%20cert%20on%20%24(%24server.name)...%22%20-f%20yellow%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%23import%20cert%20request%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%24installed%3D%20Import-ExchangeCertificate%20-server%20%24server.fqdn%20-FileData%20(%5BByte%5B%5D%5D%24(Get-Content%20-Path%20C%3A%5CUsers%5CAdmin%5CDesktop%5CWildcard%5Ccontoso.com.pfx%20-Encoding%20byte%20-ReadCount%200))%20-Password%3A%24password%20-confirm%3A%24false%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%23enable%20services%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EEnable-ExchangeCertificate%20-server%20%24server.name%20-Thumbprint%20%24installed.thumbprint%20-service%20iis%2CSMTP%20-confirm%3A%24false%3CBR%20%2F%3E%7D%20%23close%20foreach%20server%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-710505%22%20slang%3D%22en-US%22%3ERe%3A%20Installing%20a%20pre-existing%20wildcard%20SSL%20certificate%20on%20Exchange%202013%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-710505%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20if%20there%20is%20no%20password%20on%20the%20certificate%3F%20I%20talked%20with%20our%20server%20team%20and%20they%20stated%20that%20they%20downloaded%20the%20Exchange%20wildcard%20certificate%20and%20it%20did%20not%20have%20a%20password.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-710976%22%20slang%3D%22en-US%22%3ERe%3A%20Installing%20a%20pre-existing%20wildcard%20SSL%20certificate%20on%20Exchange%202013%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-710976%22%20slang%3D%22en-US%22%3EThey%20didn't%20choose%20to%20export%20the%20private%20key%20with%20the%20cert%20then.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-710999%22%20slang%3D%22en-US%22%3ERe%3A%20Installing%20a%20pre-existing%20wildcard%20SSL%20certificate%20on%20Exchange%202013%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-710999%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F221635%22%20target%3D%22_blank%22%3E%40Shaun%20Jennings%3C%2FA%3E%26nbsp%3B--%20Greg%20is%20right%2C%20you%20will%20need%20to%20go%20back%20to%20your%20server%20team%20to%20get%20the%20private%20key%20format%20of%20the%20certificate.%20A%20pfx%20or%20p12%20format%20certificate%20is%20a%20bundled%20format%20certificate%20that%20includes%20the%20private%20and%20public%20keys%20(the%20private%20requiring%20a%20password%20to%20import).%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-736626%22%20slang%3D%22en-US%22%3ERe%3A%20Installing%20a%20pre-existing%20wildcard%20SSL%20certificate%20on%20Exchange%202013%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-736626%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F325860%22%20target%3D%22_blank%22%3E%40msExchangeDude%3C%2FA%3EThank%20you%20for%20the%20assistance.%20The%20script%20worked%20flawlessly.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

We have existing Exchange 2010 hybrid servers and we have a wildcard certificate that needs to be imported to these exchange servers to update the current wildcard. A CSR was never generated.

 

Is there a process to import the new wildcard onto the Exchange servers and get the right services activated under the new certificate?

5 Replies
Highlighted
Best Response confirmed by Shaun Jennings (Contributor)
Solution

Hey shaun, absolutely you can import wildcard certs on your exchange boxes without initiating a request, but without the request you will need the password for the pfx format cert. 

 

This script is written for Exchange 2010 so others viewing this may need to tweak the get-exchangeserver line, but otherwise this should get you to where you are going. Without the pending request, you will just need to know the password for the file, which you can supply in the script below.

 

Script will

-prompts you for the password

-grabs all your cas servers (for ex 2010, on newer versions you may need all exchange servers)

-imports the cert on each server

-enables services on each server

 

Best of luck!

#########
#script begin
<#
.NOTES

be sure to set the $servers variable as well as the full filepath to the pfx file on the server from where you are running the command

#>

$password = (get-credential).password 

$servers= get-exchangeserver|?{$_.serverrole -like "*clientaccess*"} 

 

foreach($server in $servers){

write-host "importing cert on $($server.name)..." -f yellow

#import cert request

$installed= Import-ExchangeCertificate -server $server.fqdn -FileData ([Byte[]]$(Get-Content -Path C:\Users\Admin\Desktop\Wildcard\contoso.com.pfx -Encoding byte -ReadCount 0)) -Password:$password -confirm:$false

 

#enable services

Enable-ExchangeCertificate -server $server.name -Thumbprint $installed.thumbprint -service iis,SMTP -confirm:$false
} #close foreach server

Highlighted

What if there is no password on the certificate? I talked with our server team and they stated that they downloaded the Exchange wildcard certificate and it did not have a password.

Highlighted
They didn't choose to export the private key with the cert then.
Highlighted

@Shaun Jennings -- Greg is right, you will need to go back to your server team to get the private key format of the certificate. A pfx or p12 format certificate is a bundled format certificate that includes the private and public keys (the private requiring a password to import). 

Highlighted

@msExchangeDudeThank you for the assistance. The script worked flawlessly.