Creating or Renewing a Client Access Server Certificate

 
Whether you have a large environment or a small one, you will likely have to renew your Client Access Server (CAS) certificates someday. If it is a lab you may be doing this a lot; in production maybe every year or two. But if you are anything like me, and I know I am, then you may be lazy and like to script everything out. Not only does this help to make sure you are consistent, but who knows if you will remember how to renew your CAS certs in a few years.
 

Start by opening EMS (Exchange Management Shell). Run the following commands, substituting the correct information for your environment.

$Request = New-ExchangeCertificate -FriendlyName 'Exchange2010Webmail' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=US,S="Pennsylvania",L="Philadelphia",O="My Test Lab",OU=".",CN=webmail.mydomain.com' -DomainName 'webmail.mydomain.com','autodiscover.mydomain.com','cas-site1.mydomain.com','cas-site2.mydomain.com' -Server 'exchlabcas01'
 
Change the friendly name to whatever makes sense to you. Verify that the subject alternative names are correct for your environment and that you do not need to add or remove any. In this example all the CAS servers are part of two CAS arrays, CAS-site1 and CAS-site2; to simplify, we will use the same certificate on all the servers, utilizing Subject Alternative Names (SANs). This creates the certificate request on the server specified with -Server (in this case exchlabcas01) and assigns it to the $Request variable. Then create the certificate request file to be submitted to an offline CA:
 
Set-Content c:\cert\CertRequest.csr $Request
 
This command writes the content of $Request to the file c:\cert\CertRequest.csr. Make sure you take note of where you write the .CSR (certificate request file) to, as you will need to send this file to your issuing CA.
 
Once you have received the response from the certificate authority, you will need to accept the certificate on the server it was requested from. In the example above it was requested from EXCHLABCAS01. Save the response to a file, c:\cert\CertResponce.p7b (your file extension may be different), and import it:
 
Import-ExchangeCertificate -Server 'EXCHLABCAS01' -FileData ([Byte[]]$(Get-Content -Path c:\cert\CertResponce.p7b -Encoding byte -ReadCount 0))
 
Verify the cert is successfully loaded, the private key is present, and all the SANs are on it, via the Certificates MMC snap-in on the server. Then export the cert for backup and so we can load it on the rest of the CAS servers. To do this we will need the thumbprint of the new certificate:
 
Get-ExchangeCertificate -Server EXCHLABCAS01 | fl
 
Locate the new cert and copy its thumbprint:
 
$export = Export-ExchangeCertificate -Server 'EXCHLABCAS01' -Thumbprint '2E56B16F75371A1E79C540289BF714BB70988DF4' -Password (Get-Credential).password
 
When prompted, the username can be anything except blank. The password is used for securing the certificate; it will be needed to import the certificate with its private key on another server later on.
 
Set-Content -Path "c:\cert\CertExport.pfx" -Value $export.FileData -Encoding Byte
 
This exports the cert to c:\cert\CertExport.pfx, protected with the password specified earlier.

Importing the cert to other servers: you can import the cert to a single server for testing. In this example the server we are importing it into is EXCHLABCAS02.
 
Import-ExchangeCertificate -Server 'EXCHLABCAS02' -FileData ([Byte[]]$(Get-Content -Path c:\cert\CertExport.pfx -Encoding byte -ReadCount 0)) -Password (Get-Credential).password -PrivateKeyExportable $true
 
When prompted for the password again, the username does not matter (but cannot be blank); put in the certificate password that was set earlier. If you have several CAS servers to import the certificate to, save the cert password to a variable and then import the cert to a list of servers:
 
$password = Get-Credential 
 
Again the username does not matter, but the password must match the certificate's password. Now you will likely want to get this certificate on all your CAS servers:
 
Get-ClientAccessServer |%{ Import-ExchangeCertificate -Server $_.name -FileData ([Byte[]]$(Get-Content -Path c:\cert\CertExport.pfx -Encoding byte -ReadCount 0)) -Password $password.password -PrivateKeyExportable $true}
 
Once the certificate has been loaded on all the servers, activate it for IIS (start with a single server for testing):
 
Enable-ExchangeCertificate -Server 'EXCHLABCAS02' -Services 'IIS' -Thumbprint '2E56B16F75371A1E79C540289BF714BB70988DF4'
 
The thumbprint is the same one we queried for above; again, you will need to change it to the correct value for your environment. After testing we can assign the new cert to all CAS servers:
 
Get-ClientAccessServer|%{Enable-ExchangeCertificate -Server $_.name -Services 'IIS' -Thumbprint '2E56B16F75371A1E79C540289BF714BB70988DF4'}
 
You can verify the cert on a server with the following command:
 
Get-ExchangeCertificate -Server EXCHLABCAS02 -Thumbprint 2E56B16F75371A1E79C540289BF714BB70988DF4 | fl *
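Since the whole point is to script this out, here is the import, check and enable steps above rolled into one script. This is an added example written for this post, not code from the original post or from Microsoft; it assumes Exchange 2010 EMS, the PFX exported as above at c:\cert\CertExport.pfx, and that you replace the thumbprint and SAN list with your own. The extra piece it adds is a pre-flight check (Test-CasCertificate, a name made up here) on every CAS before anything is enabled for IIS: the cert must be present with its private key, not self-signed, cover every required SAN, and have at least $MinDaysLeft days of validity. If any server fails, nothing is switched over, so a half-deployed cert never ends up live.

```powershell
# Added example, not from the original post. Assumes Exchange 2010 EMS and the
# PFX exported earlier. Replace $Thumbprint and $RequiredSan with your own values.
$PfxPath     = 'c:\cert\CertExport.pfx'
$Thumbprint  = '2E56B16F75371A1E79C540289BF714BB70988DF4'   # value from the post; replace
$RequiredSan = @('webmail.mydomain.com', 'autodiscover.mydomain.com',
                 'cas-site1.mydomain.com', 'cas-site2.mydomain.com')
$MinDaysLeft = 30

# Username is ignored by Import-ExchangeCertificate (but cannot be blank); only the password matters.
$PfxCred  = Get-Credential
$FileData = [Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)

# Hypothetical helper: returns $null when the cert on $Server passes every check,
# otherwise a semicolon-separated list of problems.
function Test-CasCertificate {
    param([string]$Server, [string]$Thumbprint, [string[]]$RequiredSan, [int]$MinDaysLeft)

    $cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    if (-not $cert) { return 'certificate not present' }

    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($cert.IsSelfSigned)       { $problems += 'self-signed' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) {
        $problems += ('expires {0:yyyy-MM-dd}' -f $cert.NotAfter)
    }

    # CertificateDomains holds domain objects; compare as lower-case strings.
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($RequiredSan | ForEach-Object { $_.ToLower() } | Where-Object { $domains -notcontains $_ })
    if ($missing.Count -gt 0) { $problems += ('missing SAN: ' + ($missing -join ', ')) }

    if ($problems.Count -eq 0) { return $null }
    return ($problems -join '; ')
}

$servers = @(Get-ClientAccessServer | ForEach-Object { $_.Name })
$failed  = @()

foreach ($s in $servers) {
    # Import only where the cert is not already in the store (it already exists on the
    # server the request was generated on, and a second import would error out).
    if (-not (Get-ExchangeCertificate -Server $s -Thumbprint $Thumbprint -ErrorAction SilentlyContinue)) {
        Import-ExchangeCertificate -Server $s -FileData $FileData -Password $PfxCred.Password -PrivateKeyExportable $true | Out-Null
    }

    $result = Test-CasCertificate -Server $s -Thumbprint $Thumbprint -RequiredSan $RequiredSan -MinDaysLeft $MinDaysLeft
    if ($result) {
        Write-Warning ('{0}: {1}' -f $s, $result)
        $failed += $s
    } else {
        Write-Host ('{0}: certificate OK' -f $s)
    }
}

if ($failed.Count -gt 0) {
    Write-Warning ('Not enabling for IIS; fix these servers first: ' + ($failed -join ', '))
} else {
    foreach ($s in $servers) {
        Enable-ExchangeCertificate -Server $s -Services 'IIS' -Thumbprint $Thumbprint -Confirm:$false
    }
    # Final verification: Services should now include IIS on every CAS.
    foreach ($s in $servers) {
        $c = Get-ExchangeCertificate -Server $s -Thumbprint $Thumbprint
        '{0}: services={1} expires={2:yyyy-MM-dd}' -f $s, $c.Services, $c.NotAfter
    }
}
```

Run it from EMS on any server after the PFX has been exported. The PFX contains the private key, so once every CAS has it, move or delete c:\cert\CertExport.pfx and keep the backup copy somewhere with restricted access; anyone who can read that file and knows the password can impersonate your webmail name.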

That's all there is to it; whether you are updating 2 servers or 26 servers, it can all be done with the commands above. Feel free to let me know if you have any questions.
