When updating the certificate you need to complete this in four places, as follows:
1) Install the new PFX certificate on every Exchange server
2) Hybrid Wizard, which simply requires a re-run choosing the new certificate
3) Send Connectors on "local" (on-premises) Exchange
4) Check your new certificate is active
Before you begin check mail flow for external connectors using this command:
Get-MailboxServer | Get-Queue -Exclude Internal
Every queue should show a MessageCount of zero before you start, so that anything that backs up later is clearly the result of the certificate change.
How to install the new PFX certificate?
Once you have the certificate in PFX format you can follow this section. In my example I needed to create a CSR (certificate signing request), which was then signed by our "external" certification provider.
Note: remember that when you create a CSR the private key, the one you need to make the certificate usable, is stored on the server that generated the CSR. You cannot bind services to a certificate that has no private key; if you do they will fail at the TLS negotiation stage. Exporting the certificate to PFX from the server that generated the CSR is what carries the private key to the other servers.
One simple command tells you which servers need the certificate:
Get-SendConnector | fl Name,SourceTransportServers
This will give you the following; the servers listed here are the ones that require the certificate, as they will be the ones sending mail over TLS.....
Name : Mail to WWW
SourceTransportServers : {mailserver1, mailserver2, mailserveredge, mailserversmtp, mailserverinternal}
Name : Mail to Office 365
SourceTransportServers : {mailserver1, mailserver2, mailserveredge, mailserversmtp, mailserverrouting}
All the servers listed require the certificate. Because the source servers can be changed later in the GUI or in PowerShell using Set-SendConnector, I would install the certificate on all your Exchange servers: a server that does not have the certificate cannot send mail using it :)
So first you need to install the certificate. If you have only a couple of servers do this on each one:
Enter-PSSession -ComputerName mailserver1
$password = "securepassword" | ConvertTo-SecureString -AsPlainText -Force
# Note: inside a remote session a UNC path needs credential delegation (the "double hop"); if the
# import fails with access denied, copy the PFX to a local path on the server first.
Import-PfxCertificate -Exportable -Password $password -CertStoreLocation Cert:\LocalMachine\My -FilePath "\\sslcerts\PFX\cert.pfx"
Exit-PSSession
If you have lots of servers you can use this to accomplish the same thing; obviously you will need to customise the TXT file of your servers (one server name per line). Enter-PSSession is interactive only and does nothing useful inside a script, so the loop uses Invoke-Command, and the PFX is copied to each server first because a remote session cannot open the UNC share without credential delegation (the "double hop"). The certificate must land in Cert:\LocalMachine\My, the computer's personal store, or Exchange will not see it:
$computers = Get-Content C:\temp\servers.txt
$password = "securepassword" | ConvertTo-SecureString -AsPlainText -Force
ForEach ($remoteSystem in $computers) {
    # Assumes the C$ admin share is reachable; adjust the staging path to suit
    Copy-Item "\\sslcerts\PFX\cert.pfx" -Destination "\\$remoteSystem\C$\Temp\cert.pfx"
    Invoke-Command -ComputerName $remoteSystem -ArgumentList $password -ScriptBlock {
        param($pw)
        # Commands in this block execute remotely
        Import-PfxCertificate -Exportable -Password $pw -CertStoreLocation Cert:\LocalMachine\My -FilePath C:\Temp\cert.pfx
        Remove-Item C:\Temp\cert.pfx   # do not leave the private key lying around
    }
}
The output you want looks like this (note the LocalMachine\My path):
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
8452EB0AD2011DDB0977BD40C5FB8BD02BE0E010  CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB
NOTE: please set complex passwords on your PFX files. They contain your private key, and the private key is not something you want out in the wild, so even if the share is internal PLEASE set a strong password, and delete the PFX once you are done!
Enable the Certificate
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
You will be asked whether to overwrite the existing default SMTP certificate; answering Yes makes the new certificate the default for SMTP on that server.
You need to enable the certificate on all servers, so you can run this once per server from a single shell:
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP -Server mailserver1
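The install-and-enable steps above, rolled into one loop that also checks the certificate is actually present with its private key and not close to expiry before enabling it. This is an added example, not the original post's script; the thumbprint is the one shown earlier on this page and the server list is read from the same TXT file:

```powershell
# Added example: enable the new certificate for SMTP on every Exchange server and verify it.
# Run from the Exchange Management Shell. Assumptions: the PFX has already been imported on
# each server, C:\temp\servers.txt lists one server per line, thumbprint as shown on this page.
$Thumbprint = '8452EB0AD2011DDB0977BD40C5FB8BD02BE0E010'
$servers    = Get-Content C:\temp\servers.txt

foreach ($server in $servers) {
    $cert = Get-ExchangeCertificate -Server $server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$server : certificate $Thumbprint is not installed - import the PFX there first"
        continue
    }
    if (-not $cert.HasPrivateKey) {
        # A certificate without its private key will fail TLS negotiation; do not enable it
        Write-Warning "$server : certificate $Thumbprint has no private key - re-export the PFX with the key"
        continue
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
        Write-Warning "$server : certificate expires $($cert.NotAfter) - is this really the new one?"
    }
    if ("$($cert.Services)" -notmatch 'SMTP') {
        # -Force suppresses the "overwrite the existing default SMTP certificate?" prompt (answers Yes)
        Enable-ExchangeCertificate -Server $server -Thumbprint $Thumbprint -Services SMTP -Force
    }
    # Show the end state per server: Services should now include SMTP
    Get-ExchangeCertificate -Server $server -Thumbprint $Thumbprint |
        Select-Object @{ n = 'Server'; e = { $server } }, Thumbprint, Services, NotAfter, HasPrivateKey
}
```

Drop -Force if you want to decide per server whether the new certificate becomes the default SMTP certificate; you will then get the prompt each time.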
Hybrid Wizard
Note : Ensure you get the latest version of Hybrid Configuration wizard, as your login to EXO will not work with the older versions, to get the latest version visit > http://aka.ms/hybridWizard
This is a GUI, so no instructions are really required; it is very obvious what you need to do if you are an Exchange Administrator. If you are not an Exchange Administrator then please do not run this tool. The point of the re-run is simply to choose the new certificate when the wizard asks which certificate to use for secure mail transport.
If you must look at screenshots you can do so by using these websites:
https://www.codetwo.com/admins-blog/office-365-hybrid-configuration-wizard-step-by-step/
https://www.azure365pro.com/office-365-hybrid-configuration-wizard-step-by-step/
Or you can use this Google search:
https://www.google.com/search?q=reconfigure+hybrid+wizard+step+by+step
Send Connectors - PowerShell magic
This is the simple one, as it is all PowerShell so your margin for error is low, but you do need some groundwork before you start.
First you need to know which Send Connectors have TLS required as these are the ones you will need to update, this is done with this command:
Get-SendConnector | fl Name,RequireTLS
This will return something like this (names changed, for the security-minded among you):
Name : Mail to the WWW
RequireTLS : True
Name : Internal Mail
RequireTLS : False
Name : Mail to Office 365
RequireTLS : True
We only care about the ones where RequireTLS is True; the others you can ignore, as they are not affected by the certificate update because they do not use TLS.
Then to get the certificate used you will need this command:
Get-SendConnector | fl Name,TlsCertificateName
This will return the following. The value is a single string in the form <I>issuer<S>subject (it wraps in the shell, but it is one line):
Name : Mail to WWW
TlsCertificateName : <I>CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US<S>CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB
Name : Mail to Office 365
TlsCertificateName : <I>CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US<S>CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB
Get-ExchangeCertificate -Server mailserver1
This returns all the certificates on that server, but I have filtered for the one we require only. As you can see there are two here, the new one and the old one, with the same subject but different thumbprints and expiry dates.....
Now you need to update the Send Connectors with the new certificate. This is simple from this point: build the <I>issuer<S>subject string from the new certificate and apply it to each TLS-required connector with Set-SendConnector -TlsCertificateName, then check the result with:
Get-ExchangeCertificate -Server mailserver1
It should now look like this:
Do not worry about the "S" (SMTP) still showing in the Services column for the old certificate. Enabling SMTP on the new certificate does not strip it from the old one, and you will be deleting the old one soon anyway; if you are not sure, back it up first :)
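The connector update step, written out as an added example (this is not the original post's command, which it does not show). It derives TlsCertificateName from the new certificate exactly the way Get-SendConnector displays it, so you do not hand-type a 200-character distinguished name, and it runs with -WhatIf first so you can see what would change. The thumbprint is the one from this page:

```powershell
# Added example: point every TLS-required Send Connector at the new certificate.
# Assumptions: run from the Exchange Management Shell; thumbprint as shown on this page.
$Thumbprint = '8452EB0AD2011DDB0977BD40C5FB8BD02BE0E010'

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server" }
if ("$($cert.Services)" -notmatch 'SMTP') { throw "Certificate $Thumbprint is not enabled for SMTP yet" }

# TlsCertificateName is the string "<I>issuer<S>subject", the same form Get-SendConnector prints
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Write-Host "New TlsCertificateName: $tlsName"

# Only connectors that require TLS matter; skip any already pointing at the new certificate
$toUpdate = Get-SendConnector | Where-Object {
    $_.RequireTLS -and ("$($_.TlsCertificateName)" -ne $tlsName)
}

foreach ($connector in $toUpdate) {
    Write-Host "Updating '$($connector.Name)' (was: $($connector.TlsCertificateName))"
    # Remove -WhatIf once the dry run shows only the connectors you expect
    Set-SendConnector -Identity $connector.Identity -TlsCertificateName $tlsName -WhatIf
}

# Verify: every RequireTLS connector should now show the new subject/issuer string
Get-SendConnector | Where-Object { $_.RequireTLS } | Format-List Name, TlsCertificateName
```

Note that the old and new certificates on this page share the same subject and issuer, so the TlsCertificateName string looks identical before and after; Exchange resolves it to whichever matching certificate is valid and enabled for SMTP, which is why enabling the new certificate and removing the old one are the steps that actually matter. Re-running the Hybrid Wizard (step 2) stamps the same value on the inbound Receive Connector it manages; this example only covers the outbound side.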
Get-MailboxServer | Get-Queue -Exclude Internal
You need to ensure all your queues end up on "zero" again. If they have messages in them the Status needs to be "Active" and not "Retry"; if you see Retry and the message count continually climbs, you have done something wrong or skipped a step, and the queue's LastError property will tell you why (a TLS negotiation failure here almost always means a server is using a certificate without its private key, or a connector still points at a certificate that is not enabled for SMTP).
Check your new certificate is active. If you miss this step all of the above is for nothing, as whatever sits in front of Exchange will still present the expired certificate. In my example we had an appliance that managed the SSL with the older certificate; I found this using one of the many websites you can use to check SSL certificates, the one I use being:
https://www.ssllabs.com/ssltest/
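SSL Labs tests the HTTPS endpoint on port 443. What the Send Connectors and your partners actually see is the certificate offered on port 25 after STARTTLS, and if an appliance or load balancer terminates TLS in front of Exchange that can be a different certificate from the one you just installed. The following is an added example, not part of the original post: it speaks just enough SMTP to issue STARTTLS, then reports the certificate the server presents. The host name is the one from the certificate on this page and the EHLO name is an assumed placeholder:

```powershell
# Added example: report the certificate an SMTP server presents after STARTTLS.
# Works from any Windows box with PowerShell 5.1+ and port 25 (or 587) reachable.
function Test-SmtpStartTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. mailflow.a6n.co.uk (name taken from this page)
        [int]$Port = 25,
        [string]$ExpectedThumbprint,               # thumbprint of the certificate you expect to see
        [string]$HeloName = 'certcheck.example'    # assumed client name used in EHLO
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $net    = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($net)
        $writer = New-Object System.IO.StreamWriter($net)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        # SMTP multi-line replies use "250-" on continuation lines and "250 " on the last one
        $readReply = { $lines = @(); do { $l = $reader.ReadLine(); $lines += $l } while ($l -match '^\d{3}-'); $lines }

        $banner = & $readReply
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner -join ' | ')" }

        $writer.WriteLine("EHLO $HeloName")
        $ehlo = & $readReply
        if (-not ($ehlo -match '^250[- ]STARTTLS')) { throw "$HostName does not advertise STARTTLS" }

        $writer.WriteLine('STARTTLS')
        $go = & $readReply
        if ($go[-1] -notmatch '^220') { throw "STARTTLS refused: $($go[-1])" }

        # Accept any certificate in the validation callback: the point is to inspect it, not to trust it
        $ssl = New-Object System.Net.Security.SslStream($net, $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        $result = [pscustomobject]@{
            Host       = "$HostName`:$Port"
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Matches    = (-not $ExpectedThumbprint) -or ($cert.Thumbprint -eq $ExpectedThumbprint)
            Protocol   = $ssl.SslProtocol
        }

        # Say goodbye over the now-encrypted channel
        $tlsWriter = New-Object System.IO.StreamWriter($ssl)
        $tlsWriter.NewLine = "`r`n"
        $tlsWriter.WriteLine('QUIT')
        $tlsWriter.Flush()
        $result
    }
    finally { $client.Close() }
}

# Usage (thumbprint from this page):
# Test-SmtpStartTlsCertificate -HostName mailflow.a6n.co.uk -ExpectedThumbprint 8452EB0AD2011DDB0977BD40C5FB8BD02BE0E010
```

Run it against the public MX name from outside your network and against each Exchange server by name from inside. If the outside result shows the old thumbprint while the inside ones show the new, the expired certificate is on whatever sits in between, exactly the appliance situation described above.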