You may receive an alert from your monitoring system that a certificate is going to expire in a couple of days. In that case you must renew the certificate before it crosses its expiry date. Renewing a certificate is a very straightforward process, the same as assigning it the first time.
Here, I am using a local (internal) PKI CA to renew the certificate.
1. Alarm
If you check Event Viewer on the server whose certificate is going to expire, you will see the log entry below.
————————————-
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 3/24/2011
Time: 12:04:07 PM
User: N/A
Computer: ABCFE01
Description:
The STARTTLS certificate will expire soon: subject: abcfe01.abc.com, hours remaining: E87B5D0BD9E5108BCAA8DBE1B3437E93B781BF4C. Run the New-ExchangeCertificate cmdlet to create a new certificate.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
——————————————
2. Generate a new certificate request
To generate a new certificate on an Exchange 2007 server, first collect the SAN (DNS) names from the existing certificate. To do so you can open OWA in a browser and view the certificate details, or open the Certificates MMC snap-in and click the existing certificate.
Example:
DNS Name=abcfe01
DNS Name=abcfe01.abc.com
DNS Name=autodiscover.abc.com
DNS Name=mail.abc.com
Now log in to the FE server, open the Exchange Management Shell (EMS) and run the cmdlet below to generate the request (one line; include every SAN name from the existing certificate):
New-ExchangeCertificate -GenerateRequest -SubjectName "E=admin@abc.com,CN=abcfe01,OU=exchange,O=ABC,L=DH,S=India" -DomainName abcfe01,abcfe01.abc.com,autodiscover.abc.com,mail.abc.com -PrivateKeyExportable $true -Path c:\certrequest.txt
3. Generate the certificate in the PKI CA console
Now log in to your internal PKI CA console and issue a certificate from the request file "certrequest.txt". Generate the certificate and save it (for example as certnew.cer).
Note: there must be no leading or trailing spaces when you paste the request content into the console.
4. Import the certificate
Log in to the Exchange 2007 server abcfe01 and open EMS. Run the cmdlets below to import the certificate and enable the required services.
Import-ExchangeCertificate -Path c:\certnew.cer
Enable-ExchangeCertificate -Services IIS,SMTP,IMAP,POP -Thumbprint <thumbprint of the new certificate, without quotes>
By default the IMAP and POP services are already enabled on a certificate; if needed, you can enable them again.
It will ask whether to overwrite the existing default SMTP certificate; select "Yes".
Once the certificate is imported and the services are assigned, verify it through OWA (for IIS) and test mail flow (for SMTP). You can also check Event Viewer, where the entry below confirms that the transport service picked up the new configuration.
—————————————————————
Event Type: Information
Event Source: MSExchangeTransport
Event Category: Configuration
Event ID: 16002
Date: 3/30/2011
Time: 10:30:07 AM
User: N/A
Computer: abcfe01
Description:
The new transport server configuration has been read and components have been notified.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
———————————————————————–
5. Delete the old certificate
After everything is working fine you can go ahead and delete the old certificate (make sure you have selected the correct thumbprint, i.e. the old one, not the new one).
Run the cmdlet below:
Remove-ExchangeCertificate -Thumbprint <thumbprint of the old certificate>
You have now renewed your certificate through the internal PKI CA.
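The five steps above, put together as an EMS script; this is an added example, not part of the original post. It assumes it runs in the Exchange 2007 Management Shell on the FE server, and $RenewDays, the file paths and the function names are placeholders.

```powershell
# Added example (not from the original post). Assumptions: run in EMS on the
# Exchange 2007 FE server; $RenewDays, file paths and function names are placeholders.
$RenewDays = 30

function Get-ExpiringExchangeCert {
    # Step 1 (alarm): the service-bound certificate that expires soonest within the window
    Get-ExchangeCertificate |
        Where-Object { $_.Services -ne 'None' -and $_.NotAfter -lt (Get-Date).AddDays($RenewDays) } |
        Sort-Object NotAfter | Select-Object -First 1
}

function New-RenewalRequest {
    # Step 2 (request): reuse the old certificate's subject and SAN list so no name is dropped
    param($OldCert, $RequestPath = 'c:\certrequest.txt')
    $sans = @($OldCert.CertificateDomains | ForEach-Object { $_.ToString() })
    Write-Host ("Renewing {0} (expires {1}) with SANs: {2}" -f $OldCert.Thumbprint, $OldCert.NotAfter, ($sans -join ','))
    New-ExchangeCertificate -GenerateRequest -SubjectName $OldCert.Subject -DomainName $sans `
        -PrivateKeyExportable $true -Path $RequestPath
    # Step 3 (CA) happens outside this script: submit $RequestPath to the internal CA and save certnew.cer
}

function Complete-Renewal {
    # Steps 4 and 5: import, bind services, verify the binding, and only then remove the old certificate
    param($OldThumbprint, $CertPath = 'c:\certnew.cer')
    $new = Import-ExchangeCertificate -Path $CertPath
    # Prompts to overwrite the existing default SMTP certificate; answer Yes as in the post
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP,IMAP,POP
    $bound = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ($bound.Services -notmatch 'IIS' -or $bound.Services -notmatch 'SMTP') {
        throw "New certificate $($new.Thumbprint) is not bound to IIS/SMTP; old certificate kept"
    }
    if ($OldThumbprint -eq $new.Thumbprint) { throw 'Old and new thumbprints match; refusing to remove' }
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint
    Write-Host "Renewed: $OldThumbprint -> $($new.Thumbprint)"
}

# Usage:
#   $old = Get-ExpiringExchangeCert; New-RenewalRequest -OldCert $old
#   ...after the CA has issued certnew.cer...
#   Complete-Renewal -OldThumbprint $old.Thumbprint
```

The guard in Complete-Renewal is the point of the script: it refuses to remove anything until the new thumbprint actually carries IIS and SMTP, which is the mistake the post's "make sure you have selected correct thumbprint" warning is about.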
I like that site layout! How was it made? It's really good!
Thanks for your comment. It's very simple: just create a new blog on WordPress and select the INove by NeoEase format.
Hi there, You’ve done a great job. I’ll certainly digg it and personally recommend to
my friends. I am sure they’ll be benefited from this site.
Glad to see it helped you :). Keep visiting and rocking !!!
Just wish to say your article is as surprising. The clarity for your submit is simply excellent and I can suppose you're an expert on this subject. Well, with your permission allow me to snatch your RSS feed to stay updated with drawing close post. Thank you one million and please keep up the enjoyable work.
Thanks Cairns !!! 🙂 🙂
After looking over a handful of the blog articles on your blog, I honestly like your
technique of writing a blog. I saved it to my bookmark site list and
will be checking back in the near future. Take a look at my website too and let me know your opinion.
Hello to all, since I am truly eager of reading this webpage’s post to be updated daily. It includes pleasant information.
Hello there, just became alert to your blog through Google, and found that it's really informative. I'm gonna watch out for Brussels.
I will be grateful if you continue this in future. Numerous people will be benefited from your writing.
Cheers!