Install a certificate on Microsoft Exchange 2010 / 2013

1- Preparation

To install the certificate in Exchange 2010 / 2013:
  • If you used the wizard to generate your certificate request, use the wizard to import the certificate (in the Exchange Management Console, at the Server Organization root, choose Import Exchange Certificate).
  • If you used the Exchange Management Shell, run the Import-ExchangeCertificate cmdlet (do not use the MMC!).
In both cases you need to import the .p7b file, so that the certificate and the entire certification chain are installed, not only the final certificate. You'll find this file in the delivery email under the name "installation overall file". It is also available on your status page by clicking on the button "See the certificate" in PKCS7 format.

2- Import through the shell

Import-ExchangeCertificate -Path c:\p7-0123456789-12345.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

One of our customers, running Exchange 2010 SP1, informs us that the command line above did not work. He used this one instead:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\p7-xxxxxxxxx-yyyy.p7b -Encoding byte -ReadCount 0))
(The -Path parameter of Import-ExchangeCertificate belongs to Exchange 2007; Exchange 2010 expects the file contents through -FileData, and Exchange 2013 also accepts -FileName.)

In Exchange: manual activation of an already installed certificate

Should an import error occur, or after importing the certificate manually via the MMC, you will have to activate the certificate and bind the Exchange services to it:

  • 1) Get the "Thumbprint" of your certificate with the command:
     Get-ExchangeCertificate -DomainName "mondomainprincipal.fr"
     Copy/paste the "Thumbprint" value.

     If you see your certificate's name several times, add " | fl " at the end of the command and find the latest certificate by comparing the expiration dates or the serial numbers (your certificate's serial number is shown on its status page):
     Get-ExchangeCertificate -DomainName "mymaindomain.com" | fl


  • 2) Then activate your certificate:
     Enable-ExchangeCertificate

     cmdlet Enable-ExchangeCertificate at command pipeline position 1
     Supply values for the following parameters:
     Services: SMTP,IIS,IMAP,POP
     Thumbprint: CE20B70F780CDFD72878F5496931F1A8AF1798A2

     Confirm
     Overwrite existing default SMTP certificate,
     '43B7977C504C7A84422CB815065E1DE34D52CBD3' (expires 12/04/2015 12:42:43)
     with certificate,
     'CE20B70F780CDFD72878F5496931F1A8AF1798A2' (expires 21/05/2012 01:59:59)?
     [Y] Yes  [A] Yes to All [N] No  [L] No to All [S] Suspend [?] Help (default is " Y "): Y
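
The following script is an added example, not TBS's documented procedure: it automates the two steps above by selecting the newest unexpired certificate with a private key that matches the domain, showing the candidates so the serial number can be compared with the status page, and then enabling the services without the interactive prompts. The $DomainName value and the service list are assumptions to adapt; run it in the Exchange Management Shell.

```powershell
# Added example (not TBS's own script). Run in the Exchange Management Shell.
# $DomainName and $Services are assumed placeholders; replace them with yours.
param(
    [string]$DomainName = "mymaindomain.com",
    [string]$Services   = "SMTP,IIS,IMAP,POP"
)

# Certificates matching the domain that are not expired and carry a private key
# (a chain-only .cer import has no private key and cannot serve Exchange),
# newest expiration first.
$candidates = Get-ExchangeCertificate -DomainName $DomainName |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending

if (-not $candidates) {
    throw "No unexpired certificate with a private key matches $DomainName. Import the .p7b file first."
}

# Show what was found so the choice can be checked against the serial number
# on the certificate status page before anything is changed.
$candidates | Format-Table Thumbprint, SerialNumber, NotAfter, Services -AutoSize

$cert = $candidates | Select-Object -First 1
Write-Host "Enabling $Services on thumbprint $($cert.Thumbprint) (expires $($cert.NotAfter))"

# -Force suppresses the "Overwrite existing default SMTP certificate" confirmation
# shown in the interactive session above.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services -Force

# Verify: the Services field of the chosen certificate should now list them.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Thumbprint, Services, NotAfter
```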

Create a PFX from Exchange 2010 / 2013

We found this documentation explaining how to generate a PFX from a certificate in Exchange 2010 / 2013: http://exchangeserverpro.com/export-an-exchange-server-2010-certificate-to-exchange-2003

You can also use our certificate export procedure via the MMC, available here: "Create a certificate back-up".

Common issue: revocation check failed
The certificate status could not be determined because the revocation check failed

This issue occurs because Exchange tries to check the CRL during the certificate import. If its tool (which uses WinHTTP) cannot reach the web, the operation fails.

Troubleshoot:

- make sure the firewall allows connections on port 80 (HTTP) to the authority's server.
  For example, for Comodo, run the command:
  telnet ocsp.comodoca.com 80
- deactivate the proxy:
  netsh winhttp reset proxy

  or set up the WinHTTP proxy:

Example
  • with Comodo certificates:
    netsh winhttp set proxy proxy-server="http=monproxy" bypass-list="*.comodoca.com"
  • with TBS X509 certificates:
    netsh winhttp set proxy proxy-server="http=monproxy" bypass-list="*.tbs-x509.com"
  • with Globalsign certificates:
    netsh winhttp set proxy proxy-server="http=monproxy" bypass-list="*.globalsign.com"
  • with Thawte certificates:
    netsh winhttp set proxy proxy-server="http=monproxy" bypass-list="*.thawte.com"

Common issue: The Certificate is Invalid for Exchange Server Usage

You have probably installed the certificate without its certification chain (.cer file) via the GUI. We advise using PowerShell to install our .p7b file.

In that situation, the best way to solve the issue is to request a certificate reissuance and to follow our PowerShell instructions.

You can also try to install the missing chain manually.

Check your certificate installation with Co-Pibot:

On your certificate status page, click on the button "Check your certificate" to make sure your certificate has been correctly installed.

Last edited on 12/04/2013 13:25:23