About a year ago, I wrote a post on “how to publish Exchange 2007 OWA using ISA 2006”; this time, the SSL certificate had expired, so it needed to be renewed. To make my ISA/OWA 2007 procedure complete, I thought it would be useful to write down how to do that as well.
1) To renew the certificate for webmail.pdtit.be, we start by listing the certificates currently installed on the Exchange box:
Get-ExchangeCertificate -DomainName "webmail.pdtit.be" | fl
Note the services to which the certificate is bound (by default: IIS, SMTP, IMAP, POP3); copy the thumbprint of the certificate.
2) Get a new certificate with a valid expiration date (by default, 1 year from its generation date):
Get-ExchangeCertificate -Thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate -PrivateKeyExportable $True
(-PrivateKeyExportable $True is necessary so that the certificate can be exported in a format the ISA 2006 server can use)
3) If the certificate is being used for SMTP as well, confirm the following prompt:
Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 4/25/009 7:37:31 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):
4) The new certificate has been generated but not yet enabled; check the new certificate:
Get-ExchangeCertificate -Thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E"
Thumbprint Services Subject
---------- -------- -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E ..... CN=webmail.pdtit.be
5) To enable this newly generated certificate for the Exchange services, use the following PowerShell cmdlet:
Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS, POP, SMTP, IMAP
6) Because the newly generated certificate again has a private key linked to it, we can export it to a PFX file and import that file through the Certificates MMC on the ISA server. After these steps, the new certificate is bound to the Exchange 2007 web services internally and to the ISA 2006 OWA listener.
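A check that can be run once step 6 is done, as an added example that is not part of the original post: it confirms that the renewed certificate is present in the machine store with its private key, is inside its validity period, and names the expected host. The function name, its parameters and the 30-day margin are assumptions; it is meant to be run on the Exchange box before the export and on the ISA server after the PFX import, and assumes PowerShell is installed there.

```powershell
# Added example, not from the original post; names and the 30-day margin are assumptions.
function Test-RenewedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$MinDaysValid = 30
    )
    # Thumbprints copied from a console or the certificate MMC often carry
    # spaces or invisible characters; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate $clean in LocalMachine\My." }

    $now = Get-Date
    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key in this store, so it cannot be bound to a service or listener'
    }
    if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        $problems += "expires $($cert.NotAfter), inside the $($MinDaysValid)-day margin"
    }
    $cnPattern = 'CN=' + [regex]::Escape($HostName) + '(,|$)'
    if ($cert.Subject -notmatch $cnPattern) {
        $problems += "subject '$($cert.Subject)' does not name $HostName"
    }
    # Other certificates for the same subject that are still installed (e.g. the expired one).
    $stale = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $clean
    } | ForEach-Object { $_.Thumbprint })

    New-Object PSObject -Property @{
        Thumbprint = $clean
        NotAfter   = $cert.NotAfter
        Problems   = $problems
        StaleCerts = $stale
        Ok         = ($problems.Count -eq 0)
    }
}

# Thumbprint and host name taken from the steps above; the leading space is deliberate.
Test-RenewedCertificate -Thumbprint ' 3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' -HostName 'webmail.pdtit.be'
```

An empty Problems list on both machines means the certificate arrived on the ISA server with its key; any thumbprints listed under StaleCerts are older certificates for the same name that are still installed.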
That’s all folks,
apr 26 2009, 05:38
Peter De Tender