Procedure for replacing expired certificates on transport servers which are part of Hybrid configuration


At times we often come across a situation where in the certificate used for cross premise mail flow has expired or is about to expire.

Most of the times we replace the certificates and then rerun Hybrid configuration wizard which resets the custom configuration made either on send, receive, inbound or outbound connector.

We can make use of the below procedure to update the necessary configuration items within on premise and within Exchange Online without having to rerun Hybrid configuration wizard.

I will break the procedure down in 2 sections. Section 1 for Customers having Exchange 2010 and Section 2 for customer having Exchange 2013 or higher.

Section 1 Exchange 2010

1. Once the new certificate has been imported to the HUB and edge servers pleas ensure that SMTP service is enabled on the certificate. We can make use of the below command let to enable SMTP service.

- Get-Exchangecertificate | fl : Please make a note thumbprint of the new certificate and existing services assigned to the certificate.

- Enable-Exchangecertificate -thumbprint "Thumbprint from previous step" -services "SMTP,<services noted from earlier step>"

Note: Exchange will prompt you to replace existing certificate with the new certificate. At this prompt please type in No or N

2. As long as the new certificate is identical to the old certificate with regards to the domains included within the subjectname and subject alternate names then we do not have to make any further change to any of the configuration items either in Exchange On premise or Exchange Online.

3.  In Exchange 2010 the certificate required for STARTTLS verb is picked by Exchange through the certificate selection  algorithm stated in the below article which always give priority to the latest certificate when Exchange finds more than one 3rd party certificate present for the FQDN stamped either on the send or receive connector.
https://technet.microsoft.com/en-us/library/bb430748(v=exchg.141).aspx

4. If the new certificate has a different set of domains included within the Subject and Subject alternate names then we have to use any one of the new domains included in either one of the attributes and then follow the below steps to have the domain updated against send and receive connectors in Exchange on premise and against inbound and outbound connector in Exchange Online.

  • a- We can query hybrid configuration details and then have it stored in a variable which can be used for getting the list of receive connectors on which the FQDN needs to be updated. The command needs to be executed from Exchange on premise.
    $hybridconfigruation=Get-HybridConfiguration
  • b- We can then run the below command let to update the FQDN on the receive connector created by HCW with the one of the domains included either in subject name or subject alternate names of the new certificate. The command needs to be executed against Exchange on premise shell.
    $hybridconfigruation.TransportServers | foreach {Get-ReceiveConnector -Server $_.name | where {$_.identity -like "*Inbound from Office*"} | Set-ReceiveConnector -Fqdn "domain.com"}
  • c- We can then update the FQDN on the send connector outbound to office 365 through the below command let. This command needs to be executed against Exchange on premise.
    Set-SendConnector "outbound to office 365" -FQDN "domain.com".
  • d- We then need to run (Get-OrganizationConfig).guid.tostring() to get hold of the guid of the on premise organization which can then be used for getting connector details in Exchange Online. Please make a note of the GUID. The command needs to be executed from Exchange on premise shell.
  • e- We then need to run the below command let from Exchange Online shell which will store the details about the current HCW to a variable.
    $onpremise=Get-OnPremisesOrganization | Where-Object -Property organizationguid -Match 'guid copied from step d'
  • f- We then have to update the attribute tlssendercertificate attribute on the inbound connector created by HCW through the below command let. The command let needs to be executed against Exchange Online Shell.
    Set-InboundConnector $onpremise.inboundconnector -TlsSenderCertificateName "domain.com"
  • g- In case if we have edge servers included within cross premise mail flow then we will have to make changes to the FQDN of the receive connector setup to receive emails from Exchange Online. Changes made to send connector would get replicated over to Edge sever through edge subscription. The command needs to be executed against Exchange on premise shell.
    Set-receiveconnector "Identity of the receive connector" -FQDN "domain.com"

5. SubjectName attribute maps to subject attribute and subject alternate name attribute maps to certificateDomains attribute when we review the data returned on running get-exchangecertificate -thumbprint "Thumbprint of the certificate"

Section 2 Exchange 2013 or higher

1. Once the new certificate has been imported to the HUB and edge servers pleas ensure that SMTP service is enabled on the certificate. We can make use of the below command let to enable SMTP service. The below commands needs to executed against Exchange on premise shell.

  • Get-Exchangecertificate | fl : Please make a note thumbprint of the new certificate and existing services assigned to the certificate.
  • Enable-Exchangecertificate -thumbprint "Thumbprint from previous step" -services "SMTP,<services noted from earlier step>"

Note: Exchange will prompt you to replace existing certificate with the new certificate. At this prompt please type in No or N.

2. With Exchange 2013 it is possible to associate a third party certificate directly to receive connector or send connector for STARTTLS verb through an attribute called TLSCertificateName. This attribute has to be populated by the Issuer string and subject string of the certificate that needs to be associated with outbound or inbound TLS. The format looks like "<I>Issuer String<S>Subject string

3. If the new certificate procured to replace old certificate has the identical Issuer and subject strings then we do not have to make any configuration changes to any of the configuration items either in the on premise or in Exchange Online.

4. To compare the issuer and subject string of the old certificate against the new certificate we can make use of the below command lets. These have to run against the on premise Exchange 2013 or higher server.

  • a- We can Get-ExchangeCertificate | where {$_.rootcatype -eq "thirdparty"} to get a list of third party certificates on the Exchange server
  • b- We can run  the below command lets to store the attributes for each of the certificates (old and new) to a variable
    $oldcertificate=get-Exchangecertificate -Thumbprint "Thumbprint of the old certificate"
    $newcertificate=get-Exchangecertificate -Thumbprint "Thumbprint of the old certificate"
  • c- We can then compare the issuer and subject strings for the old and new certificate. If the value returned is false then we will have to make configuration changes in Exchange On premise and Exchange Online. If the value returned is true then we do not have to make any changes to the configuration items in Exchange Online or Exchange on premise.
    ($oldcertificate.Issuer -eq $newcertificate.Issuer) -and ($oldcertificate.Subject -eq $newcertificate.Subject)

5. Assuming that step 4 returned a value of false then we will have to make changes to the default front end receive connector across all the transport servers included within the hybrid configuration wizard through the below command let. The below command lets should be used if the servers specified within hybrid configuration wizard are not edge servers.

  • a- We should run get-hybridconfiguration and store the output for the same to a variable which can then be used for getting list of receive and send connectors to be modified. The command needs to be executed from Exchange on premise.
    $hybrid=Get-HybridConfiguration
  • b- We can then run the below command let to get a list of front end receive connectors on which the attribute TLSCertificateName needs to be updated. The command needs to be executed from Exchange on premise.
    $hybrid.ReceivingTransportServers | ForEach-Object {Get-ReceiveConnector -Server $_.name | Where-Object -Property identity -Match '.+default frontend'}
  • c- We will then update the TLSCertificateName attribute with the issuer and subject string from the new certificate the details of which have been stored in the variable $newcertificate created in step 4 of section 2. The command needs to be executed from Exchange on premise.
    $hybrid.ReceivingTransportServers | ForEach-Object {Get-ReceiveConnector -Server $_.name | Where-Object -Property identity -Match '.+default frontend' | Set-ReceiveConnector -TlsCertificateName "<I>$($newcertificate.Issuer)<S>$($newcertificate.Subject)"}
  • d- In case if we have edge 2013 server then we will have to make the change against the receive connector setup on the edge to receive emails from Exchange Online. The command needs to be executed from Exchange on premise.
    Set-ReceiveConnector "Identity of the receive connector" -TlsCertificateName "<I>$($newcertificate.Issuer)<S>$($newcertificate.Subject)"
  • e- We can then run the below command let to update the send connector outbound to office 365. The command needs to be executed from Exchange on premise.
    Set-SendConnector "outbound to office 365" -TlsCertificateName "<I>$($newcertificate.Issuer)<S>$($newcertificate.Subject)"
  • f- We then need to run (Get-OrganizationConfig).guid.tostring() (From Exchange on premise shell) to get hold of the guid of the on premise organization which can then be used for getting connector details in Exchange Online. We can also export the details of the new certificate to an xml file which can then be imported in to Exchange Online shell through the below command lets
    Exchange On premise shell
    $newcertificate | Export-Clixml -Path c:\newcert.xml
    Exchange Online shell
    $newcertificate=import-clixml -path c:\newcert.xml
  • g- We then need to run the below command let from Exchange Online shell which will store the details about the current HCW to a variable
    $onpremise=Get-OnPremisesOrganization | Where-Object -Property organizationguid -Match 'guid copied from step f'
  • h- We then need to update the attribute TLSSenderCertificate on the inbound connector created by HCW through the below command let. Here variable newcertificate is populated with required values through an xml import performed in step f
    Set-InboundConnector $onpremise.InboundConnector -TlsSenderCertificateName "<I>$($newcertificate.Issuer)<S>$($newcertificate.Subject)"
  • i- Please run (Get-OutboundConnector $onpremise.OutboundConnector).tlsdomain from Exchange Online shell and then check to see if the value returned is present either in subject or subject alternate names of the new certificate. If its present then we are good otherwise we will have to go to the next step
  • k- We can update the tlsdomain in outbound connector to match one of the domains listed either in subject name or subject alternate name of the new third party certificate.
    Set-outboundconnector $onpremise.outboundconnector -tlsdomain domain.com

 

 


Comments (0)

Skip to main content