I manage an Exchange 2007 server for one of my clients where we have deployed Outlook Anywhere, a.k.a. RPC-HTTPS, to deliver a robust Exchange experience to remote users. We use a standard SSL certificate purchased from GoDaddy to secure communications.
That certificate expired today. I used articles from telnetport25 and msexchangegeek as resources, but I thought it would be helpful to compile the entire procedure in one location.
Note: Since the process to create and download an SSL certificate is different for every Certificate Authority, I will not cover it here. You should have your new certificate ready before beginning this procedure.
Step 1: Get the thumbprint of the expired certificate
You have to know the unique thumbprint of a certificate before it can be uninstalled. On the Exchange server, open the Exchange Management Shell and run the following command:
Get-ExchangeCertificate | fl | Out-File -FilePath c:\certs.txt
You will end up with a file on your C drive called certs.txt. Open this file and locate the certificate that needs to be uninstalled. Look for the NotAfter parameter to help you determine which certificate is expired or expiring soon if you have more than one certificate installed. Once you locate the certificate that needs to be uninstalled, make a note of the value of the Thumbprint parameter.
Step 2: Uninstall the expired certificate
Run the following command, substituting the value of the Thumbprint from Step 1 where it says <thumbprint>:
Remove-ExchangeCertificate -Thumbprint <thumbprint>
You will be prompted to confirm that you really wish to uninstall this certificate from the system. Press ‘a’ to confirm and continue when you’re ready.
Step 3: Import your new certificate
You should have already generated your new certificate. Since every certificate authority has a different process, we won’t cover that part of this operation here. Download your new certificate to the C drive of the Exchange server and run the following command:
Import-ExchangeCertificate -Path c:\mycert.cer -FriendlyName "mail.mydomain.com"
The FriendlyName parameter can be anything you want, so make it something descriptive that you will recognize later. It is common practice to use the URL of the domain you are securing as the FriendlyName.
Make a note of the new Thumbprint that is generated for your new certificate.
Step 4: Enable the new certificate for OWA
Substitute the Thumbprint value from the previous step where it says <thumbprint> and run the following command to enable the new certificate to secure OWA:
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS
That's all there is to it. Test your certificate installation by opening your OWA URL in a web browser. If the browser shows the SSL padlock and you do not receive any warnings about certificate errors, you are done.
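The four steps above, carried out end to end in one Exchange Management Shell script, as an added example that is not part of the original post. It selects the expiring certificate by hostname and NotAfter instead of by reading certs.txt by eye, refuses to proceed if more than one certificate matches, checks that the imported certificate actually covers the hostname before binding it to IIS, and then connects to port 443 to confirm which certificate clients are really being served. The hostname, file path and friendly name are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original post: full Exchange 2007 certificate
# renewal for OWA / Outlook Anywhere. Run inside the Exchange Management Shell.
# $HostName, $NewCertPath and $FriendlyName are assumed values for illustration.
param(
    [string]$HostName     = "mail.mydomain.com",   # name users connect to (assumed)
    [string]$NewCertPath  = "C:\mycert.cer",       # certificate downloaded from the CA (assumed)
    [string]$FriendlyName = "mail.mydomain.com",   # anything descriptive (assumed)
    [int]   $WarnDays     = 30                     # treat certs expiring within this window as "expiring"
)

# Helper: CertificateDomains is a collection of domain objects, so compare as strings.
function Test-CoversHost($cert, $name) {
    return (($cert.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $name)
}

# Step 1: find the certificate that is expired or about to expire for this hostname.
# Filtering on the hostname keeps an unrelated self-signed certificate out of the selection.
$cutoff = (Get-Date).AddDays($WarnDays)
$old = @(Get-ExchangeCertificate | Where-Object { (Test-CoversHost $_ $HostName) -and ($_.NotAfter -lt $cutoff) })

if ($old.Count -gt 1) {
    $old | Format-List Thumbprint, NotAfter, Services
    throw "More than one expiring certificate matched $HostName; remove by explicit thumbprint instead."
}

# Step 2: uninstall it. -Confirm:$false replaces the interactive 'a' (Yes to All) prompt.
if ($old.Count -eq 1) {
    Write-Host ("Removing {0} (NotAfter {1}, Services {2})" -f $old[0].Thumbprint, $old[0].NotAfter, $old[0].Services)
    Remove-ExchangeCertificate -Thumbprint $old[0].Thumbprint -Confirm:$false
} else {
    Write-Host "No expiring certificate for $HostName found; continuing with import."
}

# Step 3: import the new certificate. The cmdlet returns the imported certificate object,
# so its thumbprint does not have to be copied by hand.
$new = Import-ExchangeCertificate -Path $NewCertPath -FriendlyName $FriendlyName
if (-not (Test-CoversHost $new $HostName)) {
    throw "Imported certificate $($new.Thumbprint) does not cover $HostName; not enabling it."
}
if ($new.NotAfter -lt (Get-Date)) {
    throw "Imported certificate $($new.Thumbprint) is already expired (NotAfter $($new.NotAfter))."
}
Write-Host ("Imported {0}, valid until {1}" -f $new.Thumbprint, $new.NotAfter)

# Step 4: bind it to IIS, which is what OWA and Outlook Anywhere use.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
$bound = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($bound.Services.ToString() -notmatch 'IIS') {
    throw "Certificate $($new.Thumbprint) is not enabled for IIS after Enable-ExchangeCertificate."
}

# Verification: do a real TLS handshake to port 443 and compare what is served.
# The validation callback accepts any certificate here because the point is to
# read the thumbprint, not to trust the chain; the browser test still applies.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($HostName)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

if ($served.Thumbprint -eq $new.Thumbprint) {
    Write-Host ("OK: {0} serves the new certificate (NotAfter {1})" -f $HostName, $served.NotAfter)
} else {
    # A stale binding usually means IIS has not picked up the change yet (iisreset) or
    # the name resolves to a different server or a reverse proxy holding the old certificate.
    Write-Warning ("{0} still serves {1} (NotAfter {2}), not {3}" -f $HostName, $served.Thumbprint, $served.NotAfter, $new.Thumbprint)
}
```

The script follows the post's Exchange 2007 syntax; on Exchange 2010 and later, Import-ExchangeCertificate takes -FileData instead of -Path, and the same steps can be done from the Exchange Admin Center. The final handshake check is worth keeping even when doing the steps by hand, because it tells you what remote Outlook Anywhere clients will see rather than what the local certificate store contains.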