Certificates play a key role in authenticating and securing user access to Exchange via HTTPS. When we configure the Client Access Server (CAS), it is generally recommended to obtain an SSL certificate from a 3rd party certificate authority like Comodo, Digicert, GoDaddy, or Verisign. The certificate obtained from the certificate authority is 1) imported and 2) enabled on the Exchange server for the appropriate services, "IIS" and "SMTP" for example.
Often, the certificate for the organization comes with an intermediate certificate that must be imported into the local computer certificate store of the server before the organization certificate will function.
Many sources available on the Internet explain this process. In particular, certificate authorities usually provide directions for the installation of their certificates.
Note: in Exchange 2007, certificate operations (import, enable, etc.) could only be performed at the command line (in the "EMS"). Exchange 2010 and 2015 also provide a GUI for this type of operation.
When moving from one Exchange server to another, in the context of a migration to a newer version or simply the replacement of a server, it can be advantageous to move the certificates from one to the other.
Yes, an organization could always request another certificate from the certificate authority using a brand new certificate request created on the new server. However, this would entail a brand new invoice from the certificate authority as well.
In fact, depending on the certificate authority and type of certificate issued, the certificate originally acquired may not function on any other server than the one on which the original request was created. In other cases, though, this is possible. One common scenario is exporting the certificate from the Exchange server so it can be imported on an ISA or TMG server that pre-authenticates Exchange users at the perimeter of the network.
So, in the following lines, I'll concentrate on the procedure to follow when migrating from Exchange 2007 to Exchange 2010.
Export the existing certificate(s) from the first server
I have both an intermediate certificate provided by the certificate authority as well as the certificate delivered for my organization. Since I kept a copy of the original intermediate certificate, I will not need to export it from the Exchange 2007 server. So I'll focus on exporting the certificate for my organization and then the import operations on the Exchange 2010 server.
Exporting the Exchange certificate (Exchange 2007 server)
The organization's certificate is exported using this command in the EMS (Exchange Management Shell):
Export-ExchangeCertificate -Thumbprint 11111a22222222b33333 -BinaryEncoded:$True -Path C:\E2K10-Cert-Export\export-for-e2k10.pfx -Password (Get-Credential).Password
Note: yes, I modified the thumbprint for both security and concision. You might also be wondering "But wait! Where did you find that thumbprint?". I executed the Get-ExchangeCertificate cmdlet and located the proper certificate among those listed. In my case, there were only two certificates (one was the "self-signed" certificate). So I selected the other.
Otherwise, if you want details on each of the parameters, you can consult the Microsoft documentation on the Export-ExchangeCertificate cmdlet:
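As an added example (my own script, not part of the original procedure), here is the export step done without copying the thumbprint off the screen: the certificate is selected by subject name, the self-signed certificate is excluded, and the presence of a private key is checked before exporting. It assumes the certificate subject contains the placeholder name mail.example.com and that the folder C:\E2K10-Cert-Export already exists; run it in the EMS on the Exchange 2007 server.

```powershell
# Added example, not from the original post. Locate the CA-issued certificate
# on the Exchange 2007 server by subject, sanity-check it, then export it.
# Assumptions: subject contains mail.example.com (placeholder) and the
# export folder exists.

$subjectMatch = "mail.example.com"                      # placeholder domain name
$exportPath   = "C:\E2K10-Cert-Export\export-for-e2k10.pfx"

# Exclude the self-signed certificate (Issuer equals Subject) and require a
# private key; a PFX without the private key is useless on the new server.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*$subjectMatch*" -and
                   $_.Issuer -ne $_.Subject -and
                   $_.HasPrivateKey }

if ($cert -eq $null) {
    throw "No CA-issued certificate with a private key matching $subjectMatch was found."
}
if (@($cert).Count -gt 1) {
    $cert | Format-List Thumbprint, Subject, NotAfter, Services
    throw "More than one certificate matched; choose the thumbprint from the list above."
}

Write-Host ("Exporting " + $cert.Thumbprint + " (expires " + $cert.NotAfter + ")")

# The password protects the private key inside the PFX. It is prompted for
# interactively and never written into the script.
$pfxPassword = (Get-Credential).Password

Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path $exportPath -Password $pfxPassword

# Confirm the file exists and is not empty before copying it to the new server.
$file = Get-Item $exportPath
if ($file.Length -lt 1024) { throw "Export file looks too small: $($file.Length) bytes" }
Write-Host ("Wrote " + $file.FullName + ", " + $file.Length + " bytes")
```

The PFX now contains the private key, so treat the file like a password: copy it to the new server over an authenticated channel and delete the copy on the old server once the import has been confirmed.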
Import the certificates into the second server
Note: I have created a custom MMC named CERTMGR.msc that targets the computer certificate store of the local computer. Normally, when you open the CERTMGR.msc MMC, it targets the user certificate store.
I have also, for this example, placed the necessary files in the C:\Certs folder.
1. Click on the Start Menu and open CERTMGR.msc
Start | All Programs | Administrative Tools | CERTMGR.msc
2. Go to the "Intermediate Certification Authorities" folder and then to the "Certificates" subfolder. Right-click and select "All Tasks, Import".
3. Click "Next" on the "Welcome" page to proceed to the screen where you can browse to the certificate file to be imported. Select the file type PKCS #7 (for .p7b files) and select the certificate.
Click "Next". Make sure the "Intermediate Certification Authorities" store is targeted.
Click "Next", confirm the operation and then "Finish". You can confirm the success (or failure) of the operation by verifying the certificate has been added to the local computer certificate store:
Exchange certificate (provided specifically for your organization)
Finally, we must import and enable the Exchange certificate with the domain names used by our organization, provided by the 3rd party certificate authority. Since I'm most familiar with the command line for this type of operation, that's what I'll use.
Note: the files mentioned in the examples must be placed in the indicated locations for the cmdlets to function. Otherwise, change the commands to reflect the location of your files.
1. Import the certificate.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certs\export-for-e2k10.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password
2. Enable the certificate.
Enable-ExchangeCertificate -Thumbprint 11111a22222222b33333 -Services "IMAP, IIS, POP, SMTP"
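As an added example (my own script, not part of the original procedure), here is the whole second-server side done from the Exchange 2010 Management Shell: the intermediate certificate is placed in the local computer's "Intermediate Certification Authorities" store with .NET rather than through the MMC, the PFX is imported, the chain is checked on the server before anything is enabled, and the services are enabled and verified. It assumes the intermediate file is C:\Certs\intermediate.p7b (placeholder name) and the PFX is the C:\Certs\export-for-e2k10.pfx file from the first server.

```powershell
# Added example, not from the original post. Second server (Exchange 2010).
# Assumptions: intermediate certificate at C:\Certs\intermediate.p7b
# (placeholder name), exported PFX at C:\Certs\export-for-e2k10.pfx.

$intermediatePath = "C:\Certs\intermediate.p7b"
$pfxPath          = "C:\Certs\export-for-e2k10.pfx"
$services         = "IMAP, IIS, POP, SMTP"

# 1. Intermediate certificate -> LocalMachine\CA, which is the
#    "Intermediate Certification Authorities" store. Using the LocalMachine
#    store explicitly avoids the user-store pitfall of the default CERTMGR.msc.
#    X509Certificate2Collection.Import reads PKCS #7 (.p7b) files.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($intermediatePath)
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
$caStore.Open("ReadWrite")
foreach ($ca in $bundle) {
    # A root (self-signed) certificate belongs in the Trusted Root store, not here.
    if ($ca.Subject -eq $ca.Issuer) { Write-Warning ("Skipping root cert: " + $ca.Subject); continue }
    $caStore.Add($ca)      # Add does not duplicate a certificate that is already present
    Write-Host ("Intermediate added: " + $ca.Subject)
}
$caStore.Close()

# 2. Import the PFX. Note [Byte[]] (a byte array), not [Byte].
$pfxPassword = (Get-Credential).Password
$imported = Import-ExchangeCertificate -Password $pfxPassword `
    -FileData ([Byte[]]$(Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0))
if ($imported -eq $null) { throw "Import-ExchangeCertificate returned nothing; check the file and password." }

# 3. Build the chain on this machine before enabling anything. A missing
#    intermediate shows up here rather than as a certificate warning in Outlook
#    or OWA. Revocation is deliberately not checked here (clients do that);
#    this step only verifies that the chain is complete on the server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
if (-not $chain.Build($imported)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certificate chain does not build; fix the intermediate store before enabling."
}
Write-Host ("Chain OK, " + $chain.ChainElements.Count + " certificates deep")

# 4. Enable for the services and show the result for the change record.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint | Format-List Subject, NotAfter, Services
```

Enable-ExchangeCertificate prompts before it replaces the certificate currently bound to SMTP; read that prompt rather than suppressing it, since the answer changes which certificate other servers see during TLS mail flow.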
Well, does it work?
It did for me. I was able to log in as two different test users whose mailboxes were moved to the Exchange 2010 server, and was able to open both OWA and Outlook without any prompts or error messages about certificates.