Anfos Sin

Jul 9, 2024, 7:43:54 AM
to tuepepramis

A wildcard certificate is designed to support a domain and multiple subdomains. For example, configuring a wildcard certificate for *.contoso.com results in a certificate that will work for mail.contoso.com, web.contoso.com, and autodiscover.contoso.com.

PKI Made Easy Exchange Certificate Wizard

DOWNLOAD https://vbooc.com/2yLGyD

The support question is a relatively easy one to answer. Yes, they are supported from a vendor perspective. One clue for this is that wildcard SSL certificates are an option in the Exchange 2010 new certificate wizard. Microsoft does not make a habit of including options in Exchange Server that will lead you down an unsupported path.

I have a 2010 SP3 and 2016 environment that is also, going forward, getting a hybrid connection with O365 indefinitely. I have cert renewals coming up and I asked MS if they have any problems with wildcards and they said no.
My question is: a SAN cert seems to be the best way to go for this company because they acquire companies slowly. The one they just acquired is already on O365 and I am debating moving them down to 2016 and then back to the new tenant we are moving some users to soon after the connections are made and tested.
We use Proofpoint as part of the solution. I have seen some companies use the certs within the F5 in such a manner as to offload that work and keep Exchange safe and clean with less overhead.
I would think that applying the SAN certs in Proofpoint/F5 would be my best choice, rather than using self-signed certs or wildcard certs within the local domain.

GoDaddy sells UC certs that can include up to 100 domain names. It does get expensive, but I use this as leverage for keeping/routing email for new domains. It puts that extra check in place when it costs money.

Hi Paul.
One of my customers is using a certificate for POP3/IMAP services which expired 2 days ago. That certificate is intended for the IMAP, POP and SMTP services. The Exchange 2010 server has another certificate (a wildcard one) assigned to the IIS and SMTP services.

I would appreciate it if you can provide a solution to this, as I could not find it anywhere else.
Is it still possible to use a wildcard certificate with Exchange 2013? Otherwise, can I get multiple standard certificates, one for each of the domains, to save money?

Hi Paul,
When I change the msstd value on the XP Outlook profile to match the wildcard cert name of
*.domain.com, I am no longer stuck in looping Outlook password prompts. However, Autodiscover changes it back to webmail.domain.com, so I can only log into the profile once.

In this week's episode of the Practical 365 podcast, Steve Goodman and Rich Dean are joined by Microsoft's Andy Jaw, a senior security specialist with a fascinating background spanning the military, law enforcement, and now as a cyber security expert.

How do you renew a certificate in Exchange Hybrid? You have a new third-party certificate installed on the Exchange Server. Now that you have finished that task, you would like to remove the old certificate. But you get a message that the certificate is tagged with the Outbound to Office 365 send connector. Why is this happening, and what is the solution?

View the certificates in the MMC snap-in, and delete the invalid certificate in the Personal store. An excellent way to identify the certificate is by checking the Expiration Date.

Another way to renew the Exchange Hybrid certificate is to rerun the Hybrid Configuration Wizard. Connect in the first step with your credentials and go through the setup wizard by clicking the Next button.

You learned how to renew the Exchange Hybrid certificate. Collect the new certificate information and run the commands to set the TLS certificate on the send connector and receive connector. Another way is to rerun the Office 365 Hybrid Configuration Wizard and select the new certificate.

Hi Ali, Thanks for your article, you made the life easier.
I have a hybrid Exchange/365 setup. I renewed the Exchange on-prem certificate and updated the send/receive connectors; do I need to do anything else on Exchange Online?

I just renewed my wildcard cert and added the IIS and SMTP services to it. I then reran the HCW, which, if I am reading this correctly, means I can just go into Cert Mgr and delete the old cert. Do you have to run the commands to update the send and receive connectors if you run the HCW and select the new cert in the HCW?

OK, question: how can I check if the send and receive connectors are using the renewed SSL cert?
Our SSL was renewed back in Nov 2022 and currently mail flow is working fine, but when we go to delete this expired SSL we get the same error message as in this post. Now I don't know what process was followed back in Nov, as the tech that did the work has left the company.

Is it OK for me to run the commands from this post, even if the send connectors are already using the new SSL certificate? This won't break anything? Or, because mail flow is working between On-Prem and O365, is it safe to just go ahead and delete the expired SSL without running the commands?

We are running Exchange Server 2016 and followed these excellent directions. Thank you. One question though is when I run Get-HybridConfiguration the tlscertificate is not updated to the new cert. Is this normal following the update of the connectors without running the HCW?

When rerunning the Office 365 Hybrid Configuration Wizard, all of the settings will remain the same as when it was setup? Just click through it, with the exception of adding the new certificate in the Transport Certificate window?

With regards SSL, do we need to keep the DigiCert webmail certificate once hybrid is gone or can we replace it with one from our own CA? So in essence once we are down to the last server, do we still need external SSL?

Thanks Ali, highest praise!!! All your articles are well researched and quite detailed. These days whenever I need to check something quickly about Exchange, I always look to see if your website has it covered, and there are no disappointments. Keep up the good work!

This article explores renewing a third-party certificate in Exchange 2016 CU23 and greater and Exchange 2019 CU12 and greater. This process differs from the older cumulative updates (and Exchange 2013), where renewing a third-party certificate through the Exchange Admin Center (GUI) was still possible.

As mentioned earlier, newer versions of Exchange 2016 and Exchange 2019 require that third-party certificate requests be conducted through PowerShell. Third-party certificate requests can no longer be requested or renewed through the Exchange Admin Center.

First, we need to find the thumbprint of the certificate we plan to renew. To do this, we can run the Get-ExchangeCertificate command and filter the responses to only certificates that are issued by a third-party certificate authority.

This will return all certificates that are not self-signed. In our example, we see just a single certificate returned. This certificate is named mail.exchangeservergeek.com and has a corresponding thumbprint. This is the certificate we will be renewing.

In this command, two things are important. First, you must specify a UNC path to where you want to save the certificate request file. In our example, we saved this to our desktop as a text file named certrequest.txt. The second is what we are exporting into that file. In this case, it is the contents of the variable $certrequest. When you run this command, the file will be created in the specified location.

By running the following command, you will notice we have two certificates with the name mail.exchangeservergeek.com; however, one of these will be in a Pending Request state. The duplicate minimizes downtime for your users because it allows you to process the certificate renewal without affecting the existing certificate.

The specific steps for each certificate provider are different, but the principles remain the same. You provide a certificate request. The provider validates your identity. The provider then issues you a certificate.

First, we need to get the certificate request we created in the previous section. This should have created a file on your desktop (or the path you specified). Open this file with Notepad and copy the entire contents, including the BEGIN and END lines.

At some point, the third-party certificate authority will ask you to paste the contents of the CSR file into their system for processing. From this file, the provider will identify all the subject and alternate names you need. Using our previous example, the certificate provider identified that we requested both mail.exchangeservergeek.com and autodiscover.exchangeservergeek.com. The validation process will then begin.

The validation process can vary between providers as well. Some providers will perform a simple domain validation where they send an email to the recipients listed on your domain registration. Others will perform more extensive checks, including validating your business against various agencies.

Once your identity has been validated and your certificate approved, download and unpack your certificate. Often providers will ask you what system the certificate is for. If you have the option for Exchange, this will give you the appropriate certificate bundle. You will then be ready to complete your certificate request.

You will notice we have a duplicate of the certificate. The one with the later expiration date (NotAfter column) is your new certificate. In our example above, the thumbprint highlighted in green, with the NotAfter date of 7/15/2024, is our new certificate. The thumbprint highlighted in blue, with the NotAfter date of 7/15/2023, is our current certificate that users are still leveraging.

If you specified SMTP as a service to add to the new certificate, you will be prompted on whether to overwrite the existing default SMTP certificate. Enter Y and press Enter.

The easiest way to check is to enter your URL into a web browser. In our case, we enter This should result in no certificate errors. You can also select the padlock in the address bar and explore the properties of the certificate to verify the updated expiration date and certificate chain.
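The renewal procedure above (find the third-party certificate, generate the request, complete it, enable it for IIS and SMTP) and the earlier question of how to tell which certificate the hybrid send and receive connectors actually use are put together here as one added example. This is not code from the original post or from the articles it quotes; it assumes an Exchange Management Shell session on the on-prem server, and the thumbprint, UNC paths and connector identities are placeholders to replace.

```powershell
# Added example, not from the original post. Placeholders: PLACEHOLDER_THUMBPRINT,
# \\FileServer\Share paths, the send connector name and the receive connector identity.

# 1. Installed certificates that are not self-signed (the ones a CA issued).
$thirdParty = Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned }
$thirdParty | Format-Table Thumbprint, Subject, NotAfter, Services, Status -AutoSize

# 2. Which certificate do the hybrid connectors reference? TlsCertificateName is
#    stored as "<I>issuer<S>subject", so build that string for each installed
#    certificate and compare it with what the connectors hold.
$sendConnector    = Get-SendConnector    -Identity 'Outbound to Office 365'        # placeholder
$receiveConnector = Get-ReceiveConnector -Identity 'EX01\Default Frontend EX01'    # placeholder
foreach ($cert in $thirdParty) {
    $name = "<I>$($cert.Issuer)<S>$($cert.Subject)"
    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        UsedBySend  = ("$($sendConnector.TlsCertificateName)"    -eq $name)
        UsedByRecv  = ("$($receiveConnector.TlsCertificateName)" -eq $name)
    }
}

# 3. Generate the renewal request from the expiring certificate and write it to a
#    UNC path; the existing certificate keeps serving users while the request is pending.
$old         = Get-ExchangeCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT'
$certrequest = $old | New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true
[System.IO.File]::WriteAllBytes('\\FileServer\Share\certrequest.txt',
    [System.Text.Encoding]::Unicode.GetBytes($certrequest))

# 4. After the CA returns the signed certificate: complete the pending request,
#    enable it for IIS and SMTP (-Force answers the "overwrite default SMTP
#    certificate" prompt), then point both hybrid connectors at the new certificate.
$new = Import-ExchangeCertificate -FileData (
    [System.IO.File]::ReadAllBytes('\\FileServer\Share\mail_exchangeservergeek_com.cer'))
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP -Force
$tlsName = "<I>$($new.Issuer)<S>$($new.Subject)"
Set-SendConnector    -Identity 'Outbound to Office 365'     -TlsCertificateName $tlsName
Set-ReceiveConnector -Identity 'EX01\Default Frontend EX01' -TlsCertificateName $tlsName

# Re-run step 2 afterwards: only when UsedBySend and UsedByRecv are both True for the
# new thumbprint can the old certificate be removed without the connector error.
```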
