21 May 2014

New-exchangecertificate for Exchange EDGE 2010

Do this after office hours or in a service window, because there is a risk that mail flow comes to a halt when the EdgeSync subscription certificate no longer matches. I found out the hard way.

Generate a new certificate request:

$data = New-ExchangeCertificate -GenerateRequest -SubjectName "cn=mx03.domain.com" -DomainName mx03.domain.com, sr-XXXXX.domain.lan, sr-XXXXX -FriendlyName mx03.domain.com -PrivateKeyExportable $true
Set-Content -Path "c:\Temp\mailcert.req" -Value $data

Import the request into the PKI website http://servername/certsrv

Request a new Certificate

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file

Enter the request code and press Submit

On the PKI environment, issue the requested certificate and export the new certificate.

On the EDGE server copy the certificate to a folder.

To import the certificate in PowerShell:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.cer -Encoding byte -ReadCount 0))

Check the thumbprint to use in the next cmdlet:

Get-exchangecertificate | fl

Use the thumbprint in the following line:

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72XXXXXXXXXXXXXXXX8675333d010e -Services SMTP

Then recreate the EdgeSync Subscription:

New-EdgeSubscription -FileName "C:\temp\filename.xml"

Copy the XML file to your CAS server and create a new EdgeSync subscription there.
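As an added example (not from the original post), here is an Exchange Management Shell script for the Edge server that covers the import/enable steps above with the checks I would want before binding SMTP: it picks the newest certificate for the subject name, verifies it is not expired and has its private key, binds SMTP only if needed, and flags older certificates still bound to SMTP. It assumes the subject name mx03.domain.com from the request above and the -Force switch of Enable-ExchangeCertificate to suppress the "overwrite default SMTP certificate" prompt.

```powershell
# Added example, not from the original post. Run on the Edge server after Import-ExchangeCertificate.
# Assumption: the new certificate was requested with CN=mx03.domain.com (adjust $SubjectCn).
$SubjectCn = "mx03.domain.com"

# All certificates in the store for this subject, newest expiry first
$candidates = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "CN=$SubjectCn*" } |
    Sort-Object NotAfter -Descending

if (-not $candidates) {
    throw "No certificate with CN=$SubjectCn found in the local store"
}

$new = $candidates | Select-Object -First 1
$old = $candidates | Select-Object -Skip 1

# Refuse to bind a certificate that is already expired or was imported without its private key
if ($new.NotAfter -lt (Get-Date)) {
    throw "Newest certificate $($new.Thumbprint) expired on $($new.NotAfter)"
}
if (-not $new.HasPrivateKey) {
    throw "Certificate $($new.Thumbprint) has no private key; re-import it with the key"
}

# Bind SMTP to the new certificate only if it is not already bound.
# -Force suppresses the "overwrite the existing default SMTP certificate?" prompt.
if ($new.Services -notmatch "SMTP") {
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Force
    Write-Host ("Bound SMTP to {0} (expires {1:yyyy-MM-dd})" -f $new.Thumbprint, $new.NotAfter)
} else {
    Write-Host ("SMTP already bound to {0} (expires {1:yyyy-MM-dd})" -f $new.Thumbprint, $new.NotAfter)
}

# Older certificates for the same name keep their SMTP binding after Enable-ExchangeCertificate.
# Report them so they can be removed deliberately once the EdgeSync subscription is recreated.
foreach ($c in $old) {
    if ($c.Services -match "SMTP") {
        Write-Warning ("Older certificate {0} (expires {1:yyyy-MM-dd}) is still bound to SMTP" -f $c.Thumbprint, $c.NotAfter)
    }
}
```

After the subscription has been recreated, the old certificates reported by the warning can be removed with Remove-ExchangeCertificate -Thumbprint; keep them until EdgeSync presents the new one.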

The problem right now is we do not refresh the certificate used by ADAM when issuing a new subscription, so if you have created a new certificate, we keep presenting the old one. Ok, so here's what you need to do to get ADAM to present the new one:
1. On the Hub, remove the Subscription.
2. On the Edge, remove the cert used by ADAM to establish secure connections. You can do this by following these steps:
  a. Open up an empty mmc console (Run -> mmc)
  b. Select File -> Add / Remove Snap-in
  c. Hit Add
  d. Select "Certificates" from the list of Snap-Ins available, and hit Add.
  e. Select "Service Account" on the "Certificates Snap-In" page, click Next.
  f. Select "Local Computer" on the "Select Computer" page, click Next.
  g. Select "Microsoft Exchange ADAM" from the list of services, click Finish.
  h. Close the "Add Snap-in" dialog.
  i. Navigate to "Certificates – Service" -> "ADAM_MSExchange\Personal" -> Certificates
  j. You should see a single certificate here. Remove it.
3. On the Edge, unsubscribe, then create a new subscription file (you should see a new certificate show up at this point in the ADAM cert container from the step above) by calling New-EdgeSubscription:
   New-EdgeSubscription -FileName "<path to file>.xml"
4. Restart the "Microsoft Exchange ADAM" service.
5. Export the file to the Hub server.
6. On the Hub server, import the new subscription.
7. Create a new Edge subscription in the EMC.

Then you have to wait a few minutes.

To check if synchronization works, run:

