Tuesday, May 6, 2014

Exchange 2013 (SP1) - Migration - Part 5 - Certificates

The Exchange Server Deployment Assistant (ESDA) has been my guide for much of this migration. On the subject of certificates, the ESDA explains how to request a certificate from a 3rd party certificate authority, install the certificate on the Exchange 2013 server, export it and finally import it on the Exchange 2007 server.

Since I already have a certificate for the Exchange 2007 server, I will proceed somewhat differently. I will leave the certificate enabled on the Exchange 2007 server but export it and then import it on the Exchange 2013 server.

At this point, I want to specify something important...

If the migration will be gradual, the mailboxes being moved from the Exchange 2007 server to the 2013 server over time, we need to create a DNS record such as legacy.contoso.com and this name must be on the certificate (this was explained in greater detail in a previous post). In my case, the few mailboxes I have will be moved at once. There is no need then for a certificate including "legacy.contoso.com".

So, in summary, I will use my existing certificate (exported from the Exchange 2007 server and imported to the Exchange 2013 server) and will not configure a DNS record for legacy.mitserv.net or request a new certificate with this name.

So, having clarified my procedure, I will start with the export of the existing certificate, already installed on the Exchange 2007 server.

We identify the certificate by its thumbprint. We obtain the thumbprint with the command "Get-ExchangeCertificate". This command lists the Exchange certificates installed on the server. In my case, I believe the certificate with the thumbprint "EC523xxxxxxxx" (abbreviated for simplicity) is the one I want. Piping the output to the Format-List cmdlet (below, slightly edited), I verify the dates and the names on the certificate.

[PS] C:\>Get-ExchangeCertificate EC523xxxxxxxx | fl

CertificateDomains : {mail.mitserv.net, www.mail.mitserv.net, autodiscover.mitserv.net, mitserv.net}
HasPrivateKey      : True
IsSelfSigned       : False
NotAfter           : 3/8/2015 10:32:06 PM
NotBefore          : 3/8/2014 9:32:06 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2B5xxxxxxxxx
Services           : IMAP, POP, IIS, SMTP
Status             : Unknown
Subject            : CN=mail.mitserv.net, OU=Domain Control Validated
Thumbprint         : EC523xxxxxxxxx

Using the thumbprint above, I export the certificate with the following cmdlet:

[PS] C:\>Export-ExchangeCertificate -Thumbprint EC523xxxxxxxx -BinaryEncoded:$true -Path C:\Cert-Export\export2013.pfx -Password (Get-Credential).Password

I then move the file to the Exchange 2013 server (I will not explain how to do this, of course. You can use a mapped network drive, a flash drive, an external hard drive, or whatever method you prefer).

So now, the exported certificate should be available for import on the Exchange 2013 server.

Before importing the certificate however, I have to import an intermediate certificate into the machine store on the Exchange 2013 server. 

Let me attempt to explain this. Very often, the root certificate authority does not issue certificates to customers directly. Instead, it issues intermediate certificates to intermediate authorities, which in turn issue certificates to their clients, such as myself. When certificates are used to authenticate a website (and provide the basis for the encryption that secures communication with it), there must be a verifiable "certificate chain" from the certificate issued to the client, through the intermediate certificate, to the root certificate.

So, in my case, this means I need to install the intermediate certificate and then the certificate issued to me, or rather to my organization.

Note: any more detail on this process is beyond the scope of this post, in particular certificate revocation, which implies some sort of connectivity with the certificate authorities involved and the caching of any certificate revocation lists.

At this point, I have the certificate for my organization on the Exchange 2013 server as well as the intermediate certificate. From where did I obtain the intermediate certificate? It was downloaded to the Exchange 2007 server when I originally purchased the certificate for my organization. Like that certificate, I copied it to the Exchange 2013 server.

So, "with no further ado" (with no further delay), we'll now import the intermediate certificate and the certificate for my organization (mitserv.net).

First, we open a Microsoft Management Console (MMC) and add the "Certificate Manager" snapin. Make sure it is for the "Local Computer" rather than the User. We then open the Certificate Manager and navigate to the "Intermediate Certification Authorities" folder:

Right click on the folder, select "All Tasks" and then "Import".

Note: in the following steps, click "Next" and "Finish" as needed.

Browse to the location of the intermediate certificate:

Place the intermediate certificate in the corresponding store:

Once the intermediate certificate has been installed, we can import the certificate for the organization, exported from the Exchange 2007 server earlier.

This is the command we use to import the certificate exported from the Exchange 2007 server:

[PS] C:\>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certs\export2013.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

I use the Get-ExchangeCertificate cmdlet to identify the various certificates (expired and current) that I have on the server and then, having located the one I intend to use (by looking at the expiration dates), I enable it with the following cmdlet:

[PS] C:\>Enable-ExchangeCertificate -thumbprint EC523xxxx -Services "IIS,SMTP"

Overwrite the existing default SMTP certificate?

Current certificate: '3366Axxxxxx' (expires 4/28/2019 7:31:12 PM)
Replace it with certificate: 'EC523xxxxx' (expires 3/8/2015 10:32:06 PM)

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A
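Rather than eyeballing dates and names in the Format-List output, the checks above (private key present, validity window, required names in the SAN list, and a chain that builds through the imported intermediate CA) can be scripted before running Enable-ExchangeCertificate. This is an added example, not part of the original post; it assumes the Exchange Management Shell is loaded, and the thumbprint and the list of required names are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): pre-enable sanity check for an
# imported Exchange certificate. $Thumbprint and $RequiredNames are placeholders.
param(
    [string]$Thumbprint = 'EC523xxxxxxxx',   # abbreviated value from the post, replace with the real one
    [string[]]$RequiredNames = @('mail.mitserv.net', 'autodiscover.mitserv.net')
)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
$problems = @()

# 1. The private key must have come across in the PFX, or IIS/SMTP cannot use the certificate.
if (-not $cert.HasPrivateKey) { $problems += 'No private key: re-export as PFX with the key included' }

# 2. Validity window: reject expired or not-yet-valid certificates.
$now = Get-Date
if ($cert.NotAfter -lt $now)  { $problems += "Expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt $now) { $problems += "Not valid until $($cert.NotBefore)" }

# 3. Every name clients connect to (OWA, Autodiscover, SMTP) must appear in the SAN list.
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
foreach ($name in $RequiredNames) {
    if ($domains -notcontains $name.ToLower()) { $problems += "Missing SAN entry: $name" }
}

# 4. Building the chain proves the intermediate CA was imported into the machine store.
#    Revocation is skipped here because the post leaves CRL handling out of scope.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "Chain does not build (is the intermediate CA installed?): $status"
}

if ($problems.Count -eq 0) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    Write-Output "OK: $($cert.Subject) chains to $root"
    Write-Output "Safe to run: Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services 'IIS,SMTP'"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If the chain check fails right after the PFX import, the usual cause is that the intermediate certificate landed in the user store instead of the Local Computer store in the MMC steps above.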
