Renew certificate on Exchange 2010

The last day before a week off to Spain with the family, the boss booked me to consult her on renewing the certificate on our Exchange servers. With little time and no will to work on my vacation, I threw together this script so that she could perform the task herself.

#-------------------------------------------------------------
#NAME: new_cert_exchange2010.ps1
#AUTHOR: Viktor Lindström
#
#COMMENTS: Renew SAN-cert in Exchange 2010. Run the steps one at a time
#          from the Exchange Management Shell, not as one unattended script.
#-------------------------------------------------------------

# 1. Create a renewal request based on the currently active certificate (same
#    subject and SAN list) and write the PKCS#10 request to c:\temp\2014.req.
#    Replace 'active cert thumbprint' with the thumbprint of the certificate
#    currently bound to IIS (Get-ExchangeCertificate lists them).
$gen = Get-ExchangeCertificate -Thumbprint 'active cert thumbprint' | New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true
Set-Content -Path "c:\temp\2014.req" -Value $gen

# 2. Send the content of the request file to the external CA.

# 3. Import the certificate the CA returns (here saved as frånCA.cer, "from the CA").
#    This must run on the same server that created the request, because only
#    that server holds the matching private key.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\temp\frånCA.cer -Encoding Byte -ReadCount 0))

# 4. Find the thumbprint of the new certificate: the one with the latest NotAfter.
Get-ExchangeCertificate | Sort-Object NotAfter -Descending | Select-Object NotAfter, Thumbprint, CertificateDomains

# 5. Export certificate and private key as a password-protected .pfx. Run on the
#    server the certificate was imported on; paste the thumbprint from step 4.
#    Get-Credential is only used to prompt for the password, the user name is ignored.
#    The .pfx contains the private key: keep it off shares, copy it to the other
#    servers over an authenticated channel and delete it when done.
$ExportCert = Export-ExchangeCertificate -Thumbprint 'thumbprint' -BinaryEncoded:$true -Password (Get-Credential).Password
Set-Content -Path C:\temp\2014.pfx -Value $ExportCert.FileData -Encoding Byte

# 6. Import the .pfx on all other Exchange servers that host client access
#    (copy C:\temp\2014.pfx to each server first). Use the same password as in step 5.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\temp\2014.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password

# 7. Activate the new certificate on every Exchange server where it was imported
#    (same thumbprint as in step 4). Enabling SMTP asks whether to replace the
#    default SMTP certificate; answer yes (or add -Force) so the new one is used.
Get-ExchangeCertificate -Thumbprint 'Thumbprint' | Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP

# 8. Check that the new certificate is valid and bound to IIS. The NotAfter date
#    shown should be the new one; if the old date still appears here, step 7
#    did not take effect on this server.
Get-ExchangeCertificate | Where-Object {$_.Status -eq "Valid" -and $_.Services -like "*IIS*"} | Select-Object NotAfter, Thumbprint, FriendlyName
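As an added example that is not part of the original post or Viktor's script, here is a check to run on each server after step 7, before the old certificate is removed. It compares the new certificate with the one it replaces: private key present, status Valid, later expiry, every SAN name of the old certificate still covered, the required services bound, and the exported .pfx no longer lying on disk. It assumes the Exchange Management Shell is loaded (so Get-ExchangeCertificate and its CertificateDomains and Services properties are available) and stays PowerShell 2.0 compatible; the function name, the thumbprints and the .pfx path are placeholders, not values from the post.

```powershell
# Added example (not from the original post): sanity-check a renewed Exchange 2010
# SAN certificate against the one it replaces. Assumes the Exchange Management
# Shell is loaded. Function name, thumbprints and PfxPath are placeholders.
function Test-RenewedExchangeCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$OldThumbprint,
        [Parameter(Mandatory = $true)][string]$NewThumbprint,
        [string[]]$RequiredServices = @('IIS', 'SMTP'),
        [string]$PfxPath = 'C:\temp\2014.pfx'
    )

    $old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
    $new = Get-ExchangeCertificate -Thumbprint $NewThumbprint
    $problems = @()

    # A certificate imported from the CA's .cer on a server that did not create the
    # request has no private key and cannot serve TLS, even though it lists fine.
    if (-not $new.HasPrivateKey) {
        $problems += 'New certificate has no private key on this server'
    }

    # Status reflects the Exchange chain and revocation check, not just the dates.
    if ($new.Status -ne 'Valid') {
        $problems += "New certificate status is $($new.Status)"
    }

    # A renewal must actually extend the lifetime.
    if ($new.NotAfter -le $old.NotAfter) {
        $problems += 'New certificate does not expire later than the old one'
    }

    # Every name clients use today must still be covered; a SAN that dropped out of
    # the request is the usual cause of Outlook/ActiveSync errors after a renewal.
    $oldNames = @($old.CertificateDomains | ForEach-Object { "$_" })
    $newNames = @($new.CertificateDomains | ForEach-Object { "$_" })
    $missing = @($oldNames | Where-Object { $newNames -notcontains $_ })
    if ($missing.Count -gt 0) {
        $problems += "Names on old certificate missing from new one: $($missing -join ', ')"
    }

    # Each required service must be bound to the new certificate (step 7 ran here).
    foreach ($svc in $RequiredServices) {
        if ($new.Services -notlike "*$svc*") {
            $problems += "Service $svc is not enabled on the new certificate"
        }
    }

    # The exported .pfx holds the private key and should not remain on disk.
    if (Test-Path $PfxPath) {
        $problems += "Exported private key still on disk: $PfxPath"
    }

    if ($problems.Count -eq 0) {
        Write-Host "OK: $($new.Thumbprint) valid until $($new.NotAfter), covers $($newNames -join ', ')"
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage on each server after step 7 (placeholder thumbprints):
# Test-RenewedExchangeCertificate -OldThumbprint '<old thumbprint>' -NewThumbprint '<new thumbprint>'
```

The function returns $true only when every check passes, so it can gate a later Remove-ExchangeCertificate of the old thumbprint; the SMTP service is deliberately not checked on the old certificate, since Exchange keeps SMTP enabled on several certificates at once and that is not an error.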