Exchange Server certificate changes

 Thank to: https://www.alitajran.com/

Exchange Server certificate changes

    To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).

Table of contents

UNC path inputs not usable

To prevent misuse of UNC paths by attackers, parameters that take UNC paths as inputs will no longer be usable in:

  1. Exchange Admin Center
  2. Exchange Server PowerShell cmdlets

These certificate changes are available in the latest Exchange Server updates:

Exchange Admin Center certificate changes

The following certificate functionality in Exchange Admin Center is removed after upgrading to Exchange Server 2019 CU12 and later and Microsoft Exchange Server 2016 CU23 and later:

  1. Import & Export Exchange Certificate removal
  2. Complete Exchange Certificate Request removal
  3. New Exchange Certificate Request from CA removal
  4. Renew Exchange Certificate Request removal

In the previous versions of Exchange Server, there was an option to import or export the Exchange certificate through Exchange Admin Center.

Exchange Server certificate management changes before

The option to import or export the Exchange certificate through Exchange Admin Center is removed. Instead, you must now use PowerShell cmdlets to import or export the Exchange certificate.

Exchange Server certificate management changes after

Exchange Server PowerShell cmdlets certificate changes

The FileName and RequestFile parameter that takes the UNC path as input is removed from Exchange Server PowerShell cmdlets after upgrading to Exchange Server 2019 CU12 and later and Microsoft Exchange Server 2016 CU23 and later.

The below articles are up to date with the certificate changes. You can follow them to create, renew, import, and export Exchange Certificates:

  1. New-ExchangeCertificate
  2. Import-ExchangeCertificate
  3. Export-ExchangeCertificate

Install Exchange certificate with PowerShell

How to install Exchange certificate with PowerShell? You already have a certificate and you want to install it in Exchange Server. This means that you need to import the certificate in Exchange Server. After the certificate import, assign the certificate to the Exchange services. In a previous article, we showed how to import certificate in Exchange Admin Center. In this article, you will learn how to install Exchange certificate with PowerShell.

Do you have more than one Exchange Server running in the organization? You can use the same certificate for other Exchange Servers.

Table of contents

Install Exchange certificate with PowerShell

Before we start, place the Exchange certificate in a shared folder. Make sure to assign permissions to the folder. For example, the SYSTEM account. If you don’t give permission, you cannot import the certificate, and an error will show up.

Install Exchange certificate with PowerShell

Run Exchange Management Shell as administrator. Run the Import-ExchangeCertificate cmdlet, including the -FileName parameter, to install the Exchange certificate.

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileName "\\ex01-2016\certs\ExchangeCert.pfx" -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......    CN=mail.exoip.com

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). Read more in the article Exchange Server certificate changes.

The -FileName parameter is not available since Exchange Server 2016 CU23 and Exchange Server CU12. Use the -FileData parameter to import the certificate.

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......    CN=mail.exoip.com

The certificate is imported successfully with PowerShell.

Note: The certificate is not yet assigned to Exchange services. You can see that from the dots (…….) in the column Services.

Assign certificate to the Exchange Server services

If the certificate is not assigned to the Exchange Server services, it will do nothing. Assign the certificate with the Enable-ExchangeCertificate cmdlet and the -Services parameter. After running the cmdlet, press Y and press Enter.

[PS] C:\>Enable-ExchangeCertificate -Server "EX01-2016" -Thumbprint 0C4C00B76EB7DB236573BF79258888D32C9B753D -Services SMTP,IMAP,IIS

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: '9BC8DF0DC366A87E2D397DD4CD328D91533346D2' (expires 6/6/2025 8:00:12 PM)
Replace it with certificate: '0C4C00B76EB7DB236573BF79258888D32C9B753D' (expires 9/3/2020 6:22:51 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Verify assigned Exchange certificate

Run Get-ExchangeCertificate cmdlet to verify the assigned services.

Do you like to know more about which certificates are installed on the Exchange Server? Read Get Exchange certificate with PowerShell.

[PS] C:\>Get-ExchangeCertificate -Server "EX01-2016" | select Thumbprint, Services, NotAfter, Subject, CertificateDomains


Thumbprint         : 0C4C00B76EB7DB236573BF79258888D32C9B753D
Services           : IMAP, IIS, SMTP
NotAfter           : 9/3/2020 6:22:51 PM
Subject            : CN=mail.exoip.com
CertificateDomains : {mail.exoip.com, autodiscover.exoip.com}

The certificate is installed in Exchange Server and everything looks great. We can see the certificate assigned to the Exchange services IMAP, IIS, and SMTP.

Did this article help you to import and assign the Exchange certificate with PowerShell?

Conclusion

You learned how to install Exchange certificate with PowerShell. First, import the certificate in Exchange Server. After that, assign the certificate to the Exchange services.

I hope you enjoyed this article. You may also like Update .NET Framework in Exchange Server. Don’t forget to follow us and share this article.

Comentarios

Publicar un comentario

Dime si la información de este blog te sirvio.

Entradas populares de este blog

Configuración de Hairpin NAT (VIP)

Imagen
 Thank to: https://fortixpert.blogspot.com/ Este artículo describe cómo configurar FortiGate para Hairpin con el uso de set match-vip y match-vip-only. En este escenario, tanto el PC como el Servidor están detrás de FortiGate y el PC quiere conectarse al Servidor apuntando a su dirección externa (92.0.2.10) en lugar de la real (10.10.10.10). Esto se llama Hairpin NAT. Solución : La solución dependerá de cómo sea el objeto IP Virtual (VIP). Solución 1 : La interfaz externa en el VIP está configurada a una interfaz particular (en este caso a wan1) #config firewall vip     edit "VIP"         set extip 92.0.2.10         set extintf 'wan1'         set mappedip 10.10.10.10     next end Nota: En este escenario, la IP externa VIP puede ser la misma que la IP de la interfaz (es decir, 92.0.2.2) Se necesitan dos políticas: 1) Una política de entrada con ...
Leer más

Comando FOR para archivos BAT

Gracias a: http://profesoremiliobarco.blogspot.com/ El comando FOR sirve para ejecutar bucles de instrucciones, y es una instrucción que se encuentra disponible en todos los lenguajes de programación. Un bucle son varias repeticiones de algunas instrucciones. Este comando suele ser el más complicado de entender para las personas que empiezan a escribir archivos BAT complejos. Aqui intentaré explicar todas las opciones y usos del comando FOR, así como intentar resolver las dudas que los usuarios de Internet me puedan plantear. La sintaxis normal del comando FOR es: FOR %var IN (lista) DO (      comando     comando      ... )  Pero si lo vamos a usar dentro de un archivo BAT será así: FOR %%var IN (lista) DO (      comando     comando      ... ) Observa que la variable "var" ahora va precedida por dos simbolos de "%". Además, si este for está dentro de un archivo BA...
Leer más

Deshabilitar los métodos HTTP peligrosos como PUT, DELETE y TRACE en Nginx

Imagen
  🔧 Paso 1: Editar el archivo de configuración de Nginx Objetivo: Configurar el servidor Nginx para que rechace solicitudes HTTP que usen los métodos PUT, DELETE y TRACE, devolviendo un código de estado 405 (Method Not Allowed) . ¿Por qué hacerlo? Por razones de seguridad . Algunos métodos HTTP como PUT , DELETE y TRACE pueden representar riesgos si no son utilizados correctamente. Si tu aplicación no los necesita, es recomendable deshabilitarlos. Instrucciones: Abre el archivo de configuración de Nginx. Generalmente se encuentra en: /etc/nginx/nginx.conf O también puede estar dentro del directorio: /etc/nginx/sites-available/ dependiendo de cómo esté estructurada tu instalación. Busca la sección que tenga location / { ... } o agrégala dentro del bloque server { ... } . Dentro de ese bloque, agrega las siguientes condiciones: location / { if ($request_method = PUT) { return 405; } if ($request_method = DELETE) { return 405; } ...
Leer más