Here’s an interesting one I came across today: replacing a certificate on Microsoft Exchange 2016 or 2019 won’t work if the Issuer and Subject of the new certificate are the same as those of the old certificate you are trying to replace. You’d most likely expect that when you replace a certificate the Subject will be the same as the old certificate’s, and unless you are swapping to a new certificate provider, the Issuer name will also be the same.
In my earlier article (https://geekmungus.co.uk/?p=4751) I explained how to replace certificates on Microsoft Exchange. However, within that process, if the certificate you are attempting to replace has the same Issuer and Subject as your new certificate (which is quite likely), you’ll get a message such as:
[PS] C:\Windows\system32>Set-SendConnector "Outbound to Office 365 - 1234345-3cd0-49d6-b8d7-a4baf80d9b37" -TlsCertificateName $TLSCertName
WARNING: The command completed successfully but no settings of 'Outbound to Office 365 - 1234345-3cd0-49d6-b8d7-a4baf80d9b37' have been modified.
Essentially, this is saying it can’t replace the certificate with a new one because it’s the same as the old one. The value compared is built only from the Issuer and Subject, so the logic has no way to work out that they are different certificates, even though they are!
$TLSCert = Get-ExchangeCertificate -Thumbprint "91FADC8C3B133EE2103A2A023A83C99ABB4212D1"
$TLSCertName = "<i>$($TLSCert.Issuer)<s>$($TLSCert.Subject)"
$TLSCertName
<i>CN=R13, O=Let's Encrypt, C=US<s>CN=owa.mydomain.com
$TLSCert = Get-ExchangeCertificate -Thumbprint "85243ECF2248D8C12354DB77DA9F0C1453CFE606"
$TLSCertName = "<i>$($TLSCert.Issuer)<s>$($TLSCert.Subject)"
$TLSCertName
<i>CN=R13, O=Let's Encrypt, C=US<s>CN=owa.mydomain.com
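As an added example (not code from the original post), the check below builds the same "<I>…<S>…" name that Exchange compares for -TlsCertificateName and lists every group of certificates in the Exchange store that resolve to one name, so the collision shown above is visible before any connector is touched. It assumes the Exchange Management Shell is loaded (for Get-ExchangeCertificate); the function names are my own.

```powershell
# Added example, not code from the original post. Requires the Exchange Management Shell.

function Get-TlsCertificateName {
    # Same string the post builds by hand: only Issuer and Subject take part,
    # the thumbprint does not, which is why two different certificates can collide.
    param([Parameter(Mandatory)] $Certificate)
    return "<I>$($Certificate.Issuer)<S>$($Certificate.Subject)"
}

function Find-TlsCertificateNameCollision {
    # Returns one row per <I>..<S>.. name that more than one certificate on the
    # given server resolves to. An empty result means a plain swap will work.
    param([string]$Server = $env:COMPUTERNAME)

    Get-ExchangeCertificate -Server $Server |
        Group-Object -Property { Get-TlsCertificateName $_ } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                TlsCertificateName = $_.Name
                Thumbprints        = ($_.Group | Select-Object -ExpandProperty Thumbprint) -join ', '
                Expires            = ($_.Group | ForEach-Object { $_.NotAfter.ToString('yyyy-MM-dd') }) -join ', '
            }
        }
}

# Run this before Set-SendConnector / Set-ReceiveConnector: any row returned means the
# old and new certificate are indistinguishable to -TlsCertificateName and the
# temporary-certificate procedure is needed.
Find-TlsCertificateNameCollision | Format-Table -AutoSize -Wrap
```

Any row returned is exactly the situation in the output above: two thumbprints, one name. Run it on each server, since the certificate store is per server.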
Resolution
To resolve this, read this document in conjunction with the earlier article (https://geekmungus.co.uk/?p=4751). Essentially, you’ll need to follow this process if the Issuer and Subject on the new certificate are the same as those on the old certificate:
- Create a self-signed temporary certificate (if you do not already have one) – see step 3 for details.
- Swap all Exchange services to use this temporary certificate: POP,IMAP,IIS,SMTP on all Exchange Servers.
- Swap Outbound to Office 365 Send Connector to use this temporary certificate. (Global)
- Swap Receive Connectors on all Exchange Servers to use this temporary certificate.
- Import new target certificate to all Exchange Servers.
- Swap all Exchange services to use your new target certificate: POP,IMAP,IIS,SMTP on all Exchange Servers.
- Swap Outbound to Office 365 Send Connector to use this new target certificate. (Global)
- Swap Receive Connectors on all Exchange Servers to use this new target certificate.
- Verify all is working as expected.
Create/Clone the Legacy Certificate to Create Temporary Certificate
We are going to create a Temporary Certificate by cloning the Legacy Certificate: the clone is generated as a self-signed certificate with the same attributes but a much longer expiry date. Because it is self-signed, its Issuer differs from the Legacy Certificate’s, which is what the later steps in the process rely on. It doesn’t matter that it is self-signed because it’s only temporary and isn’t user facing in a way that they would care about.
Get a date 5 years in the future into a variable, using the DateTime object:
$today = Get-Date
$futureDate = $today.AddYears(5)
Now you need to create/clone the Temporary Certificate with:
PS C:\> Set-Location -Path "cert:\LocalMachine\My"
PS Cert:\LocalMachine\My> $OldCert = (Get-ChildItem -Path 91FADC8C8B133EE2103A2A023A83C99ABB4212D1)
PS Cert:\LocalMachine\My> New-SelfSignedCertificate -CloneCert $OldCert -NotAfter $futureDate
You should get an output like the following:
[PS] Cert:\LocalMachine\My>New-SelfSignedCertificate -CloneCert $OldCert -NotAfter $futureDate

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
85243ECF2258D8C12354DB77DA9F0C1453CFE606  CN=email.sanger.ac.uk
Take a note of the thumbprint, we’ll need that for later steps in the process.
Export, then Import Temporary Certificate to all Exchange Servers
You first need to export this certificate to a PKCS#12 (.pfx) file; it’s easiest to do this from the MMC Certificates snap-in.
1. Find the certificate, right click “Export”.
2. Export as PKCS12, and within the wizard use the following settings:
- include all certificates in the certificate path if possible = ticked
- delete the private key if the export is successful = not ticked
- export all extended properties = ticked
- enable certificate privacy = not ticked
3. You have to set a password to continue.
4. Set the filename as something like: temporary.pfx.
5. Now copy this file to all the other Exchange servers, so it is ready for import.
6. Using the MMC Certificates snap-in, now import the certificate from temporary.pfx into the Computer account’s Personal store, alongside your old certificate(s) and where your target certificate will end up.
7. Update the “Friendly Name” on the certificate to something easily identifiable, e.g. “Temporary Certificate”; you’ll not want to accidentally apply this at some later date.
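The clone, export and import steps above (the “Create/Clone” section and steps 1 to 7), done with the built-in PKI cmdlets instead of the MMC snap-in, as an added example that is not code from the original post. $LegacyThumbprint, $OtherServers and $PfxPath are placeholders to replace; the script assumes an elevated PowerShell on the first Exchange server, that C:\Temp exists on every server, and admin rights to the C$ share of the others.

```powershell
# Added example, not code from the original post: clone / export / import with the PKI cmdlets.
# Placeholders: $LegacyThumbprint, $OtherServers, $PfxPath. Assumes C:\Temp exists on each server.

$LegacyThumbprint = 'LEGACY-CERT-THUMBPRINT-HERE'   # certificate being replaced (placeholder)
$OtherServers     = @('SERVER2')                    # remaining Exchange servers (placeholder)
$PfxPath          = 'C:\Temp\temporary.pfx'
$PfxPassword      = Read-Host -Prompt 'PFX export password' -AsSecureString

# 1. Clone the legacy certificate as a self-signed one valid for 5 years.
#    A self-signed certificate's Issuer equals its own Subject, so its <I>..<S>..
#    name differs from the legacy/target name and Exchange will treat it as a change.
$legacy = Get-Item -Path "Cert:\LocalMachine\My\$LegacyThumbprint"
$temp   = New-SelfSignedCertificate -CloneCert $legacy `
              -CertStoreLocation 'Cert:\LocalMachine\My' `
              -NotAfter (Get-Date).AddYears(5) `
              -FriendlyName 'Temporary Certificate'

# Sanity check before going further: if the names were equal the swap would be a no-op again.
$nameOf = { param($c) "<I>$($c.Issuer)<S>$($c.Subject)" }
if ((& $nameOf $legacy) -eq (& $nameOf $temp)) {
    throw 'Temporary certificate resolves to the same <I>..<S>.. name as the legacy one'
}
Write-Host "Temporary certificate thumbprint: $($temp.Thumbprint)"

# 2. Export with the private key (the private key stays in the local store as well).
Export-PfxCertificate -Cert $temp -FilePath $PfxPath -Password $PfxPassword | Out-Null

# 3. Copy the PFX to each remaining server and import it into the Computer Personal store.
foreach ($server in $OtherServers) {
    Copy-Item -Path $PfxPath -Destination "\\$server\C$\Temp\temporary.pfx"
    Invoke-Command -ComputerName $server -ArgumentList $PfxPassword -ScriptBlock {
        param($password)
        $imported = Import-PfxCertificate -FilePath 'C:\Temp\temporary.pfx' `
                        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $password -Exportable
        # Step 7 above: give it a friendly name nobody will apply by accident later.
        (Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)").FriendlyName = 'Temporary Certificate'
        "[$env:COMPUTERNAME] imported $($imported.Thumbprint)"
    }
}
```

The thumbprint printed after the clone is the one the later Enable-ExchangeCertificate and Set-*Connector steps for the temporary certificate need. Delete the PFX copies once every server has imported it, since the file carries the private key.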
Apply New Target Certificate to all Services Except SMTP
We now need to assign the New Target Certificate to Exchange. The command needs to be run on each Exchange server individually to assign the new certificate, replacing the Legacy Certificate for the specific services POP, IMAP and IIS (HTTP/HTTPS), but not SMTP.
Enable-ExchangeCertificate -Thumbprint "7A46B8F6DDB3F258A498F78A9C3280ECE2E9D847" -Services POP,IMAP,IIS -Server SERVER1
Enable-ExchangeCertificate -Thumbprint "7A46B8F6DDB3F258A498F78A9C3280ECE2E9D847" -Services POP,IMAP,IIS -Server SERVER2
Apply Temporary Certificate to only SMTP
We’ll now apply the Temporary Certificate to the SMTP service as follows:
Enable-ExchangeCertificate -Thumbprint "85243ECF2257D8C12354DB77DA9F0C1453CFE606" -Services SMTP -Server SERVER1
Enable-ExchangeCertificate -Thumbprint "85243ECF2257D8C12354DB77DA9F0C1453CFE606" -Services SMTP -Server SERVER2
Microsoft Exchange Server – SMTP Send and Receive Connectors
Now we can replace the certificates on the SMTP service and the connectors with our temporary one. Once that is done, we can remove the legacy certificate and then apply the new one!
Set TLSCertName Variable for Temporary Certificate
Get hold of the thumbprint from the GUI.
$TLSCert = Get-ExchangeCertificate -Thumbprint "7A4648F6DDA3F258A498F78A9C3280ECE2E9D847"
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
Set TLS Certificate the Temporary Certificate on Send Connector (Microsoft 365 – Outbound to Office 365 – 47b7454e-3cd0-49d6-b8d7-a4baf80d9b37)
The Send Connector called “Outbound to Office 365 – 47b7454e-3cd0-49d6-b8d7-a4baf80d9b37” is used to send emails to mailboxes hosted in Microsoft 365. It is a scoped send connector, which means only emails to particular domains (i.e. those within the Exchange organisation) will use it. The connector is considered “global”, i.e. it is not server specific and applies to all routing in the Exchange organisation.
Set-SendConnector "Outbound to Office 365 - 47b7454e-3cd0-49d6-b8d7-a4baf80d9b37" -TlsCertificateName $TLSCertName
Configure Temporary Certificate on Receive Connectors
Now that we have all the names of the receive connectors, we update the Temporary Certificate on all of them by running the following commands; these can be run from one Microsoft Exchange Server.
Set-ReceiveConnector "WTGC-EXCH-1601A\Default Frontend WTGC-EXCH-1601A" -TlsCertificateName $TLSCertName
Set-ReceiveConnector "WTGC-EXCH-1601B\Default Frontend WTGC-EXCH-1601B" -TlsCertificateName $TLSCertName
Delete Legacy Certificate from all Exchange Servers
Now delete the Legacy Certificate from each Microsoft Exchange Server. This certificate poses a problem because its Issuer and Subject are the same as the New Target Certificate’s Issuer and Subject, which therefore blocks the replacement!
It is recommended to delete this certificate via the MMC Certificate Snap-in.
Find the relevant certificate, right click, then delete.
There should be no effect on running services because this certificate is not in use.
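A check to run before deleting, as an added example that is not code from the original post: it reports anything on the given servers that still points at the legacy certificate, either an Exchange service binding or a Send/Receive connector whose TlsCertificateName resolves to the same "<I>…<S>…" name. It assumes the Exchange Management Shell; the function name and the thumbprint/server placeholders are mine.

```powershell
# Added example, not code from the original post. Requires the Exchange Management Shell.
# Lists service bindings and connector references that still resolve to the certificate
# with $Thumbprint. Run it before deleting the legacy certificate.

function Get-CertificateReferences {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string[]]$Servers = @($env:COMPUTERNAME)
    )
    $findings = @()
    $name     = $null

    foreach ($server in $Servers) {
        $cert = Get-ExchangeCertificate -Server $server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
        if (-not $cert) { continue }
        $name = "<I>$($cert.Issuer)<S>$($cert.Subject)"

        # POP/IMAP/IIS bindings should already have moved (Enable-ExchangeCertificate
        # replaces them). SMTP stays listed on older certificates because Exchange does
        # not unbind it, so it is reported separately as informational.
        $services = "$($cert.Services)" -split ',\s*'
        $blocking = $services | Where-Object { $_ -notin @('None', 'SMTP') }
        if ($blocking) { $findings += "[$server] still bound to: $($blocking -join ', ')" }
        if ($services -contains 'SMTP') {
            $findings += "[$server] info: SMTP still listed (expected until the certificate is removed)"
        }

        # Receive connectors are per server and reference the certificate by name,
        # so any certificate with the same Issuer/Subject matches here.
        Get-ReceiveConnector -Server $server |
            Where-Object { $_.TlsCertificateName -and "$($_.TlsCertificateName)" -eq $name } |
            ForEach-Object { $findings += "[$server] receive connector '$($_.Identity)' uses $name" }
    }

    # Send connectors are organisation-wide, so check them once.
    if ($name) {
        Get-SendConnector |
            Where-Object { $_.TlsCertificateName -and "$($_.TlsCertificateName)" -eq $name } |
            ForEach-Object { $findings += "send connector '$($_.Identity)' uses $name" }
    }
    return $findings
}

# Usage: nothing returned apart from the SMTP info lines means no service or connector
# still references the legacy certificate and it can be deleted from each server.
Get-CertificateReferences -Thumbprint 'LEGACY-CERT-THUMBPRINT-HERE' -Servers 'SERVER1', 'SERVER2'
```

Because connectors reference certificates by name rather than thumbprint, a connector still on the legacy name at this point would silently start using the New Target Certificate once it is installed, which is harmless, but one still on the name while neither certificate is present would fail TLS; the check catches both.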
Apply New Target Certificate to only SMTP
We’ll now apply the New Target Certificate to the SMTP service as follows:
Enable-ExchangeCertificate -Thumbprint "91FADC8C4B133EE2103A2A523A83C99ABB4212D1" -Services SMTP -Server SERVER1
Enable-ExchangeCertificate -Thumbprint "91FADC8C4B133EE2103A2A523A83C99ABB4212D1" -Services SMTP -Server SERVER2
Set TLSCertName Variable for New Target Certificate
Get hold of the thumbprint from the GUI.
$TLSCert = Get-ExchangeCertificate -Thumbprint "91FADC8C4B133EE2103A2A523A83C99ABB4212D1"
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
Set New Target Certificate (TLS) on Send Connector (Microsoft 365 – Outbound to Office 365 – 12345676-3cd0-49d6-b8d7-a4baf80d9b37)
The Send Connector called “Outbound to Office 365 – 12345676-3cd0-49d6-b8d7-a4baf80d9b37” is used to send emails to mailboxes hosted in Microsoft 365. It is a scoped send connector, which means only emails to particular domains (i.e. those within the Exchange organisation) will use it.
The connector is considered “global”, i.e. it is not server specific and applies to all routing in the Exchange organisation.
Set-SendConnector "Outbound to Office 365 - 12345676-3cd0-49d6-b8d7-a4baf80d9b37" -TlsCertificateName $TLSCertName
Now the certificate has been replaced on the Send Connector used to send to Microsoft Exchange Online (M365), and outbound email should now be flowing OK.
Configure New Target Certificate (TLS) on Receive Connectors
Now that we have all the names of the receive connectors, we update the New Target Certificate on all of them by running the following commands; these can be run from one Microsoft Exchange Server, but will apply to all Exchange Servers.
Set-ReceiveConnector "WTGC-EXCH-1601A\Default Frontend WTGC-EXCH-1601A" -TlsCertificateName $TLSCertName
Set-ReceiveConnector "WTGC-EXCH-1601B\Default Frontend WTGC-EXCH-1601B" -TlsCertificateName $TLSCertName
Verify Mail Flow
You have completed the steps to configure the New Target Certificate; now ensure that the following is working:
- Inbound email flow from Microsoft 365 Exchange Online.
- Outbound email flow to Microsoft 365 Exchange Online.
- User access to on-premise Exchange via Outlook Client(s), IMAP(S), SMTP(S) and OWA.
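A way to confirm the swap from the outside, as an added example that is not code from the original post: connect to each server’s SMTP (STARTTLS on port 25) and HTTPS (port 443) endpoints and compare the certificate actually presented with the New Target thumbprint. The server names and $ExpectedThumbprint are placeholders; certificate validation is deliberately switched off in the callback because the aim is to inspect what is served, not to trust it. The SMTP certificate you see is the one selected by the receive connector that accepted the connection, so this checks the Set-ReceiveConnector step as well as Enable-ExchangeCertificate.

```powershell
# Added example, not code from the original post. Plain .NET sockets, no Exchange cmdlets needed,
# so it can run from any Windows machine that can reach ports 25 and 443 on the servers.

# Accept whatever certificate is presented; we only want to look at it.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }

function Read-SmtpReply {
    # Reads one SMTP reply, including "250-..." continuation lines; returns the final line.
    param([System.IO.StreamReader]$Reader)
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Get-SmtpStartTlsCertificate {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = 'tlscheck.example')
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream)
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $null = Read-SmtpReply $reader                        # 220 banner
        $writer.WriteLine("EHLO $HeloName"); $null = Read-SmtpReply $reader
        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if (-not $reply.StartsWith('220')) { throw "${Server}: STARTTLS refused: $reply" }

        $ssl = [System.Net.Security.SslStream]::new($stream, $false, $acceptAny)
        $ssl.AuthenticateAsClient($Server)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-HttpsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)                   # HostName is also sent as SNI
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-ServedCertificate {
    # One row per server: which certificate each endpoint presents and whether it is the expected one.
    param([string[]]$Servers, [string]$ExpectedThumbprint)
    foreach ($server in $Servers) {
        $smtp  = Get-SmtpStartTlsCertificate -Server $server
        $https = Get-HttpsCertificate -HostName $server
        [pscustomobject]@{
            Server    = $server
            SmtpOk    = ($smtp.Thumbprint -eq $ExpectedThumbprint)
            SmtpCert  = "$($smtp.Thumbprint) $($smtp.Subject) exp $($smtp.NotAfter.ToString('yyyy-MM-dd'))"
            HttpsOk   = ($https.Thumbprint -eq $ExpectedThumbprint)
            HttpsCert = "$($https.Thumbprint) $($https.Subject) exp $($https.NotAfter.ToString('yyyy-MM-dd'))"
        }
    }
}

Test-ServedCertificate -Servers 'SERVER1', 'SERVER2' -ExpectedThumbprint 'NEW-TARGET-THUMBPRINT-HERE' |
    Format-Table -AutoSize -Wrap
```

A row with SmtpOk false but HttpsOk true usually means the receive connector on that server is still pointing at the temporary certificate’s name; a row where the SMTP certificate is self-signed and expires years out is the temporary certificate still being served.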