Automate Exchange Certificate renewal with Let's Encrypt

Hi All,

My old TLS certificate from GoDaddy expired a few days ago. I have already used "Let's Encrypt" certificates for Exchange in some test environments.

Today I want to show you how to set it up initially and then use a script to renew the certificate on a regular basis.

Initial Setup

First of all you need an ACME client that can handle the "Let's Encrypt" certificate request. There are plenty of alternatives out there; I have decided to use the PowerShell module Posh-ACME.

First you need to install the PowerShell module (the third command just confirms it is installed):

Find-Module Posh-ACME
Install-Module Posh-ACME
Get-InstalledModule Posh-ACME

Next you need to select the ACME server. "LE_PROD" selects the Let's Encrypt production environment; "LE_STAGE" is the staging environment, which issues untrusted test certificates but lets you try the whole procedure without consuming production rate limits.

  • LE_PROD (LetsEncrypt Production v2)
  • LE_STAGE (LetsEncrypt Staging v2)
Get-PAServer
Set-PAServer LE_Prod
Get-PAServer

Now we create an ACME account for the certificate request. The parameter is -KeyLength (4096-bit RSA here); the contact address is where Let's Encrypt sends expiry warnings.

New-PAAccount -Contact a.bohren@icewolf.ch -AcceptTOS -KeyLength 4096

With the following command we request a new certificate. Initially you have to prove your domain ownership via a DNS TXT record (the dns-01 challenge). Because no DNS plugin is given, Posh-ACME uses its Manual plugin: it prints the TXT record you have to create and waits until you confirm, then sleeps -DnsSleep seconds before asking Let's Encrypt to validate.

New-PACertificate mail.icewolf.ch -AcceptTOS -Contact "a.bohren@icewolf.ch" -DnsSleep 15

I was able to create the TXT record immediately and complete the verification.

If that is not the case in your environment, you can use "Get-PAOrder" and "Submit-ChallengeValidation" to continue the pending order later.

Let's have a look at the certificate. We keep the object in $Cert because the PFX path and password are needed in the next step.

$Cert = Get-PACertificate
$Cert | fl

We can import the PFX certificate into the Local Machine certificate store. $Cert.PfxPass is already a SecureString, so it can be passed to -Password directly. -Exportable marks the private key as exportable; you only need that if you want to export the certificate again, for example to other Exchange servers.

Import-PfxCertificate -FilePath $Cert.PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $Cert.PfxPass -Exportable

Let’s connect to Exchange and Enable the new Certificate in Exchange for SMTP and Webserver.

#Connect Exchange
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://icesrv06.corp.icewolf.ch/PowerShell/ -Authentication Kerberos
Import-PSSession -Session $ExSession -DisableNameChecking | Out-Null

#Enable-ExchangeCertificate
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS,SMTP -Force

#Remove PSSession
Remove-PSSession $ExSession

Automate Renewal

After a renewal there are two certificates with the same subject in the store, and the unused (older) one needs to be removed. So let's check how we can figure out the oldest certificate for a specific subject.

Sort-Object on the NotAfter property will do the trick: ascending order puts the certificate that expires first at the top.

###############################################################################
# List Certificates
###############################################################################
$CertArray = Get-ChildItem cert:\localMachine\my | where {$_.subject -eq "CN=mail.icewolf.ch"}
$CertArray | fl
$CertArray | Sort-Object NotAfter | ft Subject, Thumbprint, NotBefore, NotAfter

I only need the thumbprint. So I sort the result, assign the sorted array back (Sort-Object does not sort in place), take the first entry and read the thumbprint from there.

$CertArray = Get-ChildItem cert:\localMachine\my | where {$_.subject -eq "CN=mail.icewolf.ch"}
$CertArray = $CertArray | Sort-Object NotAfter
$Thumbprint = $CertArray[0].Thumbprint
$Thumbprint

This is the whole script. As I am in Hybrid with Exchange Online, I need to remove the certificate from the Office 365 send connector first to be able to remove the old certificate in Exchange. After the old certificate has been removed I add the new certificate back to the Office 365 send connector, using the "<i>Issuer<s>Subject" form that TlsCertificateName expects.

Be aware that it does not contain any error handling nor notifications.

###############################################################################
# Submit-Renewal
###############################################################################
Import-Module Posh-ACME

#Renew Certificate
Submit-Renewal mail.icewolf.ch -NoSkipManualDns -Force
$Cert = Get-PACertificate

#Import PFX to LocalMachine Certificate Store
Import-PfxCertificate -FilePath $Cert.PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $Cert.PfxPass -Exportable

#Connect Exchange
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://icesrv06.corp.icewolf.ch/PowerShell/ -Authentication Kerberos
Import-PSSession -Session $ExSession -DisableNameChecking | Out-Null

#Enable-ExchangeCertificate
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS,SMTP -Force

#Remove the Certificate from O365 Send Connector
Set-SendConnector -Identity "Outbound to Office 365 - bf13fea0-cf38-46f6-bab7-f8553f07f3dc" -TlsCertificateName $Null

#Remove Old Certificate
$CertArray = Get-ChildItem cert:\localMachine\my | where {$_.subject -eq "CN=mail.icewolf.ch"}
$CertArray = $CertArray | Sort-Object NotAfter
$Thumbprint = $CertArray[0].Thumbprint
Remove-ExchangeCertificate -Thumbprint $Thumbprint -Confirm:$false

#Set Certificate for O365 Send Connector
$ExCert = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
$tlscertificatename = "<i>$($ExCert.Issuer)<s>$($ExCert.Subject)"
Set-SendConnector -Identity "Outbound to Office 365 - bf13fea0-cf38-46f6-bab7-f8553f07f3dc" -TlsCertificateName $tlscertificatename

#Remove PSSession
Remove-PSSession $ExSession
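As an added example that is not part of the original post, here is the same renewal job with the checks a scheduled, unattended run needs: it only continues when Submit-Renewal actually returns a new certificate (so a day on which nothing was renewed neither re-imports nor removes anything), it verifies that the new certificate is enabled for IIS and SMTP before the old one is touched, and it never removes the thumbprint it has just enabled. The host name, connection URI and send connector name are taken from the post; the log path and the POSHACME_HOME location are assumptions for your own environment. Keep in mind that an order created with the Manual DNS plugin, as above, still pauses for the TXT record even with -NoSkipManualDns; a truly unattended run needs the order created with a DNS provider plugin (-Plugin and -PluginArgs on New-PACertificate).

```powershell
# Added example (not the author's script). Assumes Posh-ACME is already set up as in the post
# and that the script runs on the Exchange server under an account with Exchange admin rights.
Import-Module Posh-ACME

$Domain        = "mail.icewolf.ch"
$ExchangeUri   = "http://icesrv06.corp.icewolf.ch/PowerShell/"
$SendConnector = "Outbound to Office 365 - bf13fea0-cf38-46f6-bab7-f8553f07f3dc"
$LogFile       = "C:\Scripts\Logs\Renew-ExchangeCert.log"   # assumed path

# Posh-ACME keeps account and order state in $env:LOCALAPPDATA\Posh-ACME of the user that
# ran New-PACertificate. A scheduled task running as another account must point
# POSHACME_HOME at that state (or the setup is repeated under the task account).
# $env:POSHACME_HOME = "C:\ProgramData\Posh-ACME"

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
Start-Transcript -Path $LogFile -Append
$Failed = $false

try {
    # Without -Force, Submit-Renewal only renews inside the renewal window and returns
    # nothing otherwise, so a daily run does not burn Let's Encrypt's duplicate
    # certificate rate limit and stops right here when there is nothing to do.
    $Cert = Submit-Renewal -MainDomain $Domain -NoSkipManualDns
    if (-not $Cert) {
        Write-Host "Certificate for $Domain is not yet due for renewal."
        return
    }

    # Idempotent import: skip if this thumbprint is already in the machine store
    # (for example a re-run after a failed Exchange step).
    if (-not (Test-Path "Cert:\LocalMachine\My\$($Cert.Thumbprint)")) {
        # The full-chain PFX also carries the Let's Encrypt intermediate, so the
        # server can present a complete chain to SMTP peers that do not fetch it.
        Import-PfxCertificate -FilePath $Cert.PfxFullChain -CertStoreLocation Cert:\LocalMachine\My -Password $Cert.PfxPass | Out-Null
    }

    $ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri -Authentication Kerberos
    Import-PSSession -Session $ExSession -DisableNameChecking -AllowClobber | Out-Null

    Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS,SMTP -Force

    # Verify Exchange really serves the new certificate before anything is removed.
    $Active   = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
    $Services = "$($Active.Services)"
    if ($Services -notmatch "IIS" -or $Services -notmatch "SMTP") {
        throw "New certificate $($Cert.Thumbprint) is not enabled for IIS and SMTP ($Services); leaving the old certificate in place."
    }

    # Remove every older certificate with the same subject, oldest first, but never
    # the one that was just enabled, regardless of how the sort comes out.
    $Old = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Domain" -and $_.Thumbprint -ne $Cert.Thumbprint } |
        Sort-Object NotAfter
    if ($Old) {
        # Exchange keeps a certificate referenced by a send connector, so clear it first.
        Set-SendConnector -Identity $SendConnector -TlsCertificateName $null
        foreach ($c in $Old) {
            Write-Host "Removing $($c.Thumbprint) (expires $($c.NotAfter))"
            Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
        }
    }

    # Point the send connector at the new certificate using the <i>Issuer<s>Subject form.
    $ExCert = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
    $TlsCertificateName = "<i>$($ExCert.Issuer)<s>$($ExCert.Subject)"
    Set-SendConnector -Identity $SendConnector -TlsCertificateName $TlsCertificateName
    Write-Host "Send connector $SendConnector now uses $TlsCertificateName"
}
catch {
    Write-Error $_
    $Failed = $true
}
finally {
    if ($ExSession) { Remove-PSSession $ExSession }
    Stop-Transcript
}

# A non-zero exit code lets the scheduled task (or monitoring) see the failure.
if ($Failed) { exit 1 }
```

Run it daily from a scheduled task with "powershell.exe -NonInteractive -File" and the transcript gives you the missing notification trail: a successful renewal logs the removed and newly enabled thumbprints, and any failure leaves the old certificate in place and exits with code 1.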

This is the Result in Exchange

Regards
Andres Bohren
