Exchange Version 2010
1) Prepare .pfx file
pfx = crt + key + ca-bundle
2) Import to Exchange
Exchange Management Console > Server configuration > "Import Exchange Certificate..."
OR
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\p7-xxxxxxxxx-yyyy.p7b -Encoding byte -ReadCount 0))
3) Get the "Thumbprint" number of your certificate with the command:
Get-ExchangeCertificate | fl
AccessRules : ...
CertificateDomains : {*.DOMAIN, DOMAIN}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Sectigo RSA Domain Validation Secure
ter, C=GB
NotAfter : 12/12/2023 7:59:59 AM
NotBefore : 11/11/2022 8:00:00 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : ...
Services : IIS, SMTP
Status : Valid
Subject : CN=*.DOMAIN
Thumbprint : ...
4) Activate your certificate on services:
# This method only applies to a Single Domain Certificate
Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
5) Test 587, IMAP, POP3
Extract the crt the service is currently using
remote=R.R.R.R
# OpenSSL 1.1.1k FIPS 25 Mar 2021
openssl s_client -tls1 -connect $remote:587 -starttls smtp > tmp.txt < /dev/null # smtp
openssl s_client -tls1 -connect $remote:993 > tmp.txt < /dev/null # imaps
openssl s_client -tls1 -connect $remote:995 > tmp.txt < /dev/null # pop3s
Decode crt
openssl x509 -noout -text -in tmp.txt | less
Wildcard SSL Certificate
Enable-ExchangeCertificate -Thumbprint ? -Services POP
Enable-ExchangeCertificate -Thumbprint ? -Services IMAP
Enable-ExchangeCertificate -Thumbprint ? -Services IIS
Enable-ExchangeCertificate -Thumbprint ? -Services None
WARNING: This certificate with thumbprint ? and subject '*.datahunter.org' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.
Set FQDN for POP service to fix the error:
[PS]> Set-POPSettings -X509CertificateName mail.datahunter.org
[PS]> Set-IMAPSettings -X509CertificateName mail.datahunter.org
# Check X509CertificateName
[PS]> Get-POPSettings
UnencryptedOrTLSBindings SSLBindings           LoginType   X509CertificateName
------------------------ -----------           ---------   -------------------
{:::110, 0.0.0.0:110}    {:::995, 0.0.0.0:995} SecureLogin mail.datahunter.org
[PS]> Get-IMAPSettings
# Restart Service
[PS]> Restart-service MSExchangePOP3
[PS]> Restart-service MSExchangeIMAP4
[PS]> Restart-service MSExchangeMailSubmission
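The steps above (take the Thumbprint, fix the wildcard FQDN for POP/IMAP, enable the services, restart) as one Exchange Management Shell script. This is an added example, not part of the original page; it assumes $Thumbprint is the value copied from Get-ExchangeCertificate and that mail.datahunter.org is the FQDN clients connect to.

```powershell
# Added example: activate an imported certificate on Exchange 2010 services
# with the pre-flight checks and the wildcard/FQDN fix described above.
# Assumption: $Thumbprint comes from "Get-ExchangeCertificate | fl".
param(
    [Parameter(Mandatory=$true)][string]$Thumbprint,
    [string]$ServiceFqdn = "mail.datahunter.org"   # assumed client-facing FQDN
)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint

# Pre-flight: the .pfx must have carried the private key, the chain (ca-bundle)
# must validate, and a certificate close to expiry is not worth enabling.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; re-import the .pfx (crt + key + ca-bundle)."
}
if ($cert.Status -ne "Valid") {
    throw "Certificate status is '$($cert.Status)', not Valid; check the CA bundle."
}
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 14) {
    Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter))."
}

# A wildcard subject (CN=*.DOMAIN) is not an FQDN, so POP and IMAP refuse it
# until X509CertificateName names the host that clients actually connect to.
if ($cert.Subject.StartsWith("CN=*")) {
    Set-POPSettings  -X509CertificateName $ServiceFqdn
    Set-IMAPSettings -X509CertificateName $ServiceFqdn
}

# Bind the certificate to the services; -Force suppresses the confirmation
# prompt when the existing SMTP certificate is overwritten.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services "SMTP, IMAP, POP, IIS" -Force

# POP and IMAP only present the new certificate after a service restart.
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# Show what is now bound, to compare against the openssl s_client check in step 5.
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint
```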
Update SSL Certificate
A certificate with the thumbprint ... already exists
Use the MMC snap-in "Certificates" (Local Computer) to remove the old certificate from "Personal/Certificates", then import the new one again
Exchange Version 2007
# Import the SSL Certificate
Import-ExchangeCertificate -Path C:\mydomain.cer
# Enable SSL on SMTP, IMAP, POP, IIS Service
Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
OR
Enable-ExchangeCertificate -Thumbprint thumbprint -Services "SMTP, IMAP, POP, IIS"
# To verify that your certificate is running and enabled run the command:
Get-ExchangeCertificate -DomainName server.domain.com