Hi,
Is there any documentation or has anyone successfully deployed CTW in an Exchange hybrid environment? Since the certificate is bound to the send connector, is it possible to automatically update this binding each time Certify auto-renews the certificate?
Thanks
We don't have a guide for that ourselves (we're not really Exchange administrators), but if you can script it with PowerShell you can generally make it happen: Scripting | Certify The Web Docs
Sometimes permissions/auth can be tricky, but in the worst (but arguably more flexible) case you can export the PFX file to a pick-up folder and have a Windows scheduled task run a script regularly; that script can then run if it sees the file, then remove the file when it's done (or you can run the script during maintenance windows).
Hi,
I know this is a year down the track, but I hope this helps anyone else who needs it. Figured it might be worthwhile even at the risk of reviving an old thread.
You will need to change Certify to run as a service account so it can create the PSSession (I did not have any luck with this working using Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010).
Andy
param($result)

# Log file location
$LogFile = "C:\Scripts\Update-ExchangeSendConnector.log"
# Send connector
$outConnectorName = "Outbound to Office 365 - xxxxxx-xxxxx-xxxx-xxxx-xxxxxxx"
# Receive connector
$inConnectorName = "Default Frontend SVR-01"
# Exchange server name
$servername = "SVR-01"

function Write-Log {
    param([string]$Message)
    $timestamp = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss")
    $entry = "$timestamp - $Message"
    Write-Host $entry
    Add-Content -Path $LogFile -Value $entry
}

Write-Log "==== Script started ===="

$Session = $null
try {
    if (-not $result -or -not $result.ManagedItem.CertificateThumbprintHash) {
        throw "Certify result object or thumbprint is missing."
    }
    $Thumbprint = $result.ManagedItem.CertificateThumbprintHash.Replace(" ", "").ToLower()
    Write-Log "Using certificate thumbprint: $Thumbprint"

    # Create PowerShell session to the Exchange server (Kerberos, so the running account matters)
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$servername/PowerShell/ -Authentication Kerberos
    Import-PSSession $Session

    # Get certificate
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    Write-Log "Certificate Thumbprint: $($cert.Thumbprint)"

    # Form certificate name (Exchange binds connectors by Issuer + Subject, not by thumbprint)
    $tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
    Write-Log "TLS Certificate Name: $TlsCertificateName"

    # Set Send and Receive connector to a temp cert as you can't replace with the same certificate name
    # (thumbprint of some other certificate already present in the store)
    $tempcert = Get-ExchangeCertificate -Thumbprint ae44f480380e00d2929102b61efc87f36274da51
    $temptlscertificatename = "<i>$($tempcert.Issuer)<s>$($tempcert.Subject)"
    Set-SendConnector $outConnectorName -TlsCertificateName $temptlscertificatename -ErrorAction Stop
    Set-ReceiveConnector $inConnectorName -TlsCertificateName $temptlscertificatename -ErrorAction Stop

    # Set to real certificate
    Set-SendConnector $outConnectorName -TlsCertificateName $TlsCertificateName -ErrorAction Stop
    Set-ReceiveConnector $inConnectorName -TlsCertificateName $TlsCertificateName -ErrorAction Stop

    # Enable for SMTP and restart transport so the new certificate is picked up
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP
    Restart-Service MSExchangeTransport
    Restart-Service MSExchangeFrontEndTransport
    Write-Log "Successfully updated Send Connector"
}
catch {
    Write-Log "ERROR: $_"
    throw
}
finally {
    # Always tear down the remote session, even on failure
    if ($Session) { Remove-PSSession $Session }
}

Write-Log "==== Script finished ===="
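The following puts the pick-up-folder approach from the Certify reply together with the connector update from Andy's script, as an added example for this thread; it is not code from the posts above or from Certify The Web. It runs on the Exchange server from a Windows scheduled task under an account that has the Exchange RBAC rights for the connector cmdlets. It assumes a Certify deployment task (or script hook) writes the renewed PFX into C:\CertPickup, that the PFX password was saved once by that task account with ConvertFrom-SecureString, and placeholder connector and server names; all of those are assumptions to adjust. The `<I>Issuer<S>Subject` form of the connector name follows Microsoft's Set-SendConnector documentation.

```powershell
# Added example for this thread, not code from Certify The Web or from the posts above.
# Runs from a Windows scheduled task: picks up a renewed PFX, imports it, rebinds the
# Exchange send/receive connectors by TlsCertificateName, checks the result, removes the file.
# Paths, names and the password file below are assumptions; change them for your environment.
param(
    [string]$PickupDir        = 'C:\CertPickup',
    [string]$PasswordFile     = 'C:\CertPickup\pfx-password.txt',
    [string]$ServerName       = 'SVR-01',
    [string]$SendConnector    = 'Outbound to Office 365',
    [string]$ReceiveConnector = 'Default Frontend SVR-01',
    [string]$LogFile          = 'C:\CertPickup\Update-ExchangeConnectors.log'
)

$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    $entry = '{0:yyyy-MM-dd HH:mm:ss} - {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $entry
    Write-Host $entry
}

# Exchange binds a connector to "<I>Issuer<S>Subject", not to a thumbprint.
function Get-TlsCertificateName($Cert) {
    "<I>$($Cert.Issuer)<S>$($Cert.Subject)"
}

# Nothing to do unless a PFX is waiting; take the newest if several are.
$pfx = Get-ChildItem -Path $PickupDir -Filter '*.pfx' -File |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $pfx) { return }

Write-Log "Found $($pfx.FullName)"
$session = $null
try {
    # The password file was written once, as the account the task runs under, with:
    #   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PasswordFile
    # ConvertFrom-SecureString protects it with DPAPI, so only that account can read it back.
    $pfxPassword = Get-Content -Path $PasswordFile | ConvertTo-SecureString

    # Import into the machine store (the private key stays non-exportable by default).
    $imported = Import-PfxCertificate -FilePath $pfx.FullName `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
    $thumbprint = $imported.Thumbprint
    Write-Log "Imported $thumbprint, subject $($imported.Subject), expires $($imported.NotAfter)"

    # Remote Exchange shell; Kerberos means the task account, not a stored password, is what matters.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$ServerName/PowerShell/" -Authentication Kerberos
    Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

    $cert    = Get-ExchangeCertificate -Thumbprint $thumbprint
    $tlsName = Get-TlsCertificateName $cert

    Enable-ExchangeCertificate -Thumbprint $thumbprint -Services SMTP -Force
    Set-SendConnector    -Identity $SendConnector    -TlsCertificateName $tlsName
    Set-ReceiveConnector -Identity $ReceiveConnector -TlsCertificateName $tlsName

    # Verify rather than assume: the certificate must now list SMTP, and the bindings
    # read back from Exchange should match the name that was set.
    $cert = Get-ExchangeCertificate -Thumbprint $thumbprint
    if ("$($cert.Services)" -notmatch 'SMTP') {
        throw "Certificate $thumbprint is not enabled for SMTP"
    }
    foreach ($bound in @((Get-SendConnector -Identity $SendConnector).TlsCertificateName,
                         (Get-ReceiveConnector -Identity $ReceiveConnector).TlsCertificateName)) {
        Write-Log "Connector now bound to: $bound"
        if ("$bound" -ne $tlsName) { Write-Log "WARNING: binding differs from expected '$tlsName'" }
    }

    # Older certificates with the same subject still in the store also match that name;
    # list them so the admin can remove them once nothing else (e.g. IIS) uses them.
    Get-ExchangeCertificate |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $thumbprint } |
        ForEach-Object { Write-Log "NOTE: older certificate with same subject: $($_.Thumbprint) (expires $($_.NotAfter))" }

    # Restart transport so the running services pick up the new certificate.
    Restart-Service MSExchangeTransport
    Restart-Service MSExchangeFrontEndTransport

    # Only remove the pick-up file after everything above succeeded.
    Remove-Item -Path $pfx.FullName -Force
    Write-Log "Finished: connectors bound to $thumbprint"
}
catch {
    Write-Log "ERROR: $_"
    throw
}
finally {
    if ($session) { Remove-PSSession $session }
}
```

Register it with Register-ScheduledTask (action `powershell.exe -NoProfile -ExecutionPolicy Bypass -File <path to this script>`, a daily or hourly trigger, `-RunLevel Highest`, and the service account as the task principal). The pick-up folder should be writable only by Certify's service account and the task account, since whoever can drop a PFX there can change which certificate the connectors trust; the file is deleted only after the import, binding and verification all succeed, so a failed run leaves it in place for the next attempt and for inspection.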
Thanks. Note that running Certify as another account comes with the caveat that any Windows DPAPI operations (encryption of stored credentials like ACME accounts and DNS credentials) will reset, and in 6.x when you run an update the service will reset to Local System and you must set it back manually. In 7.x we now leave the service in place so the selected service account persists (and you can install without starting the service, giving you a chance to set the preferred account).
Did you try this script with Launch as New Process? That works differently to the in-process PowerShell hosting (6.x runs PS 5.1 in process, 7.x currently runs PS 7.x in process).