Getting certificate on other Exchange DAG nodes?

Is there a way to get a certificate onto a secondary server? This is a 2-node Exchange DAG, and the second node needs the certificate installed as well, in case there is a fail-over and it takes over servicing client connections.

I’m thinking there may be a way to script it somehow?


The easiest method, if your setup allows it, is to use the Deploy to CCS task to a share or UNC path, then configure Central Certificate Store. Alternatives would include things like a simple file copy to the other server, then running a script there during the usual maintenance window.

Our standard Exchange script (customised for running via Certify) is:

param($result, $services, [switch] $cleanupPreviousCerts = $false)

# enable powershell snap-in for Exchange 2010 upwards
Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010

Write-Host "Enabling Certificate for Exchange services.."
# tell Exchange which services to use this certificate for, force accept certificate to avoid command line prompt
Enable-ExchangeCertificate -Thumbprint $result.ManagedItem.CertificateThumbprintHash -Services $services -Force -ErrorAction Stop

Write-Host "Certificate set OK for services."

if ($cleanupPreviousCerts -eq $true)
{
	Write-Host "Cleaning up previous certs in Exchange"
	# remove any other certificate issued for this primary domain, keeping only the one just enabled
	$newCertThumbprint = $result.ManagedItem.CertificateThumbprintHash
	Get-ExchangeCertificate -DomainName $result.ManagedItem.RequestConfig.PrimaryDomain | Where-Object -FilterScript { $_.Thumbprint -ne $newCertThumbprint } | Remove-ExchangeCertificate -Confirm:$false
}

Hi, webprofusion,

I was initially thinking I’d end up using PowerShell to export the certificate from the node that’s running Certify The Web, then having the other DAG node use PowerShell to install and enable it.

Your script gives me some hints in that direction. I imagine there’s going to be a bit more scripting to get the export and import part done - unless I’m missing something in your script. It appears to just enable a certificate that has already been copied and installed, then clean up old certificates. It’s a start though - and I appreciate the help. :slight_smile:

Just use the built in CCS export task to do the file copy, it doesn’t matter if you’re not really using CCS.

Ok. Let me give that a go. CCS is new to me, so I’ll have to fiddle around with it. Thanks for the point in the right direction. :smiley:

Cool, let me know if you need more info on the Certify side, I’m not a PowerShell guru but I can usually help.

Thanks so much. :slight_smile: I’m working on it all right now. I’ll make it work! :smiley:

That’s the spirit! If you don’t go the full CCS route you’ll need to import the pfx into the certificate store of the target machine, get the thumbprint of the cert then script the update to exchange to use that cert thumbprint.

I’m not an Exchange admin and have only ever set it up on one machine, so my advice may be flawed.

That’s kind of the approach I’m taking. A PowerShell script that will grab the thumbprint, export the certificate on exchange1 and import it on exchange2, then enable it on exchange2. I’m about 25% of the way there. :slight_smile:

Ok, note that the Scripting task or the CCS task can be used to do some of the work for you, you shouldn’t need to look up the cert from the cert store of exchange1 for instance, you can just copy it using the CCS Export task (which is just a file copy to the location you specify with the pfx file automatically named after the primary domain). The script can also give you the thumbprint to work with.

For general scripting info see here:

In the future we plan to have an API so you can just ask the main Certify server for the latest cert via a curl request or other HTTP GET command, then apply it how you like. We will probably also add a method for Certify on one machine to simply fetch from the API on another machine. That way each instance could use its own deployment tasks.
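As an added example that is not part of this thread or of Certify The Web's own scripts, the following post-request script ties together the steps described in the last two replies: it picks up the PFX that the CCS Export task wrote to a share (the file is named after the primary domain), imports it on the second DAG node with Import-ExchangeCertificate, checks that the thumbprint Certify reports is now present on that node, enables the services, and optionally removes older certificates for the same domain. It assumes it is run by Certify's PowerShell deployment task on the first node (so `$result` is populated), Exchange 2013 or later, and that the target node name, share path, PFX password and service list are supplied as parameters; the node names and share path below are placeholders.

```powershell
# Added example (not from the original thread or from Certify The Web). Runs as a Certify
# post-request PowerShell task on the node that holds the managed certificate.
# Assumptions: the CCS Export task has already written <primary domain>.pfx to $PfxShare,
# and Exchange 2013+ (Microsoft.Exchange.Management.PowerShell.SnapIn) is installed.
param(
    $result,                                            # passed in by Certify
    [string] $TargetServer = "Exchange2",               # assumed name of the other DAG node
    [string] $PfxShare     = "\\Exchange2\CertDrop$",   # assumed share the CCS Export task writes to
    [string] $PfxPassword  = "",                        # password set on the CCS Export task (assumed)
    [string] $Services     = "IIS,SMTP,IMAP,POP",
    [switch] $CleanupPreviousCerts
)

$ErrorActionPreference = "Stop"

# Do nothing on a failed request, so a broken renewal cannot disturb the standby node.
if (-not $result.IsSuccess) {
    Write-Host "Certificate request was not successful; skipping deployment to $TargetServer."
    return
}
if ([string]::IsNullOrEmpty($PfxPassword)) {
    throw "A PFX password is required; pass the password configured on the CCS Export task."
}

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

# Certify exposes the new certificate's thumbprint and the primary domain it was requested for.
$Thumbprint    = $result.ManagedItem.CertificateThumbprintHash
$PrimaryDomain = $result.ManagedItem.RequestConfig.PrimaryDomain
$PfxPath       = Join-Path $PfxShare "$PrimaryDomain.pfx"   # CCS Export names the file after the primary domain

if (-not (Test-Path -Path $PfxPath)) {
    throw "PFX not found at $PfxPath. Run the CCS Export task before this script."
}

# Import only if the target node does not already hold this exact certificate (safe to re-run).
$AlreadyThere = Get-ExchangeCertificate -Server $TargetServer | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $AlreadyThere) {
    Write-Host "Importing $PfxPath on $TargetServer"
    $SecurePwd = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
    # The bytes are read here, so the target node never has to resolve the share itself.
    Import-ExchangeCertificate -Server $TargetServer `
        -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) `
        -Password $SecurePwd | Out-Null
}

# Verify the certificate the target node now holds is the one Certify issued, then bind it.
$Imported = Get-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint
if ($null -eq $Imported -or $Imported.Thumbprint -ne $Thumbprint) {
    throw "Certificate $Thumbprint is not present on $TargetServer after import."
}
if ($Imported.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint on $TargetServer is already expired."
}

Write-Host "Enabling $Services for $Thumbprint on $TargetServer"
Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint -Services $Services -Force

if ($CleanupPreviousCerts) {
    # Remove other certificates issued for the same primary domain, never the one just enabled.
    Get-ExchangeCertificate -Server $TargetServer -DomainName $PrimaryDomain |
        Where-Object { $_.Thumbprint -ne $Thumbprint } |
        ForEach-Object {
            Write-Host "Removing superseded certificate $($_.Thumbprint) from $TargetServer"
            Remove-ExchangeCertificate -Server $TargetServer -Thumbprint $_.Thumbprint -Confirm:$false
        }
}
```

Point the Certify PowerShell task at this script with arguments such as `-TargetServer Exchange2 -PfxShare \\Exchange2\CertDrop$ -PfxPassword <the CCS export password> -CleanupPreviousCerts`. The private key is imported with Exchange's default (non-exportable) setting, the script refuses to bind anything whose thumbprint does not match what Certify reported, and the cleanup step only removes certificates that match the primary domain and differ from the new thumbprint; widen or narrow that filter if other certificates on the node share that name.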

Ok, this is what I came up with. Worked perfectly. :smiley:

$SourceServer = "Exchange1"
$DestinationServer = "Exchange2"
$SearchDomain = ""
$FilePath = "C:\Exchange.pfx"
$EnableServices = "IIS,SMTP,IMAP,POP"
# Add the Exchange snap-in (Exchange 2013 and later)
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
# Find out how many matching certificates we have - the first one is always the one Exchange is currently using
# (@() forces an array so .Count and [0] behave the same whether one or many certificates come back)
$Certificates = @(Get-ExchangeCertificate -Server $SourceServer -DomainName $SearchDomain)
# Throw an error if nothing is returned, otherwise take the first entry (the only entry if just one is found)
Switch ($Certificates.Count)
{
    0 { throw "ERROR: No certificate found!" }
    Default { $Thumbprint = $Certificates[0].Thumbprint }
}
Write-Host "Source Server: " $SourceServer
Write-Host "Destination Server: " $DestinationServer
Write-Host "Search Domain: " $SearchDomain
Write-Host ""
Write-Host "Thumbprint for active certificate on source server: " $Thumbprint
# Export current certificate from source server (commented out; replace the hard-coded password with a prompt or a stored credential before using)
# Export-ExchangeCertificate -Thumbprint $Thumbprint -Server $SourceServer -BinaryEncoded:$true -Password (ConvertTo-SecureString -String "Password1" -AsPlainText -Force) -FileName $FilePath
# Import exported certificate into destination server (commented out)
# Import-ExchangeCertificate -Server $DestinationServer -FileName $FilePath -Password (ConvertTo-SecureString -String "Password1" -AsPlainText -Force)
# Enable services on destination server - the thumbprint is identical on both nodes because it is the same certificate
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Server $DestinationServer -Services $EnableServices -Force -ErrorAction Stop

I will probably add in the old certificate cleanup code, so I don’t end up with a zillion expired certificates being kept. :slight_smile:


Great! Glad you got it working.