Powershell script to renew certificate on remote exchange servers

Hello. Has anyone been able to do this successfully?

Here is a copy of my script which used to work with a previous version but stopped working with the latest update:

# This is an example script and it will be overwritten when the next update is installed. 
# To use this script copy it to another location and modify as required

# This script enables the use of the newly retrieved and stored certificate with common Exchange services
# For more script info see https://docs.certifytheweb.com/docs/script-hooks.html


# Copy the new PFX to a share that every Exchange server can read.
# (The original used \\domain.com\folder\ here but \\domain.com\share\ below; one path is used throughout.)
$pfxPath = "\\domain.com\share\exchange-cert.pfx"
Copy-Item -Path $result.ManagedItem.CertificatePath -Destination $pfxPath -Verbose -Force

$password = ConvertTo-SecureString "Password" -AsPlainText -Force
$UserCredential = New-Object System.Management.Automation.PSCredential ("domain\Administrator", $password)

# Import and enable the certificate on each Exchange server in turn
$servers = "srvexch01", "srvexch02", "srvexch03", "srvexch04"
foreach ($server in $servers) {
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$server.domain.com/PowerShell/" -Authentication Kerberos -Credential $UserCredential

    # -AllowClobber lets the proxy commands be re-imported for the next server's session
    Import-PSSession $Session -DisableNameChecking -AllowClobber

    Import-ExchangeCertificate -Server $server -FileData ([Byte[]]$(Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0))

    # -Services must be written with a plain hyphen; the original had an en-dash, which PowerShell does not parse as a parameter
    Enable-ExchangeCertificate -Thumbprint $result.ManagedItem.CertificateThumbprintHash -Services IIS,SMTP,IMAP,POP -Force

    Remove-PSSession $Session
}

# Remove the PFX from the share once all servers have imported it
Remove-Item -Path $pfxPath -Verbose -Force

Were you previously running the Certify background service under a user other than Local System?

By default the background service runs as Local System; this means it doesn't have any permission for network access (such as file copying or remote scripting). This is the only supported configuration.

To get your script to work you should be able to edit the Deployment Task (Scripting moved to Deployment > Deployment Tasks in the most recent version and will be moving to its own Tasks tab in the next release). The deployment task has parameters for things like saved network credentials.

Assuming you have a working certificate, try a simpler script that just copies the file to see if that works for you (you could alternatively try the CCS Export script which basically does the same thing). As an aside you could also investigate using the Central Certificate Store method of sourcing your certificate for Exchange.

On another thread a user had trouble getting export to work to another machine on their domain and this was fixed by changing our LogonType that we use when impersonating network users. Perhaps you could try the same fix? Export certificate to network/UNC path failed

As an aside, please don’t cross-post your issue in several places, this just bumps conversation threads and doesn’t result in more assistance being offered.

You should add some logging to your script, e.g. write output of commands to a text file. This will help troubleshooting…

For remote PS access you need to add the remote servers to the TrustedHosts setting. Check if the remote servers are listed here, or a * for any remote server:
Get-Item WSMan:\localhost\Client\TrustedHosts

I use the following authentication type for a new PS session; it gave me fewer problems 🙂 :
-Authentication Negotiate

Check the WinRM config on the remote Exchange servers…

Did you run any other updates when installing the new Certify? Updated .NET? Might it be security related?

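Putting the suggestions above together (log every step to a file, record the TrustedHosts value, use Negotiate, and verify the binding after enabling), here is an added example of a per-server deployment loop. It is not code from the original post or from Certify The Web; it assumes `$result` is supplied by the Certify script hook, that the credential was saved beforehand with `Export-Clixml` by the same account the background service runs as (DPAPI-protected, so no plaintext password in the script), and the server names, share path and log path are placeholders.

```powershell
# Added example: per-server Exchange certificate deployment with logging and verification.
# Assumptions: $result comes from the Certify script hook; paths and server names are placeholders.
$LogPath  = "C:\ProgramData\Certify\exchange-cert-deploy.log"   # placeholder
$credFile = "C:\ProgramData\Certify\exchange-cred.xml"          # created earlier via Get-Credential | Export-Clixml
$pfxPath  = "\\domain.com\share\exchange-cert.pfx"               # placeholder share
$servers  = "srvexch01.domain.com", "srvexch02.domain.com"       # placeholders
$thumb    = $result.ManagedItem.CertificateThumbprintHash

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append
}

# Credential is DPAPI-bound to the account that exported it, so it must have been
# exported by the same account the Certify background service runs under.
$cred = Import-Clixml -Path $credFile

# Record TrustedHosts so a remoting failure can be correlated with the client config
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Write-Log "TrustedHosts = '$trusted'"

Copy-Item -Path $result.ManagedItem.CertificatePath -Destination $pfxPath -Force
$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)

foreach ($server in $servers) {
    $session = $null
    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri "http://$server/PowerShell/" -Authentication Negotiate `
            -Credential $cred -ErrorAction Stop
        Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

        Import-ExchangeCertificate -Server $server -FileData $pfxBytes -ErrorAction Stop | Out-Null
        Enable-ExchangeCertificate -Server $server -Thumbprint $thumb -Services IIS,SMTP,IMAP,POP -Force -ErrorAction Stop

        # Verify: the new thumbprint must now be bound to IIS on this server, not just imported
        $bound = Get-ExchangeCertificate -Server $server -Thumbprint $thumb -ErrorAction Stop
        if ("$($bound.Services)" -match "IIS") { Write-Log "$server OK: $thumb enabled for $($bound.Services)" }
        else { Write-Log "$server WARN: $thumb imported but not bound to IIS ($($bound.Services))" }
    } catch {
        Write-Log "$server FAILED: $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-PSSession $session }
    }
}

# Do not leave the private key lying on the share
Remove-Item -Path $pfxPath -Force
```

A "WARN" line in the log after a run is the quickest way to spot the case raised later in this thread, where the certificate imports fine but the IIS binding on one server is not updated.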

I’m preparing an update that uses a different authentication setting for powershell scripting, so that will be available to test soon and might help in this case.

Hi, please check out v5.1 for proposed fixes to script/powershell/network authentication tasks:

I hadn’t implemented LE certificates for mail yet, until yesterday. Found out I needed to enable CredSSP to remotely assign certificates to services.

It is also possible you need to create and assign an admin role to the remote user within Exchange, with the Exchange Server Certificates role added.


I was actually able to get it to work by changing:
-FileData ([Byte[]]$(Get-Content -Path \\domain.com\share\exchange-cert.pfx -Encoding Byte -ReadCount 0))
to use the certificate hash.

My main problem is, the IIS certificate doesn't update for the Exchange backend on every server. Is there a way to automate this process?

I don’t know much about running multiple exchange servers myself but for IIS you should look into using Central Certificate Store - there is a CCS deployment task for this. That way the latest cert is picked up by interested servers by using a shared UNC path, or deployment to multiple paths.