Microsoft Exchange and Active Directory Blog
A long time ago I updated the Exchange Certificate Assistant for the last time. The script uses POSH-ACME as a client to automatically request Let's Encrypt certificates, but there are problems with the script from time to time. However, since there is now a much better version that also supports Exchange Server (and other services), I will ... Read more
Originally I had given up the plan to write another white paper on the subject of "Exchange and certificates". However, there still seem to be very frequent problems with the configuration of certificates in connection with Exchange servers. There are already a few articles and scripts here, so now a comprehensive whitepaper on the subject will follow ... Read more
In January of this year, I reported on free S/MIME certificates from WISeID. Unfortunately, I have since discovered that newly requested certificates from this CA are no longer considered trustworthy. I noticed this when I requested a new 1-year certificate from WISeID. The CA still issues the certificates, but ... Read more
I have already reported several times about the possibility of obtaining free S/MIME certificates for signing and encrypting emails. There are now only a few providers that still offer free certificates. Some of the providers mentioned in the previous articles either do not issue certificates at all or only issue certificates with a 90-day validity period. All 90 ... Read more
I have just uploaded a new version of the Exchange Certificate Assistant. The old version still uses the Let's Encrypt protocol ACMEv1, which is no longer supported by Let's Encrypt. The new version 3 of the Certificate Assistant now uses the PowerShell module Posh-ACME to automatically request certificates for Exchange Server via Let's Encrypt. Posh-ACME is ACMEv2 ... Read more
In this article, I already described how the Sophos UTM certificate can be exported via REST API. A few people have now reported that an automatic export and import for Exchange Server is interesting. I have therefore extended the script and successfully tested the export and import with Exchange Server 2016. ... Read more
Sophos UTM can now automatically request and renew certificates from Let's Encrypt. This function is particularly useful for web server protection (WAF). The certificate for the various WAF services is thus managed by the UTM and renewed accordingly before it expires. I have already received several requests from people who would like to use the ... Read more
In my last article about a free S/MIME certificate for signing and encrypting emails, I made a stupid mistake. In the last article, I recommended the CA DGNCert, which offers free S/MIME certificates, but the CA itself is not stored as a "Trusted Root Certification Authority" in Windows. So as long as the root certificate is not manually ... Read more
Update 25.02.2019: There is a new article here, as this article is no longer valid. Update 29.01.2019: See note/update at the end of the article. DGNcert is not stored as a trusted certification authority in Windows as I claimed. Therefore, please read the update at the end of the article first and then the comments. So far, Comodo has been a reliable ... Read more
MTA-STS (Mail Transfer Agent-Strict Transport Security, STS for short) is a fairly new tool for making sending and receiving mail more secure. MTA-STS has now been adopted as RFC-8461 and can therefore be used. Similar to DANE, information is stored in the DNS for STS. The big difference, however, is that STS does not require DNSSEC ... Read more
