I have just uploaded a new version of the Exchange Certificate Assistant. The old version still uses the Let's Encrypt protocol ACMEv1, which is no longer supported by Let's Encrypt.
The new version 3 of the Certificate Assistant uses the PowerShell module Posh-ACME to request certificates for Exchange servers from Let's Encrypt automatically. Posh-ACME is ACMEv2 compatible and can therefore also request wildcard certificates from Let's Encrypt. The Certificate Assistant, however, still does not use wildcard certificates but SAN certificates, which are validated with the HTTP-01 challenge. The advantage of HTTP-01 is that the entire process for Exchange certificates can be automated and no changes to DNS are required. Only a few settings need to be defined in the script itself; the rest then runs fully automatically.
The current Certificate Assistant version supports the following Exchange Server versions:
- Exchange 2010 (PowerShell 5 required; PowerShell 5 is not released for SBS Server)
- Exchange 2013
- Exchange 2016
- Exchange 2019
I have recorded a short video showing the Certificate Assistant in action on an Exchange 2019 server:
Exchange Certificate Assistant can be downloaded here:
The ZIP archive contains a script for each Exchange version. Here is a short guide on how to use it.
Instructions
The script contains a few basic settings that need to be configured first. The following three settings must be adjusted; the remaining settings are optional:
Required settings
$LetsEncryptMode specifies which Let's Encrypt environment is used to request the certificates. "LE_Stage" is the test environment, with which the script can be tried out first: in "LE_Stage" mode no valid certificates are issued and no Let's Encrypt rate limits apply. "LE_Stage" mode is therefore ideal for testing; once a certificate has been issued successfully there, the script can be switched to the Let's Encrypt production environment ("LE_Prod") to request valid certificates.
$ContactMail is required for registering the Let's Encrypt account. A valid e-mail address must be specified here. The Let's Encrypt account is created automatically by the script if necessary.
$PFXPassword sets the password for the certificate (PFX file). The password is required if the certificate is also to be installed on other servers.
Optional settings
$WriteConsoleLog controls the console output. A log file is always written in the Certificate Assistant directory; $WriteConsoleLog can only switch off the output in the console ($false), not the log file.
$DetermineExchangeFQDNs and $CustomFQDNs belong together. By default, the script tries to determine the host names required for the certificate automatically ($DetermineExchangeFQDNs = $true). If other host names or additional DNS names are desired or required, $DetermineExchangeFQDNs can be set to $false. In that case, all DNS names must be specified in $CustomFQDNs.
The $SendMail settings should be self-explanatory: the Certificate Assistant sends the log file by e-mail after each run.
Notes
Exchange Certificate Assistant is designed to run directly on an Exchange server. The Exchange server itself must be accessible from the Internet under the corresponding host name on port 80 (http) and port 443 (https). Otherwise the validation will fail and no certificate can be requested.
A public CA such as Let's Encrypt cannot issue certificates for "non-public" domains. This means that certificates with hostnames such as "server1.domain.local" cannot be requested. The Exchange Virtual Directories must therefore be configured for public host names. A corresponding configuration is described here:
- Exchange 2019: The basic configuration
- Exchange 2016: The basic configuration
- Exchange 2013: The basic configuration
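As an added example (not the Certificate Assistant's own code), the following PowerShell shows what the $DetermineExchangeFQDNs / $CustomFQDNs setting and the note on "non-public" domains amount to: host names are collected from virtual-directory URLs, names a public CA cannot issue for are separated out, and the remaining names are requested as one SAN certificate through Posh-ACME's HTTP-01 WebRoot plugin. The sample URLs, the non-public suffix list, the function names and the C:\inetpub\wwwroot path are assumptions.

```powershell
# Added example, not the Certificate Assistant's own code. Collect the host names an Exchange
# SAN certificate needs from virtual-directory URLs (the values Get-OwaVirtualDirectory,
# Get-EcpVirtualDirectory, ... return) and separate names a public CA can issue for from
# names it cannot (e.g. server1.domain.local).
function Get-CertificateHostnames {
    param(
        [string[]]$Urls,               # InternalUrl/ExternalUrl values of the virtual directories
        [string[]]$ExtraNames = @(),   # e.g. autodiscover.<domain>, or the $CustomFQDNs list
        # Suffixes treated as non-public here (assumption; extend for your environment)
        [string[]]$NonPublicSuffixes = @('.local', '.lan', '.internal', '.localhost')
    )
    $names = New-Object System.Collections.Generic.List[string]
    foreach ($u in $Urls) {
        if ([string]::IsNullOrWhiteSpace($u)) { continue }           # ExternalUrl is often unset
        try { $hostName = ([System.Uri]$u).Host } catch { continue }  # skip malformed values
        if ($hostName) { $names.Add($hostName.ToLowerInvariant()) }
    }
    foreach ($n in $ExtraNames) { if ($n) { $names.Add($n.Trim().ToLowerInvariant()) } }
    $public = @(); $rejected = @()
    foreach ($n in ($names | Sort-Object -Unique)) {
        $hasNonPublicSuffix = [bool]($NonPublicSuffixes | Where-Object { $n.EndsWith($_) })
        # single-label names ("server1") are rejected as well
        if ($hasNonPublicSuffix -or ($n -notmatch '\.')) { $rejected += $n } else { $public += $n }
    }
    [pscustomobject]@{ Public = $public; Rejected = $rejected }
}

# Request the SAN certificate via HTTP-01 with Posh-ACME (needs the module and Internet access).
# The WebRoot plugin writes the token below <WRPath>\.well-known\acme-challenge; this assumes
# C:\inetpub\wwwroot is the site IIS serves on port 80 and that path is reachable without SSL.
function Request-ExchangeSanCertificate {
    param([string[]]$Domains, [string]$ContactMail, [string]$PfxPassword, [string]$Server = 'LE_STAGE')
    Set-PAServer $Server                       # LE_STAGE first; LE_PROD once a staging run succeeds
    New-PACertificate -Domain $Domains -AcceptTOS -Contact $ContactMail `
        -Plugin WebRoot -PluginArgs @{ WRPath = 'C:\inetpub\wwwroot' } -PfxPass $PfxPassword
}

# Constructed sample input: one directory still carries an internal-only name
$sampleUrls = @(
    'https://mail.example.com/owa', 'https://mail.example.com/ecp', '',
    'https://server1.domain.local/EWS/Exchange.asmx', 'https://mail.example.com/mapi'
)
$result = Get-CertificateHostnames -Urls $sampleUrls -ExtraNames 'autodiscover.example.com'
$result.Public    # autodiscover.example.com, mail.example.com
$result.Rejected  # server1.domain.local -> fix that virtual directory before requesting
if (-not $result.Rejected) {
    Request-ExchangeSanCertificate -Domains $result.Public -ContactMail 'admin@example.com' -PfxPassword 'ChangeMe!'
}
```

The request is only attempted once every name passes the check, and against the staging server first, mirroring the script's "LE_Stage" mode.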
If you have any problems or errors with this script, please use the forum. In that case, always attach the log file and make sure that it contains no sensitive information (delete such entries accordingly before posting).
