
Exchange Certificate Assistant: Not a new version, but a (better) alternative (WIN-ACME)

A long time ago I discovered the Exchange Certificate Assistant updated for the last time. The script uses POSH-ACME as a client to automatically request Let's Encrypt certificates, but there are problems with the script from time to time. Since there is now a much better version, which also supports Exchange Server (and other services), I will no longer develop the Exchange Certificate Assistant.

Here is a short article on how to request a certificate for Exchange Server via Let's Encrypt using WIN-ACME Client.

WIN-ACME offers direct integration for Exchange Server. PowerShell version 5 is required. The WIN-ACME client can be downloaded here:

The ZIP archive can then be unpacked into any folder:

All that is needed now are the names that are to be entered on the certificate. To determine the DNS names for the certificate, you can use the script from one of my previous posts:

The WIN-ACME client can then be started with the corresponding parameters. To configure the certificate for Exchange Server, the following command can be adapted with the corresponding DNS names:

wacs.exe --target manual --host outlook.frankysweb-lab.de,autodiscover.frankysweb-lab.de --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP,POP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

The easiest way is to copy the command into a CMD file and then adapt it there:

Those are all the necessary adjustments; the CMD file can now be executed directly. Alternatively, the command from the CMD file can also be run directly on the command line. When the WIN-ACME client runs for the first time, two questions must be confirmed and an e-mail address entered:

Once WIN-ACME has finished running, the new certificate has been assigned to the Exchange services:

There is also a task that automatically renews the certificate.
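To confirm the result after the run, the following check can be used. It is an added example, not part of WIN-ACME or the original article, and is meant for the Exchange Management Shell. The 20-day threshold and the assumption that the renewal task's name contains "win-acme" are mine; adjust both to your environment.

```powershell
# Added example: verify the certificate that WIN-ACME assigned to Exchange.
# The names and services mirror --host and the ImportExchange.ps1 parameters above.
$expectedNames    = 'outlook.frankysweb-lab.de', 'autodiscover.frankysweb-lab.de'
$expectedServices = 'IIS', 'SMTP', 'IMAP', 'POP'
$minDaysLeft      = 20   # assumption: warning threshold, choose your own

# Pick the newest certificate that covers every expected DNS name.
# (Filtering on the IIS service alone would also match Exchange's self-signed certificate.)
$cert = Get-ExchangeCertificate |
    Where-Object {
        $domains = $_.CertificateDomains | ForEach-Object { "$_" }
        -not ($expectedNames | Where-Object { $_ -notin $domains })
    } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No Exchange certificate covers: $($expectedNames -join ', ')"
    return
}

# Services is a flags value; its string form looks like "IMAP, POP, IIS, SMTP".
$services        = "$($cert.Services)" -split ',\s*'
$missingServices = @($expectedServices | Where-Object { $_ -notin $services })
$daysLeft        = [int]($cert.NotAfter - (Get-Date)).TotalDays

# Assumption: the renewal task created by WIN-ACME has "win-acme" in its name.
$task     = Get-ScheduledTask | Where-Object { $_.TaskName -like '*win-acme*' } |
            Select-Object -First 1
$taskInfo = if ($task) { $task | Get-ScheduledTaskInfo }

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    Issuer          = $cert.Issuer
    Status          = $cert.Status
    DaysLeft        = $daysLeft
    MissingServices = $missingServices -join ','
    RenewalTask     = if ($task) { $task.TaskName } else { 'NOT FOUND' }
    TaskLastResult  = if ($taskInfo) { $taskInfo.LastTaskResult } else { $null }
    TaskNextRun     = if ($taskInfo) { $taskInfo.NextRunTime } else { $null }
} | Format-List

if ($missingServices -or $daysLeft -lt $minDaysLeft -or -not $task) {
    Write-Warning 'Certificate assignment or renewal needs attention (see values above).'
}
```

An empty `MissingServices`, a `Status` of `Valid` and a renewal task with a future `TaskNextRun` indicate that assignment and automatic renewal are in place.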

So it's time to retire the Exchange Certificate Assistant and switch to the WIN-ACME Client. Many thanks to the team behind the WIN-ACME Client for their excellent work.

The Exchange Certificate Assistant was at least one of the first scripts that could request and automatically assign certificates for Exchange servers. :-)

I also recently published a detailed white paper on the subject of "Exchange Server and certificates". Anyone who is still unsure about the topic of certificates will find the white paper a very good introduction.
