How to Use a Self-Signed Certificate for Exchange 2013, 2016, 2019 and Beyond When Security Requirements Require a Validity Period of Less Than 2 Years.

I had an interesting one related to Exchange internal certificates. The validity period is defaulting to 4 years in newer Exchange versions. I am sure there may be a registry key to change the validity period of New-ExchangeCertificate. Of several ways to approach this, I opted to use a simple PowerShell command instead.

Below I describe what I did, and also mention the other methods you may use to approach it.

Before I move on – you may want to see the *** Disclaimer at the bottom. Basically, none of this is a Root CA cert, so it's not really the best solution. This is fun and may work for some special requirements, but a Root CA request and response is the best certificate!


The problem

This was a two-fold problem. First, Exchange requires SAN names for the hostname and FQDN on the internal certificate. In the past you could create a certificate from IIS as a personal certificate and it would work fine. This appears not to be the case any more. If you create a certificate like this and then export it, Exchange will import the certificate right into the Personal store. But surprise! You will not see it in the list of certificates.

The second issue is that the customer could not accept the default validity period. So I needed to make a 2-name self-signed certificate with a validity of less than 4 years.

Solution.

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "*.contoso.com, contoso.com, secure.login.contoso.com"

All you have to do is run the PowerShell and you get an SSL certificate in your Personal store. This illustration is courtesy of Microsoft.

You don't have to make a wildcard. It can be as easy as:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "Mymailservername, Mymailservername.mydomain.com"


Other Possibilities

Let me start with the validity period. No, there is no CA. I could have had him install one and make it default to 2 years. However, too much work!

The second method I used back in the 2008 time frame. I'm not sure how valid it is today, but the basics of the certificate request are still there. Just open MMC, add Certificates for the computer account, and see this article. You have to make sure to set all the variables: you have to set the cipher, the expiration date and a dozen different items, and then you will have to use trial and error to get it right. To the good old days!

Registry or Policy.inf

If he were using a CA and we needed to change the validity period, I thought this was a novel idea. Just using a Policy.inf would be awesome.

Finally, a registry edit is what I thought of immediately. But 2000 and 2003 articles are not to be trusted! Well, maybe I will check it one day!

Actually create a cert with SAN names, unique validity, and control of the private and public key

The one that interested me most was based on my solution. This article from Windows OS Hub goes a little more into detail. If I had time, I might try using some of the syntax with New-ExchangeCertificate to see if it would work.

I am basically just listing out the examples from the article, as I can never find the information when I really need it. See their article for a much better experience.

*** Disclaimer.

While this is fun and awesome, you have to remember you're not dealing with a certificate from a Certificate Authority. So there is a little problem! The problem is that the cert is not implicitly trusted when you create it!! This means you have to do something unique. Once the certificate is created in the Personal store, you copy it from the certificate snap-in (certlm.msc) by right-clicking Copy, then go to the Trusted Root Certification Authorities store and click Paste. Now go back to the local store and see that it is now trusted by the local computer.


Basic Certificate

New-SelfSignedCertificate -DnsName host.mydomain.com -CertStoreLocation cert:\LocalMachine\My

Certificate with Subject Alternative Name or Wildcard

New-SelfSignedCertificate -DnsName MyHostname,MyHostname.mydomain.com -CertStoreLocation cert:\LocalMachine\My

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *.mydomain.com


Certificate with unique validity, SAN names and separate private and public key export.

$todaymy = Get-Date

$2years = $todaymy.AddYears(2)

New-SelfSignedCertificate -DnsName "test,test.mydomain.com" -NotAfter $2years -CertStoreLocation cert:\LocalMachine\My

  • Go into certlm.msc, right-click the cert, choose Properties, go to Details, scroll to the bottom and write down the Serial Number. That will go in the command below.
  • The password below is one you can make up; you will need it to import the certificate!

$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText

Export-PfxCertificate -Cert cert:\LocalMachine\My\YourSerialNumberhere -FilePath C:\test.pfx -Password $CertPassword

Export-Certificate -Cert Cert:\LocalMachine\My\YourSerialNumberhere -FilePath C:\tstcert.cer
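The same procedure as one script, as an added example (not the article's or Windows OS Hub's code). It assumes an elevated PowerShell session on the server, the hostnames mail01 / mail01.mydomain.com and the C:\certs output paths; it takes the thumbprint from the object New-SelfSignedCertificate returns (the Cert: drive is indexed by thumbprint, so nothing has to be copied out of certlm.msc), checks the lifetime and SAN entries, exports both halves, and scripts the copy into Trusted Root from the disclaimer so the trust change can be verified.

```powershell
# Added example, not from the article: two-name self-signed cert with a 2-year
# lifetime, separate PFX/CER export, then local trust. Hostnames/paths assumed.
$ErrorActionPreference = 'Stop'

$dnsNames  = @('mail01', 'mail01.mydomain.com')   # short name + FQDN (assumed)
$lifetime  = 2                                     # years; the customer's limit
$pfxPath   = 'C:\certs\mail01.pfx'                 # private key, password-protected
$cerPath   = 'C:\certs\mail01.cer'                 # public certificate only
$plainPass = 'Use-A-Real-Passphrase-Here'          # you will need it at import time

New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null

# Issue the certificate. Passing an array to -DnsName gives each name its own
# SAN entry, so there is no ambiguity about how a comma-separated string is split.
$cert = New-SelfSignedCertificate `
    -DnsName           $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter          (Get-Date).AddYears($lifetime) `
    -KeyAlgorithm      RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy   Exportable `
    -FriendlyName      "Exchange internal ($lifetime yr, self-signed)"

# Sanity checks before anything is exported or trusted.
if ($cert.NotAfter -gt (Get-Date).AddYears($lifetime).AddDays(1)) {
    throw "Validity exceeds $lifetime years: $($cert.NotAfter)"
}
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
"Subject:    $($cert.Subject)"
"SAN:        $($san.Format($false))"
"Thumbprint: $($cert.Thumbprint)"

# The Cert: drive is keyed by thumbprint; this is the path the export cmdlets want.
$storePath = "Cert:\LocalMachine\My\$($cert.Thumbprint)"

# Private key (PFX, password-protected) and public cert (CER) as separate files.
$securePass = ConvertTo-SecureString -String $plainPass -Force -AsPlainText
Export-PfxCertificate -Cert $storePath -FilePath $pfxPath -Password $securePass | Out-Null
Export-Certificate    -Cert $storePath -FilePath $cerPath | Out-Null

# A self-signed cert is not trusted until its public half sits in Trusted Root.
# This is the disclaimer's "copy from Personal, paste into Root" step, scripted,
# and Verify() shows the chain result before and after.
"Trusted before import: $($cert.Verify())"
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
"Trusted after import:  $($cert.Verify())"
```

Placing a leaf certificate in Trusted Root makes this one machine trust it; every other client that talks to the server needs the .cer imported the same way, which is the reason the disclaimer prefers a Root CA.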

Signing Certificate

Signing certificate: this Windows OS Hub article is alright. They go into more detail here on how to sign your code with this signing certificate:

$cert = New-SelfSignedCertificate -Subject "My Code Signing Certificate" -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My

or just: New-SelfSignedCertificate -DnsName dev1.mydomain.com -Type CodeSigningCert

Set-AuthenticodeSignature -FilePath C:\PS\my_posh_script.ps1 -Certificate $cert


Last but not least, I just wanted to re-share Bill Hamel's post in the same article. He has it all down:

Bill Hammel says: I support enterprise-level web-based applications. Here's what I use to create self-signed certificates on my virtual systems:
