Introduction
In part 1, we went through the required tasks to prepare for and install Exchange 2016 in an Exchange 2013 environment. We also looked at how to configure the Service Connection Point in AD, which clients use to locate the Exchange server autodiscover URL so that they can configure themselves automatically. To go back and review part 1, click here.
In this post, we’ll cover how to install the correct SSL certificate on Exchange 2016 and then how to configure the virtual directories so that clients are directed to the correct URLs for each service.
To read other parts in this series, go to:
- Exchange 2013 to 2016 Migration (Part 1)
- Exchange 2013 to 2016 Migration (Part 3)
- Exchange 2013 to 2016 Migration (Part 4)
- Exchange 2013 to 2016 Migration (Part 5)
- Exchange 2013 to 2016 Migration (Part 6)
Install an SSL certificate on Exchange 2016
When Exchange is installed, a self-signed certificate is created which includes only the FQDN and hostname of the server. In our case, this is litex02.litwareinc.com and litex02 respectively. This certificate is untrusted by clients and it’s good practice to use a hostname for external connections rather than exposing our internal server name to the internet so we’ll need to add a new certificate issued by a CA which is trusted by the clients and which has the correct subject names.
There are a number of ways of migrating the CAS role between Exchange 2013 and Exchange 2016. In our case, we will do a switchover where we will change the A records that are in use for Exchange 2013 to resolve to Exchange 2016. This means that Exchange 2016 will use the same A records as Exchange 2013 did and so we can use the same certificate. This method was chosen as it’s similar to the Microsoft documented methods described to migrate from Exchange 2010 to 2013 or 2016. Other methods include using a different namespace for Exchange 2016 and using autodiscover to migrate clients over to Exchange 2016 or by sequentially replacing Exchange 2013 servers with Exchange 2016 servers in a load balanced array of CAS servers. These two methods won’t be covered in this post and we’ll stick to the simple A record change method.
Also note that the CAS migration is no longer a required step before moving mailboxes. This is because Exchange 2013 can proxy connections to Exchange 2016 servers. This means that you can simply install an Exchange 2016 server and then move mailboxes then complete the CAS migration later on in the migration. In this case, we’re doing what is familiar and will complete this task before moving mailboxes.
The current Exchange 2013 server in our lab uses mail.litwareinc.com for all client connections, internally and externally. Autodiscover.litwareinc.com is also in use. There’s no need to buy a new SSL certificate as we can use the same certificate that is on Exchange 2013, since it has the correct names and is trusted by our clients.
Follow the steps below to install an SSL certificate on Exchange 2016.
Identify the certificate in use on Exchange 2013
Our first step is to identify the certificate on our Exchange 2013 server that has the required names mail.litwareinc.com and autodiscover.litwareinc.com, has a valid expiry date and is in use for the IIS service. To do this, we run the command below from the Exchange Management Shell on an Exchange 2013 CAS server:
Get-ExchangeCertificate | fl Thumbprint,NotAfter,Issuer,CertificateDomains,Services
From the output, find the certificate thumbprint you require as you’ll need it in the next step. In our case, the certificate that is in use on Exchange 2013 has a thumbprint of C87C1CBA43733D177B2679BC825808C7BECC659B.
Export the certificate from Exchange 2013
The next step is to export the certificate from Exchange 2013 so we can copy it over to Exchange 2016. We’ll use the Export-ExchangeCertificate cmdlet to export both the public key and the private key for the certificate that we identified in the previous step. You need to set a password on the exported certificate as it contains the private key – in this example, the password is Password1. Run this command from the Exchange Management Shell on the same Exchange 2013 CAS server:
$password = ConvertTo-SecureString "Password1" -AsPlainText -Force
Export-ExchangeCertificate -Thumbprint C87C1CBA43733D177B2679BC825808C7BECC659B -FileName C:\Exchange2013Cert.pfx -Password $password | Out-Null
You should now have a file called C:\Exchange2013Cert.pfx on your Exchange 2013 CAS server.
Import the certificate onto Exchange 2016
In this step, we’ll import the Exchange 2013 certificate onto the Exchange 2016 CAS server. You need to do this for each CAS server if you have installed a load balanced array of CAS servers.
First, copy the Exchange2013Cert.pfx file to your Exchange 2016 server and store it on the C drive.
Now, open the Exchange Management Shell on the Exchange 2016 server and run the commands below to import the certificate into Exchange and assign the required services. Press ‘n’ when asked if you would like to overwrite the existing default SMTP certificate:
$password = ConvertTo-SecureString "Password1" -AsPlainText -Force
Import-ExchangeCertificate -FileName C:\Exchange2013Cert.pfx -PrivateKeyExportable $true -Password $password | Enable-ExchangeCertificate -Services POP,IMAP,IIS,SMTP -DoNotRequireSsl
Delete C:\Exchange2013Cert.pfx from both the Exchange 2013 and 2016 CAS servers for security purposes.
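As an added example that is not part of the original post, the identify, export, import and delete steps above combined into one script run from the Exchange 2016 Management Shell, with the 2013 certificate selected by its names, validity and IIS binding rather than a pasted thumbprint, and with a verification step before the PFX is removed. The Exchange 2013 server name litex01 and the admin-share path are assumptions; litex02 is from the post.

```powershell
# Added example, not from the original post. Run from the Exchange 2016 EMS;
# the -Server parameter directs each cmdlet at the right server.
$Ex2013       = 'litex01'                       # assumed Exchange 2013 CAS name
$Ex2016       = 'litex02'                       # from the post
$RequiredSans = 'mail.litwareinc.com', 'autodiscover.litwareinc.com'
$LocalPfx     = 'C:\Exchange2013Cert.pfx'       # same local path on both servers, as in the post
$RemotePfx    = "\\$Ex2013\C$\Exchange2013Cert.pfx"   # assumed admin share reachable from litex02

# 1. Identify: exactly one currently valid, IIS-bound certificate carrying every required name.
$match = @(Get-ExchangeCertificate -Server $Ex2013 | Where-Object {
    $c = $_
    @($RequiredSans | Where-Object { $c.CertificateDomains -notcontains $_ }).Count -eq 0 -and
    $c.NotAfter -gt (Get-Date).AddDays(30) -and
    (($c.Services -split ',\s*') -contains 'IIS')
})
if ($match.Count -ne 1) { throw "Expected one matching certificate on $Ex2013, found $($match.Count)." }
$thumb = $match[0].Thumbprint

# 2. Export with a random, single-use password: the PFX contains the private key.
$bytes = New-Object byte[] 24
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Export-ExchangeCertificate -Server $Ex2013 -Thumbprint $thumb -FileName $LocalPfx -Password $password | Out-Null

# 3. Copy the file to the 2016 server (a local Copy-Item, so no second-hop credential issue),
#    import it and bind the services. Answer 'n' at the default SMTP certificate prompt, as in the post.
Copy-Item -Path $RemotePfx -Destination $LocalPfx
Import-ExchangeCertificate -Server $Ex2016 -FileName $LocalPfx -Password $password -PrivateKeyExportable $true |
    Enable-ExchangeCertificate -Server $Ex2016 -Services 'POP,IMAP,IIS,SMTP' -DoNotRequireSsl

# 4. Verify that the same key pair is now bound to IIS on 2016 before any DNS change in part 3.
$check = Get-ExchangeCertificate -Server $Ex2016 -Thumbprint $thumb
if (($check.Services -split ',\s*') -notcontains 'IIS') {
    throw "Certificate $thumb is not bound to IIS on $Ex2016."
}

# 5. Remove both copies of the private key file and the in-memory password material.
Remove-Item -Path $LocalPfx, $RemotePfx -Force
Remove-Variable password, bytes
```

The 30-day NotAfter margin is a chosen threshold; tighten or relax it to match your renewal policy.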
Conclusion
In part 2, we have discussed and demonstrated how to select and install a certificate for use on our Exchange 2016 server. We’ve also briefly discussed how to migrate the CAS role between Exchange 2013 and 2016.
In part 3, we’ll configure the virtual directories on Exchange 2016 so that clients receive the correct autodiscover settings then we’ll switch over the A records to direct clients to use Exchange 2016 for the CAS services.