{"id":1282,"date":"2021-07-01T16:39:43","date_gmt":"2021-07-01T14:39:43","guid":{"rendered":"https:\/\/www.web-workers.ch\/?p=1282"},"modified":"2023-05-15T17:27:42","modified_gmt":"2023-05-15T15:27:42","slug":"how-to-install-replace-a-ssl-tls-certificate-on-microsoft-exchange-server-2013-2016","status":"publish","type":"post","link":"https:\/\/www.web-workers.ch\/index.php\/2021\/07\/01\/how-to-install-replace-a-ssl-tls-certificate-on-microsoft-exchange-server-2013-2016\/","title":{"rendered":"How to install\/replace a SSL\/TLS certificate on Microsoft Exchange Server 2013\/2016"},"content":{"rendered":"\n<p>This tutorial describes how to install or replace a SSL\/TLS certificate on an on-premise Microsoft Exchange Server.<\/p>\n\n\n\n<p>Hint: All commands are executed via Exchange Management Shell.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Get a list of all installed and available certificates<\/h5>\n\n\n\n<p>Display a detailed output of every certificate with the assigned services:<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># Get-ExchangeCertificate -Server &lt;YOURHOSTNAME&gt; | FL\n\nAccessRules :\nCertificateDomains : {xxyy.com, *.xxyy.com, www.xxyy.com}\nHasPrivateKey : True\nIsSelfSigned : False\nIssuer : CN=QuoVadis Global SSL ICA G2, O=QuoVadis Limited, C=BM\nNotAfter : 02.07.2021 17:00:00\nNotBefore : 02.07.2019 16:50:12\nPublicKeySize : 2048\nRootCAType : ThirdParty\nSerialNumber : 15BF8523008F487ED306E74D663711798DDA6483\nServices : IMAP, POP, IIS, SMTP\nStatus : Valid\nSubject : CN=xxyy.com, O=XXYY AG, L=Some Location, S=Z\u00fcrich, C=CH\nThumbprint : DBC4C763AE0EDD013C6036EB8F2932C4C02622F0\n\nAccessRules :\nCertificateDomains : {}\nHasPrivateKey : True\nIsSelfSigned : True\nIssuer : CN=Microsoft Exchange Server Auth Certificate\nNotAfter : 16.05.2024 13:03:45\nNotBefore : 12.06.2019 13:03:45\nPublicKeySize : 2048\nRootCAType : None\nSerialNumber : 
3FA3FB76DCECADB34D854E3B57E7B444\nServices : SMTP\nStatus : Valid\nSubject : CN=Microsoft Exchange Server Auth Certificate\nThumbprint : 55DD15F0888D72C190275AEA32AF6334FA1692D3\n\nAccessRules :\nCertificateDomains : {VM-Exchange1, VM-Exchange1.xxyy.com}\nHasPrivateKey : True\nIsSelfSigned : True\nIssuer : CN=VM-Exchange1\nNotAfter : 12.06.2024 13:01:20\nNotBefore : 12.06.2019 13:01:20\nPublicKeySize : 2048\nRootCAType : Registry\nSerialNumber : 2FE1D7B0A226B3BE45B8221489A3C9F1\nServices : IIS, SMTP\nStatus : Valid\nSubject : CN=VM-Exchange1\nThumbprint : C39ADE37DE1F1FC600BBC9355649C5F4CE4D91D2\n\nAccessRules :\nCertificateDomains : {WMSvc-SHA2-VM-EXCHANGE1}\nHasPrivateKey : True\nIsSelfSigned : True\nIssuer : CN=WMSvc-SHA2-VM-EXCHANGE1\nNotAfter : 09.06.2029 09:19:23\nNotBefore : 12.06.2019 09:19:23\nPublicKeySize : 2048\nRootCAType : Registry\nSerialNumber : 35E7AED21CBD6D8642C7F5464A6DC0CE\nServices : None\nStatus : Valid\nSubject : CN=WMSvc-SHA2-VM-EXCHANGE1\nThumbprint : AB582231D6EE0C8F2CE111F1C73D5BD5BDCDFD37<\/code><\/pre>\n<\/div>\n\n\n\n<p>Display a short list of certificates and output the thumbprint only:<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># Get-ExchangeCertificate &gt; C:\\temp\\ExchangeCertThumbPrint.txt<\/code><\/pre>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Import a new certificate into the operating system certificate store<\/h4>\n\n\n\n<p>Hint: The certificate you want to import needs to be accessible by the user performing the action via a shared folder (UNC path required).<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># Import-ExchangeCertificate -Server &lt;YOURHOSTNAME&gt; -FileName \"\\\\&lt;YOURHOSTNAME&gt;\\certs\\ExchangeCert.pfx\" -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String \"YourCertificatePassword\" -AsPlainText -Force)\nThumbprint Services Subject\n---------- 
-------- -------\n1027DC200E3142D5336C814FD22B0A0C0CF43E99 IP..... CN=*.xxyy.com, O=XXYY AG, L=Some Location, S=Z\u00fcrich, ...<\/code><\/pre>\n<\/div>\n\n\n\n<p>On Exchange Server 2019 use the following command:<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># Import-ExchangeCertificate -Server &lt;YOURHOSTNAME&gt; -FileData ([System.IO.File]::ReadAllBytes('\\\\&lt;YOURHOSTNAME&gt;\\certs\\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String \"YourCertificatePassword\" -AsPlainText -Force)<\/code><\/pre>\n<\/div>\n\n\n\n<p>Hint: Save the thumbprint of the new certificate somewhere accessible; you will need the value during the next steps.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Assign the new certificate to the services of Exchange<\/h4>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># Enable-ExchangeCertificate -Thumbprint 1027DC200E3142D5336C814FD22B0A0C0CF43E99 -Services \"IIS,SMTP,POP,IMAP\"\n\nWARNING: This certificate with thumbprint 1027DC200E3142D5336C814FD22B0A0C0CF43E99 and subject '*.xxyy.com' cannot\nused for POP SSL\/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command\nSet-POPSettings to set X509CertificateName to the FQDN of the service.\n\nWARNING: This certificate with thumbprint 1027DC200E3142D5336C814FD22B0A0C0CF43E99 and subject '*.xxyy.com' cannot\nused for IMAP SSL\/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). 
Use command\nSet-IMAPSettings to set X509CertificateName to the FQDN of the service.\n\nConfirm\nOverwrite the existing default SMTP certificate?\n\nCurrent certificate: 'DBC4C763AE0EDD013C6036EB8F2932C4C02622F0' (expires 02.07.2021 17:00:00)\nReplace it with certificate: '1027DC200E3142D5336C814FD22B0A0C0CF43E99' (expires 24.06.2022 15:23:00)\n\n[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is \"Y\"): A<\/code><\/pre>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">List and replace the certificate of the Send Connector and the Receive Connector<\/h4>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># Get-SendConnector | list\n\nAddressSpaces : {SMTP:*;1}\nAuthenticationCredential : System.Management.Automation.PSCredential\nCloudServicesMailEnabled : False\nComment :\nConnectedDomains : {}\nConnectionInactivityTimeOut : 00:10:00\nConnectorType : Default\nDNSRoutingEnabled : False\nDomainSecureEnabled : False\nEnabled : True\nErrorPolicies : Default\nForceHELO : False\nFqdn :\nFrontendProxyEnabled : False\nHomeMTA : Microsoft MTA\nHomeMtaServerId : VM-EXCHANGE1\nIdentity : SmartHost Somehosting\nIgnoreSTARTTLS : False\nIsScopedConnector : False\nIsSmtpConnector : True\nMaxMessageSize : 35 MB (36,700,160 bytes)\nName : SmartHost Somehosting\nPort : 25\nProtocolLoggingLevel : None\nRegion : NotSpecified\nRequireOorg : False\nRequireTLS : False\nSmartHostAuthMechanism : BasicAuth\nSmartHosts : {relay.tux.somehosting-net.ch}\nSmartHostsString : relay.tux.somehosting-net.ch\nSmtpMaxMessagesPerConnection : 20\nSourceIPAddress : 0.0.0.0\nSourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)\nSourceTransportServers : {VM-EXCHANGE1}\nTlsAuthLevel :\nTlsCertificateName : &lt;I&gt;CN=QuoVadis Global SSL ICA G2, O=QuoVadis Limited, C=BM&lt;S&gt;CN=*.xxyy.com, O=XXYY AG, L=Some Location, S=Z\u00fcrich, C=CH\nTlsDomain :\nUseExternalDNSServersEnabled : True\n\n# $cert = Get-ExchangeCertificate 
-Thumbprint &lt;Thumbprint of the new Exchange certificate&gt;\n# $tlscertificate = ('&lt;I&gt;'+$cert.issuer+'&lt;S&gt;'+$cert.subject)\n# Set-SendConnector -Identity \"SmartHost Somehosting\" -TLSCertificateName $tlscertificate\n\n# Get-ReceiveConnector\n\nIdentity Bindings Enabled\n-------- -------- -------\nVM-EXCHANGE1\\Default VM-EXCHANGE1 {0.0.0.0:2525, [::]:2525} True\nVM-EXCHANGE1\\Client Proxy VM-EXCHANGE1 {[::]:465, 0.0.0.0:465} True\nVM-EXCHANGE1\\Default Frontend VM-EXCHANGE1 25 {[::]:25, 0.0.0.0:25} True\nVM-EXCHANGE1\\Outbound Proxy Frontend VM-EXCHANGE1 {[::]:717, 0.0.0.0:717} True\nVM-EXCHANGE1\\Client Frontend VM-EXCHANGE1 {[::]:587, 0.0.0.0:587} True\n\n# Set-ReceiveConnector \"VM-Exchange1\\Default Frontend VM-EXCHANGE1 25\" -TlsCertificateName $tlscertificate\n# Set-ReceiveConnector \"VM-Exchange1\\Outbound Proxy Frontend VM-EXCHANGE1\" -TlsCertificateName $tlscertificate\n# Set-ReceiveConnector \"VM-Exchange1\\Client Frontend VM-EXCHANGE1\" -TlsCertificateName $tlscertificate<\/code><\/pre>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Restart required services<\/h4>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># net stop \"Microsoft Exchange Frontend Transport\"\n# net stop \"Microsoft Exchange Transport\"\n# net stop \"Microsoft Exchange Mailbox Transport Delivery\"\n# net stop \"Microsoft Exchange Mailbox Transport Submission\"\n\n# net start \"Microsoft Exchange Frontend Transport\"\n# net start \"Microsoft Exchange Transport\"\n# net start \"Microsoft Exchange Mailbox Transport Delivery\"\n# net start \"Microsoft Exchange Mailbox Transport Submission\"<\/code><\/pre>\n<\/div>\n\n\n\n<p>In case you have POP\/IMAP enabled:<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># net stop \"Microsoft Exchange IMAP4\"\n# net stop \"Microsoft Exchange IMAP4 Backend\"\n# net stop \"Microsoft Exchange POP3\"\n# net stop 
\"Microsoft Exchange POP3 Backend\"\n\n# net start \"Microsoft Exchange IMAP4\"\n# net start \"Microsoft Exchange IMAP4 Backend\"\n# net start \"Microsoft Exchange POP3\"\n# net start \"Microsoft Exchange POP3 Backend\"<\/code><\/pre>\n<\/div>\n\n\n\n<p>Restart IIS in any case:<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># iisreset<\/code><\/pre>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Verify the certificates on your services locally<\/h4>\n\n\n\n<p>Verify that the certificates for all Send and Receive connectors have been replaced correctly.<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># Get-ReceiveConnector | Select Identity,TLSCertificateName | Out-GridView\n# Get-SendConnector | Select Identity,TLSCertificateName | Out-GridView<\/code><\/pre>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Verify the certificates on your services remotely<\/h4>\n\n\n\n<p>Install OpenSSL on a machine of your choice. If you are running Windows, <a href=\"https:\/\/slproweb.com\/products\/Win32OpenSSL.html\" target=\"_blank\" rel=\"noopener\">have a look at this website<\/a>.<\/p>\n\n\n\n<p>Hint: The following commands are executed via &#8220;OpenSSL Command Prompt&#8221;.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">SMTP service<\/h6>\n\n\n\n<p>Verify the correct SSL\/TLS certificate has been enabled on your SMTP service on TCP Port 25 or 587.<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># openssl s_client -starttls smtp -showcerts -connect mail.xxyy.com:25 -servername mail.xxyy.com\nCONNECTED(000000EC)\ndepth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\nverify error:num=20:unable to get local issuer certificate\nverify return:1\ndepth=0 C = CH, ST = Z\\C3\\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com\nverify return:1\n---\nCertificate chain\n0 s:C = CH, ST = 
Z\\C3\\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com\ni:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\n-----BEGIN CERTIFICATE-----\nMIIG8zCCBdugAwIBAgIUVu5f7vSfCRIhAb2J8Hc6AqllCxUwDQYJKoZIhvcNAQEL\nBQAwTTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxIzAh\nBgNVBAMTGlF1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBIEcyMB4XDTIxMDYyNDEzMTMy\nMVoXDTIyMDYyNDEzMjMwMFowaDELMAkGA1UEBhMCQ0gxEDAOBgNVBAgMB1rDvHJp\nY2gxEjAQBgNVBAcMCVN0ZWlubWF1cjEbMBkGA1UECgwSVm9uZXNjbyBDb250cm9s\nIEFHMRYwFAYDVQQDDA0qLnZvbmVzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEA0SnOxpZ3cDgkZ4X2AYywbtV8jjivua09BK2hmubNtVCBTILg\n7AI8ifYEyNjjWo2AHWspr77IWUzcOo2NASSDwso8zT3ThVMZx14C6p0oMoyfTVzE\n3yt41MYp2KbPTSb3KsvpzVWNTIraJ54AllaZvMy1Ev0K7FHgqadPTc+dhC57bBtA\nmNqy7JSFTNlqLW0wXrv5lMn3eBjJA6ffykPwQjUBeDu0HHiPSdPUng2YPIuSJJTM\nQwSk2LrrV+6IR+EJ3p1pyeJMntgp7v328VjAQSQ+4gOgRG4jmgoKXYbPupzZScIK\nHPyxt1Pl3DoPq9xPSm6tKaTiG7TDA2fOeKF9FQIDAQABo4IDrjCCA6owCQYDVR0T\nBAIwADAfBgNVHSMEGDAWgBSRGWKtWxenMPvw3jklsb2MubhRJzBzBggrBgEFBQcB\nAQRnMGUwNwYIKwYBBQUHMAKGK2h0dHA6Ly90cnVzdC5xdW92YWRpc2dsb2JhbC5j\nb20vcXZzc2xnMi5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnF1b3ZhZGlz\nZ2xvYmFsLmNvbTAlBgNVHREEHjAcgg0qLnZvbmVzY28uY29tggt2b25lc2NvLmNv\nbTBbBgNVHSAEVDBSMEYGDCsGAQQBvlgAAmQBATA2MDQGCCsGAQUFBwIBFihodHRw\nOi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MAgGBmeBDAECAjAd\nBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwOgYDVR0fBDMwMTAvoC2gK4Yp\naHR0cDovL2NybC5xdW92YWRpc2dsb2JhbC5jb20vcXZzc2xnMi5jcmwwHQYDVR0O\nBBYEFDHDJGfAKTQjs7\/CdROVyLTZPyNYMA4GA1UdDwEB\/wQEAwIFoDCCAfcGCisG\nAQQB1nkCBAIEggHnBIIB4wHhAHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jw\nkGKWBvYAAAF6PjB2EwAABAMARzBFAiEAtXFmojr9NUNi289Yn29hUB+snYrC749T\n2Gn64mlgRxQCIHvfKPEnADZovX3VMtsOdo+FfzB2PQwDe5Hf\/SlZ5gSeAHUAKXm+\n8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF6PjB16gAABAMARjBEAiAg\nbbEyktE82841yaCzDGFfYs4guqWG3bwFlTRyoQTLUwIgP4UKMiEbZ6GHaScF+z0m\nZq8tqCTmW13VpwXGVjLJQewAdwBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6od\nBxPTDAAAAXo+MHYTAAAEAwBIMEYCIQCaVquPf+jWltFVuezGdQgYGV1Ty
S3xsEGu\n1gqk5nQ0EgIhAKRHmZ+o6pGTlWxZeQxu0HO\/sE6FHRcWQ8ZHGYQ2co66AHcARqVV\n63X6kSAwtaKJafTzfREsQXS+\/Um4havy\/HD+bUcAAAF6PjB2BwAABAMASDBGAiEA\nmDpCTm7RXQfDOoETj326\/BG2BUeJXDDsBf4Rr8mH+SYCIQDEx8IM1clNa4s11UeH\nac0z90ycdBe9YDXv71EoFIMMtDANBgkqhkiG9w0BAQsFAAOCAQEAnvt3BIuj1T0D\n3YPZs\/VyPr6OGEleH7hdVI50nYEewAWOLlG7PuuO2kY+tJ\/+c3jpu4+3KCjG4dpY\n+R6asMio00KdIgcSSnFCmpO0n1sOaqI4xjmdZ1uBHmgMDTDaHyEi1sq\/hYNPlvbq\ngC4Xe7VRmZicG20V7Q\/FD\/xqX3AZxaugGTnOXhXakDKlOP8ZF+w1nN0P4QN7sr5h\n+egbvVb0MzMkkhLERxiB9NF9xTFaWartIZLWqt\/q\/StCPhMPrmhH1GX8cDA\/3+r3\nYSW+qRAozfeAOvRag3T6Hnez9YRGcqMCRbYvzvB4dR8AQFFK\/i5o7j7CZeQIJotn\n-----END CERTIFICATE-----\n1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\ni:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2\n-----BEGIN CERTIFICATE-----\nMIIFpDCCA4ygAwIBAgIUGm7ok8N0lzjhKszHeowKyxZ+rxQwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZ\nBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0yMDA5MjIxOTE1NTlaFw0yMzA2\nMDExMzM1MDVaME0xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p\ndGVkMSMwIQYDVQQDExpRdW9WYWRpcyBHbG9iYWwgU1NMIElDQSBHMjCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHhhWmUwI9X+jT+wbho5JmQqYh6zle3\n0OS1VMIYfdDDGeipY4D3t9zSGaNasGDZdrQdMlY18WyjnEKhi4ojNZdBewVphCiO\nzh5Ni2Ak8bSI\/sBQ9sKPrpd0+UCqbvaGs6Tpx190ZRT0Pdy+TqOYZF\/jBmzBj7Yf\nXJmWxlfCy62UiQ6tvv+4C6W2OPu1R4HUD8oJ8Qo7Eg0cD+GFsBM2w8soffyl+Dc6\npKtARmOClUC7EqyWP0V9953lA34kuJZlYxxdgghBTn9rWoaQw\/Lr5Fn0Xgd7fYS3\n\/zGhmXYvVsuAxIn8Gk+YaeoLZ8H9tUvnDD3lEHzvIsMPxqtd7IgcVaMCAwEAAaOC\nAYIwggF+MBIGA1UdEwEB\/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUGoRivEhMMyUE\n1O7Q9gPEGUbRlGswcgYIKwYBBQUHAQEEZjBkMDYGCCsGAQUFBzAChipodHRwOi8v\ndHJ1c3QucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNhMi5jcnQwKgYIKwYBBQUHMAGG\nHmh0dHA6Ly9vY3NwLnF1b3ZhZGlzZ2xvYmFsLmNvbTBKBgNVHSAEQzBBMD8GBFUd\nIAAwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29t\nL3JlcG9zaXRvcnkwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDkGA1Ud\nHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNh\nMi5jcmwwHQY
DVR0OBBYEFJEZYq1bF6cw+\/DeOSWxvYy5uFEnMA4GA1UdDwEB\/wQE\nAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAWNELUhzNSHcK+M1HkEDA4ty\/O9VC3idO\nyrAEm72NKE+iLJ6cjN3ofG2+xFDBR+yExpg+WT\/fn\/H1mCTQdCkrsDIFe\/rqTv9P\nB1PSRoH\/MnsWdN9uutlgfBXL3EdrdjyJH0s8Fpbbm5JXSnsfl35NO+0Hppe6gBIZ\n8njcVIMg7j84f7b8iYm0YuBTW7gPvKfs0wRVRguyH++9g+UDQI6e55aqIF6bKBqB\n3WhWnvx2F6hSZhhmJLhHJNtvKjbyjUqO4EI+TJCnM1nnNffVO4PI1BuIc4yPSSSA\nHZ9nvKJ4rTfWB8edjON1OLSFM5MBEnZD7Gni79McDlBP\/SlnFwOfq2xhmlinaLXe\n0QLipUkq5EH4QnUdz6ShtQfSd8QauTtLZdUNRwsuu6z5sQGmJdSjTzF5Wn1Y4\/Xp\nCwf63gWQDqj7kXC0VI46TjcrdzQXp3IscYAmBF7mALa0wLuBKy8ZB4wMlRMAY7j8\nKSsyg1Sz1rWbq+eap\/IATpQoiymHKgwvP8ERSJX6XWFwWvAQjIv+aZu4yh+h+h1O\njVY\/VXH\/M\/lvwf7crVy4n0G+dGROcHQO8sN+MF8\/JLXZDQGR7spYYG19Mw849kcb\nYcaWEd57LH1jGhuY+IdemBUALfw6V8VIvJfLWGBG+35DjkBiin9kKcTT9ySYu9Pz\n-----END CERTIFICATE-----\n---\nServer certificate\nsubject=C = CH, ST = Z\\C3\\BCrich, L = Some Location, O = XXYYl AG, CN = *.xxyy.com\nissuer=C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\n---\nNo client certificate CA names sent\nPeer signing digest: SHA256\nPeer signature type: RSA\nServer Temp Key: ECDH, P-256, 256 bits\n---\nSSL handshake has read 4100 bytes and written 477 bytes\nVerification error: unable to get local issuer certificate\n---\nNew, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\nServer public key is 2048 bit\nSecure Renegotiation IS supported\nCompression: NONE\nExpansion: NONE\nNo ALPN negotiated\nSSL-Session:\nProtocol : TLSv1.2\nCipher : ECDHE-RSA-AES128-GCM-SHA256\nSession-ID: 0B350000FAD6E629970622934B737056D49C44F3CCABCC58E8AA6A5CC26FCD27\nSession-ID-ctx:\nMaster-Key: 8159B578686649D62C61D7FA14FAF6432E654C784414FC19B90CE858C1A682FA\n3FD0555028EB68E051835427D4837B1B\nPSK identity: None\nPSK identity hint: None\nSRP username: None\nStart Time: 1625123903\nTimeout : 7200 (sec)\nVerify return code: 20 (unable to get local issuer certificate)\nExtended master secret: yes\n---\n250 XRDST<\/code><\/pre>\n<\/div>\n\n\n\n<h6 
class=\"wp-block-heading\">HTTPS service<\/h6>\n\n\n\n<p>Verify the correct SSL\/TLS certificate has been enabled on your HTTPS service on TCP Port 443.<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># openssl s_client -showcerts -connect mail.xxyy.com:https\nCONNECTED(00000150)\ndepth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\nverify error:num=20:unable to get local issuer certificate\nverify return:1\ndepth=0 C = CH, ST = Z\\C3\\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com\nverify return:1\n---\nCertificate chain\n0 s:C = CH, ST = Z\\C3\\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com\ni:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\n-----BEGIN CERTIFICATE-----\nMIIG8zCCBdugAwIBAgIUVu5f7vSfCRIhAb2J8Hc6AqllCxUwDQYJKoZIhvcNAQEL\nBQAwTTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxIzAh\nBgNVBAMTGlF1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBIEcyMB4XDTIxMDYyNDEzMTMy\nMVoXDTIyMDYyNDEzMjMwMFowaDELMAkGA1UEBhMCQ0gxEDAOBgNVBAgMB1rDvHJp\nY2gxEjAQBgNVBAcMCVN0ZWlubWF1cjEbMBkGA1UECgwSVm9uZXNjbyBDb250cm9s\nIEFHMRYwFAYDVQQDDA0qLnZvbmVzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEA0SnOxpZ3cDgkZ4X2AYywbtV8jjivua09BK2hmubNtVCBTILg\n7AI8ifYEyNjjWo2AHWspr77IWUzcOo2NASSDwso8zT3ThVMZx14C6p0oMoyfTVzE\n3yt41MYp2KbPTSb3KsvpzVWNTIraJ54AllaZvMy1Ev0K7FHgqadPTc+dhC57bBtA\nmNqy7JSFTNlqLW0wXrv5lMn3eBjJA6ffykPwQjUBeDu0HHiPSdPUng2YPIuSJJTM\nQwSk2LrrV+6IR+EJ3p1pyeJMntgp7v328VjAQSQ+4gOgRG4jmgoKXYbPupzZScIK\nHPyxt1Pl3DoPq9xPSm6tKaTiG7TDA2fOeKF9FQIDAQABo4IDrjCCA6owCQYDVR0T\nBAIwADAfBgNVHSMEGDAWgBSRGWKtWxenMPvw3jklsb2MubhRJzBzBggrBgEFBQcB\nAQRnMGUwNwYIKwYBBQUHMAKGK2h0dHA6Ly90cnVzdC5xdW92YWRpc2dsb2JhbC5j\nb20vcXZzc2xnMi5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnF1b3ZhZGlz\nZ2xvYmFsLmNvbTAlBgNVHREEHjAcgg0qLnZvbmVzY28uY29tggt2b25lc2NvLmNv\nbTBbBgNVHSAEVDBSMEYGDCsGAQQBvlgAAmQBATA2MDQGCCsGAQUFBwIBFihodHRw\nOi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MAgGBmeBDAECAjAd\nBgNVHSUEFjAUBggrB
gEFBQcDAgYIKwYBBQUHAwEwOgYDVR0fBDMwMTAvoC2gK4Yp\naHR0cDovL2NybC5xdW92YWRpc2dsb2JhbC5jb20vcXZzc2xnMi5jcmwwHQYDVR0O\nBBYEFDHDJGfAKTQjs7\/CdROVyLTZPyNYMA4GA1UdDwEB\/wQEAwIFoDCCAfcGCisG\nAQQB1nkCBAIEggHnBIIB4wHhAHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jw\nkGKWBvYAAAF6PjB2EwAABAMARzBFAiEAtXFmojr9NUNi289Yn29hUB+snYrC749T\n2Gn64mlgRxQCIHvfKPEnADZovX3VMtsOdo+FfzB2PQwDe5Hf\/SlZ5gSeAHUAKXm+\n8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF6PjB16gAABAMARjBEAiAg\nbbEyktE82841yaCzDGFfYs4guqWG3bwFlTRyoQTLUwIgP4UKMiEbZ6GHaScF+z0m\nZq8tqCTmW13VpwXGVjLJQewAdwBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6od\nBxPTDAAAAXo+MHYTAAAEAwBIMEYCIQCaVquPf+jWltFVuezGdQgYGV1TyS3xsEGu\n1gqk5nQ0EgIhAKRHmZ+o6pGTlWxZeQxu0HO\/sE6FHRcWQ8ZHGYQ2co66AHcARqVV\n63X6kSAwtaKJafTzfREsQXS+\/Um4havy\/HD+bUcAAAF6PjB2BwAABAMASDBGAiEA\nmDpCTm7RXQfDOoETj326\/BG2BUeJXDDsBf4Rr8mH+SYCIQDEx8IM1clNa4s11UeH\nac0z90ycdBe9YDXv71EoFIMMtDANBgkqhkiG9w0BAQsFAAOCAQEAnvt3BIuj1T0D\n3YPZs\/VyPr6OGEleH7hdVI50nYEewAWOLlG7PuuO2kY+tJ\/+c3jpu4+3KCjG4dpY\n+R6asMio00KdIgcSSnFCmpO0n1sOaqI4xjmdZ1uBHmgMDTDaHyEi1sq\/hYNPlvbq\ngC4Xe7VRmZicG20V7Q\/FD\/xqX3AZxaugGTnOXhXakDKlOP8ZF+w1nN0P4QN7sr5h\n+egbvVb0MzMkkhLERxiB9NF9xTFaWartIZLWqt\/q\/StCPhMPrmhH1GX8cDA\/3+r3\nYSW+qRAozfeAOvRag3T6Hnez9YRGcqMCRbYvzvB4dR8AQFFK\/i5o7j7CZeQIJotn\n-----END CERTIFICATE-----\n1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\ni:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2\n-----BEGIN 
CERTIFICATE-----\nMIIFpDCCA4ygAwIBAgIUGm7ok8N0lzjhKszHeowKyxZ+rxQwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZ\nBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0yMDA5MjIxOTE1NTlaFw0yMzA2\nMDExMzM1MDVaME0xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p\ndGVkMSMwIQYDVQQDExpRdW9WYWRpcyBHbG9iYWwgU1NMIElDQSBHMjCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHhhWmUwI9X+jT+wbho5JmQqYh6zle3\n0OS1VMIYfdDDGeipY4D3t9zSGaNasGDZdrQdMlY18WyjnEKhi4ojNZdBewVphCiO\nzh5Ni2Ak8bSI\/sBQ9sKPrpd0+UCqbvaGs6Tpx190ZRT0Pdy+TqOYZF\/jBmzBj7Yf\nXJmWxlfCy62UiQ6tvv+4C6W2OPu1R4HUD8oJ8Qo7Eg0cD+GFsBM2w8soffyl+Dc6\npKtARmOClUC7EqyWP0V9953lA34kuJZlYxxdgghBTn9rWoaQw\/Lr5Fn0Xgd7fYS3\n\/zGhmXYvVsuAxIn8Gk+YaeoLZ8H9tUvnDD3lEHzvIsMPxqtd7IgcVaMCAwEAAaOC\nAYIwggF+MBIGA1UdEwEB\/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUGoRivEhMMyUE\n1O7Q9gPEGUbRlGswcgYIKwYBBQUHAQEEZjBkMDYGCCsGAQUFBzAChipodHRwOi8v\ndHJ1c3QucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNhMi5jcnQwKgYIKwYBBQUHMAGG\nHmh0dHA6Ly9vY3NwLnF1b3ZhZGlzZ2xvYmFsLmNvbTBKBgNVHSAEQzBBMD8GBFUd\nIAAwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29t\nL3JlcG9zaXRvcnkwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDkGA1Ud\nHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNh\nMi5jcmwwHQYDVR0OBBYEFJEZYq1bF6cw+\/DeOSWxvYy5uFEnMA4GA1UdDwEB\/wQE\nAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAWNELUhzNSHcK+M1HkEDA4ty\/O9VC3idO\nyrAEm72NKE+iLJ6cjN3ofG2+xFDBR+yExpg+WT\/fn\/H1mCTQdCkrsDIFe\/rqTv9P\nB1PSRoH\/MnsWdN9uutlgfBXL3EdrdjyJH0s8Fpbbm5JXSnsfl35NO+0Hppe6gBIZ\n8njcVIMg7j84f7b8iYm0YuBTW7gPvKfs0wRVRguyH++9g+UDQI6e55aqIF6bKBqB\n3WhWnvx2F6hSZhhmJLhHJNtvKjbyjUqO4EI+TJCnM1nnNffVO4PI1BuIc4yPSSSA\nHZ9nvKJ4rTfWB8edjON1OLSFM5MBEnZD7Gni79McDlBP\/SlnFwOfq2xhmlinaLXe\n0QLipUkq5EH4QnUdz6ShtQfSd8QauTtLZdUNRwsuu6z5sQGmJdSjTzF5Wn1Y4\/Xp\nCwf63gWQDqj7kXC0VI46TjcrdzQXp3IscYAmBF7mALa0wLuBKy8ZB4wMlRMAY7j8\nKSsyg1Sz1rWbq+eap\/IATpQoiymHKgwvP8ERSJX6XWFwWvAQjIv+aZu4yh+h+h1O\njVY\/VXH\/M\/lvwf7crVy4n0G+dGROcHQO8sN+MF8\/JLXZDQGR7spYYG19Mw849kcb\nYcaWEd57LH1jGhuY+IdemBUALfw6V8VIvJfLWGBG+35DjkBii
n9kKcTT9ySYu9Pz\n-----END CERTIFICATE-----\n---\nServer certificate\nsubject=C = CH, ST = Z\\C3\\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com\nissuer=C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2\n---\nNo client certificate CA names sent\nPeer signing digest: SHA256\nPeer signature type: RSA\nServer Temp Key: ECDH, P-256, 256 bits\n---\nSSL handshake has read 3722 bytes and written 444 bytes\nVerification error: unable to get local issuer certificate\n---\nNew, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\nServer public key is 2048 bit\nSecure Renegotiation IS supported\nCompression: NONE\nExpansion: NONE\nNo ALPN negotiated\nSSL-Session:\nProtocol : TLSv1.2\nCipher : ECDHE-RSA-AES128-GCM-SHA256\nSession-ID: E10A0000910489F61D90958185B808B796ABFC1D2AB3381E117621ADC83A5824\nSession-ID-ctx:\nMaster-Key: 5ECD152DB1A02AF869DF7AE62440946EF7B136EAD4CA1EC54F9DDC2EBB8610FF\n96A901F01CA46D90112B0A6BA60225F7\nPSK identity: None\nPSK identity hint: None\nSRP username: None\nStart Time: 1625124467\nTimeout : 7200 (sec)\nVerify return code: 20 (unable to get local issuer certificate)\nExtended master secret: yes\n---<\/code><\/pre>\n<\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Additional services<\/h6>\n\n\n\n<p>Find below additional openssl commands to verify additional services<\/p>\n\n\n\n<p>SMTP via SSL using port 465:<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># openssl s_client -showcerts -connect mail.example.com:465 -servername mail.example.com<\/code><\/pre>\n<\/div>\n\n\n\n<p>POP3 via SSL using port 995<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># openssl s_client -showcerts -connect mail.example.com:995 -servername mail.example.com<\/code><\/pre>\n<\/div>\n\n\n\n<p>IMAP via SSL using port 993<\/p>\n\n\n\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" 
data-lang=\"Bash\"><code># openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com<\/code><\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial describes how to install or replace a SSL\/TLS certificate on a on-premise Microsoft Exchange Server. Hint: All commands are executed via Exchange Management Shell. Get a list of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1290,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[138,3],"tags":[140,139,9,122,141,28],"class_list":["post-1282","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exchange-server","category-mswin","tag-certificate","tag-exchange","tag-microsoft","tag-ssl","tag-tls","tag-windows"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/07\/post-exchange-20161.jpg?fit=710%2C315&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8sxjX-kG","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[
{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/comments?post=1282"}],"version-history":[{"count":11,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1282\/revisions"}],"predecessor-version":[{"id":1755,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1282\/revisions\/1755"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/media\/1290"}],"wp:attachment":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/media?parent=1282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/categories?post=1282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/tags?post=1282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}