How Do I Manage a UCC Certificate on Exchange 2007?

Important: This article applies to customers with SSL services only.

Overview

This article will go into detail on how to generate a UCC Certificate Signing Request and install a UCC certificate on Exchange 2007.

How to Generate a UCC CSR

To create a CSR on Exchange 2007, you must use the New-ExchangeCertificate cmdlet, which is run from the Exchange Management Shell (EMS). To access Exchange Management Shell cmdlets, you must load the Exchange Management Shell from the Microsoft Exchange Server 2007 program menu.

Exchange Management Shell

  1. Click Start, click Programs, and then click Microsoft Exchange Server 2007.
     
  2. Then click Exchange Management Shell.

    The 'GenerateRequest' parameter for this cmdlet will create the CSR as a PKCS#10 file, which we will then use to create your certificate.
     
  3. The 'SubjectName' parameter contains the details that are signed into the certificate. The 'CN' parameter is the PrimaryDomainName (Please use a fully qualified domain name [FQDN]), and should also be entered into the order form.

    An example command to generate a request would be:

    -> New-ExchangeCertificate -GenerateRequest -SubjectName "C=GB, O=Some Company, CN=exchange.example.net" -KeySize 2048 -Path c:\exchange.example.net.req
     
  4. The resulting 'exchange.example.net.req' file can be opened in Notepad or a similar text editor and pasted into the order form.

    If you plan on exporting your certificate from your server or making a backup, you need to use the below command to enable this:

    -> New-ExchangeCertificate -GenerateRequest -SubjectName "C=GB, O=Some Company, CN=exchange.example.net" -KeySize 2048 -Path c:\exchange.example.net.req -PrivateKeyExportable $true

    This is the bare minimum that we require for UCC CSRs. Adding extra flags to the above command(s) may not have the intended result. We do not need the other domains included in the CSR, as there are other places for them on the UCC order form. If you want to include them in the CSR anyway, use the following command:

    -> New-ExchangeCertificate -GenerateRequest -SubjectName "C=GB, O=Some Company, CN=exchange.example.net" -KeySize 2048 -DomainName server1, imap.server1.com, exchange.example.net, pop.server1.com -Path c:\exchange.example.net.req -PrivateKeyExportable $true

Note: CN = Common Name, C = 2-letter ISO country code, O = Your Company Name

For more information on the Office Communications Server 2007 Certificate Wizard and installing certificates for Office Communications Server, see the deployment documentation available on the Office Communications Server 2007 Technical Library.

 

How to Install a UCC Certificate

Once you have purchased your UCC certificate from our partner Sectigo, and the domains have been validated as under your ownership, you will receive an email containing the certificate.
The certificate file should be copied onto your Exchange 2007 server. It is then installed using the Import-ExchangeCertificate cmdlet.

Note: Do NOT use the Certificates snap-in for the MMC to install the certificate. This will not work for Exchange 2007!

Open the Exchange Management Shell:

  1. Click Start, click Programs, and then click Microsoft Exchange Server 2007.
  2. Then click Exchange Management Shell.

    In this example, the certificate file is copied to the server as the file c:\exchange_example_net.crt

    Note: If a UCC was purchased, your certificate file will be named either ORDER_NUMBER.crt or after the FQDN that you applied for.
  3. Import-ExchangeCertificate -Path c:\exchange_example_net.crt | Enable-ExchangeCertificate -Services SMTP ; where c:\exchange_example_net.crt is your certificate that you received.

    The 'Services' flag sets which services the certificate is enabled for.

    Valid options include: SMTP IMAP POP IIS UM

    To enable multiple services:

    Import-ExchangeCertificate -Path c:\exchange_example_net.crt | Enable-ExchangeCertificate -Services "SMTP, POP, IMAP, IIS"; where c:\exchange_example_net.crt is your certificate that you received.

    Note: Once you have installed the site certificate, you may need to follow the procedure outlined in "Root and Intermediate Certificate installation via MMC" with the other files that you have been sent in order to complete the installation.

 

Managing UCC Certificates on Exchange 2007

Renewing a UCC Certificate

To renew a UCC certificate on Exchange 2007:

  1. Generate a new CSR using the steps in How to Generate a UCC CSR.
  2. Submit the CSR to your certificate provider (e.g., Sectigo) for renewal.
  3. Once you receive the renewed certificate, follow the installation steps in How to Install a UCC Certificate.
  4. Remove the old certificate using the command:
    Remove-ExchangeCertificate -Thumbprint <old_certificate_thumbprint>

Revoking a UCC Certificate

To revoke a UCC certificate:

  1. Contact your certificate authority (CA) to request revocation.
  2. After revocation, remove the certificate from Exchange 2007:
    Remove-ExchangeCertificate -Thumbprint <certificate_thumbprint>

Replacing a UCC Certificate

To replace an expired or compromised UCC certificate:

  1. Generate a new CSR and obtain a replacement certificate.
  2. Install the new certificate as described above.
  3. Assign services to the new certificate:
    Enable-ExchangeCertificate -Thumbprint <new_thumbprint> -Services "SMTP, POP, IMAP, IIS"
  4. Remove the old certificate:
    Remove-ExchangeCertificate -Thumbprint <old_thumbprint>
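
The renewal and replacement procedures above both end by removing the old certificate. The following added example (not part of the original article) checks that the new certificate covers the old one's host names and services before that step is run. Test-UccReplacement is a hypothetical helper name, the sample objects are constructed, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Test-UccReplacement is a hypothetical helper, not an Exchange cmdlet.
# It reads only properties that Get-ExchangeCertificate objects expose:
# NotAfter, Services and CertificateDomains.
function Test-UccReplacement {
    param($Old, $New, [datetime]$Now = (Get-Date))
    $problems = @()

    # The replacement must still be inside its validity period.
    if ($New.NotAfter -le $Now) {
        $problems += "new certificate expired on $($New.NotAfter)"
    }

    # Every host name on the old certificate should be on the new one,
    # otherwise clients using that name get a name-mismatch warning.
    $newNames = @($New.CertificateDomains | ForEach-Object { "$_" })
    foreach ($name in $Old.CertificateDomains) {
        if ($newNames -notcontains "$name") {
            $problems += "host name not covered: $name"
        }
    }

    # Services is a flags value that prints as e.g. 'IMAP, POP, IIS, SMTP'.
    # Every service bound to the old certificate must be enabled on the new one.
    $newServices = @("$($New.Services)" -split '\s*,\s*')
    foreach ($service in ("$($Old.Services)" -split '\s*,\s*')) {
        if ($service -ne 'None' -and $newServices -notcontains $service) {
            $problems += "service not enabled on new certificate: $service"
        }
    }
    $problems
}

# Constructed sample objects so the check runs outside Exchange. In the
# Exchange Management Shell use instead:
#   $old = Get-ExchangeCertificate -Thumbprint <old_thumbprint>
#   $new = Get-ExchangeCertificate -Thumbprint <new_thumbprint>
$old = New-Object PSObject -Property @{
    Thumbprint = '<old_thumbprint>'; NotAfter = (Get-Date).AddDays(-1)
    Services = 'IMAP, POP, IIS, SMTP'
    CertificateDomains = @('exchange.example.net', 'imap.server1.com', 'pop.server1.com')
}
$new = New-Object PSObject -Property @{
    Thumbprint = '<new_thumbprint>'; NotAfter = (Get-Date).AddYears(1)
    Services = 'SMTP'     # only SMTP enabled so far
    CertificateDomains = @('exchange.example.net', 'imap.server1.com')
}

$problems = @(Test-UccReplacement -Old $old -New $new)
if ($problems.Count -eq 0) { "OK to remove $($old.Thumbprint)" } else { $problems }
```

Run Remove-ExchangeCertificate on the old thumbprint only when the check reports no problems.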

Viewing Installed UCC Certificates

To list all installed certificates on Exchange 2007:

Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter

Troubleshooting UCC Certificate Issues

  • If services are not working after installation, verify the certificate assignment using:
    Get-ExchangeCertificate | Format-List Services, Thumbprint, Status
  • Check for certificate expiration dates and renew as needed.
  • For MMC errors, remember: Do NOT use the Certificates snap-in for the MMC to install the certificate. This will not work for Exchange 2007!

Action | Command/Procedure
Renew | Generate new CSR, install new certificate, remove old certificate
Revoke | Contact CA, remove certificate from Exchange
Replace | Install new certificate, assign services, remove old certificate
Remove | Remove-ExchangeCertificate -Thumbprint <value>
View | Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter