KB ID 0001739
Problem
A couple of weeks ago I wrote an article about getting free certificates for IIS with ‘Let’s Encrypt’. Last week the renewal for my ‘test’ Exchange server’s certificate came through. So I thought “Why don’t I try and get a ‘Free Exchange Certificate’?”
Free Exchange Certificate
Before we start, let’s take a moment to look at our existing Exchange certificate. As you can see it’s a publicly signed and trusted certificate; the only thing wrong with it is that it expires in a couple of weeks. Yours may already have expired, or you may be running a self-signed SSL certificate (horror!).
To do all the heavy lifting you need a piece of software; the easiest I’ve seen is win-acme (at the time of writing the latest version is 2.1.14.996). You simply download it as a zip file.
Extract the contents of that zip file to a folder on your hard drive.
Apply For & Install the Free Exchange Certificate
Open an administrative command prompt > Navigate to the folder you just extracted > Run wacs.exe
WARNING: Other run-throughs I’ve read show different option numbers (wacs.exe has obviously been updated since). So instead of just posting the number to select, I’ll post the option text, then put the number (or letter) of that option in brackets, in case they change the option numbers again!
Create a new certificate (full options) {m} > Manual Input {2}.
Manual Input {2} > Enter the public fully qualified domain name(s) of your Exchange server (separated by commas) > Press Enter to accept the default friendly name (unless you want to specify your own).
[http-01] Serve certification files from memory {2} > RSA Key {2}.
Note: Let’s Encrypt validates the HTTP-01 challenge by connecting inbound to TCP port 80 on each hostname you entered, so port 80 must be open from the internet to the Exchange server while the request (and every renewal) runs. In most cases you will only have HTTPS (TCP port 443) published, so check your firewall first; with only 443 open the challenge simply fails.
Windows certificate store {4} > No (additional) store steps {5}.
Create or update https binding in IIS {1} > Default Web Site {1} > Start external script or program {3} > Paste in the following;
[box]
./Scripts/ImportExchange.ps1
[/box]
At the prompt paste in the following;
[box]
'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'
[/box]
No (additional) installation steps {4}.
Open the terms and conditions? No (otherwise it opens them in another window) > Accept the terms? Yes (your soul now belongs to Let’s Encrypt!) > Type in an email address > Quit {q}
Now reconnect to either OWA or the Exchange Admin Center (Servers > Certificates) and you should see the new certificate, issued by Let’s Encrypt and assigned to the IIS, SMTP and IMAP services.
It only lasts three months? That’s correct, but:
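The same request run unattended and then checked, as an added example that is not from the original article or from the win-acme project. The wacs.exe switches are win-acme’s command-line equivalents of the menu choices above as I understand them (manual target, self-hosted HTTP-01 validation, RSA key, certificate store, external script); confirm them against `wacs.exe --help` for your version. The hostnames, email address and install path are constructed placeholders, and the script assumes it is run from an elevated Exchange Management Shell so that Get-ExchangeCertificate is available.

```powershell
# Added example (not from the original article): unattended equivalent of the
# interactive wacs.exe walk-through, followed by a post-install check.
# Assumptions: win-acme extracted to C:\win-acme; run from an elevated
# Exchange Management Shell; hostnames/email below replaced with your own.
$WacsDir = 'C:\win-acme'
$Hosts   = 'mail.example.com,autodiscover.example.com'   # constructed sample names
$Email   = 'admin@example.com'                            # constructed sample address

# Same parameter string the article pastes into the "external script" prompt.
$ScriptParams = "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

# Menu choice -> switch (verify with wacs.exe --help on your version):
#   Manual Input                   -> --target manual --host
#   Serve files from memory        -> --validation selfhosting
#   RSA key                        -> --csr rsa
#   Windows certificate store      -> --store certificatestore
#   Start external script/program  -> --installation script --script --scriptparameters
& "$WacsDir\wacs.exe" --target manual --host $Hosts `
    --validation selfhosting --csr rsa `
    --store certificatestore `
    --installation script --script "$WacsDir\Scripts\ImportExchange.ps1" `
    --scriptparameters $ScriptParams `
    --emailaddress $Email --accepttos
if ($LASTEXITCODE -ne 0) { throw "wacs.exe failed with exit code $LASTEXITCODE" }

function Test-ExchangeLetsEncryptCert {
    # Returns $true when a Let's Encrypt certificate covering $HostName is bound to
    # IIS (and therefore OWA/ECP/EWS) and still has at least $MinDaysLeft to run.
    param([string]$HostName, [int]$MinDaysLeft = 14)
    $cert = Get-ExchangeCertificate |
        Where-Object {
            $_.Issuer -like "*Let's Encrypt*" -and
            (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $HostName) -and
            ($_.Services -match 'IIS')
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Host "No Let's Encrypt certificate bound to IIS for $HostName"; return $false }
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    Write-Host ("{0} expires in {1} days, services: {2}" -f $cert.Thumbprint, $daysLeft, $cert.Services)
    return ($daysLeft -ge $MinDaysLeft)
}

function Test-WinAcmeRenewalTask {
    # Confirms the renewal task win-acme registers exists and is enabled.
    $task = Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue
    if (-not $task) { Write-Host 'No win-acme scheduled task found'; return $false }
    $info = $task | Get-ScheduledTaskInfo
    Write-Host ("Task '{0}' state {1}, next run {2}" -f $task.TaskName, $task.State, $info.NextRunTime)
    return ($task.State -ne 'Disabled')
}

$ok = (Test-ExchangeLetsEncryptCert -HostName 'mail.example.com') -and (Test-WinAcmeRenewalTask)
if (-not $ok) { throw 'Certificate or renewal task check failed; review the wacs.exe output' }
```

Add `--test` to the wacs.exe line while you are experimenting: it points win-acme at the Let’s Encrypt staging environment, so a mistake in the hostnames or firewall does not burn through the production rate limits (the staging certificate will not be trusted by clients, so drop the switch for the real run).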
Let’s Encrypt Free Exchange Certificate Auto Renewal
As well as getting your certificate, win-acme also created a scheduled task that runs daily, checks the certificate’s remaining validity and renews it (re-running the ImportExchange.ps1 step) before it expires. Cool eh? Remember that each renewal repeats the port 80 validation, so don’t close that firewall rule afterwards.
Where Does Win-ACME Store its information
Good question, it took me a little while to find that out. Once run, win-acme creates a new folder called win-acme in %ProgramData% (a hidden folder on the C: drive, usually). All your settings are in there, so if you make a mistake such as entering the wrong email address, you can delete this folder and start again. That folder also holds your ACME account key and the cached PFX files (private key included), so treat it as secret material: leave it readable by administrators only and don’t copy it around or back it up to somewhere less protected.
How To Remove Let’s Encrypt Exchange Free Certificate & Settings
- Assign another certificate to the IIS, SMTP and IMAP services first (Exchange will not be happy if you remove the only certificate bound to them), then remove the Let’s Encrypt certificate from the Exchange Admin Center.
- Remove the win-acme folder from %ProgramData%.
- Delete the scheduled renewal task from ‘Task Scheduler‘.
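The removal steps as one script, added here as an example rather than taken from the original article or from win-acme. It assumes an elevated Exchange Management Shell, win-acme’s data folder at %ProgramData%\win-acme, and that you pass the thumbprint of the certificate you want to fall back to (a hypothetical value is shown); it rebinds that certificate before removing anything, so the services are never left without one.

```powershell
# Added example (not from the original article): roll back the Let's Encrypt
# certificate, the win-acme renewal task and the win-acme data folder.
# Assumptions: elevated Exchange Management Shell; win-acme data folder is
# %ProgramData%\win-acme; $ReplacementThumbprint is a certificate already in
# the local machine store that you want Exchange to use instead.
function Remove-LetsEncryptExchangeSetup {
    param(
        [Parameter(Mandatory)][string]$ReplacementThumbprint,
        [string]$WinAcmeData = (Join-Path $env:ProgramData 'win-acme')
    )

    # 1. Rebind the services to the replacement certificate first. -Force
    #    suppresses the "overwrite the SMTP certificate?" confirmation.
    $replacement = Get-ExchangeCertificate -Thumbprint $ReplacementThumbprint -ErrorAction Stop
    Enable-ExchangeCertificate -Thumbprint $replacement.Thumbprint -Services IIS,SMTP,IMAP -Force

    # 2. Remove every Let's Encrypt certificate Exchange knows about,
    #    except the replacement in case that is itself a Let's Encrypt cert.
    Get-ExchangeCertificate |
        Where-Object { $_.Issuer -like "*Let's Encrypt*" -and $_.Thumbprint -ne $replacement.Thumbprint } |
        ForEach-Object {
            Write-Host "Removing certificate $($_.Thumbprint) ($($_.Subject))"
            Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false
        }

    # 3. Delete the renewal task so it cannot re-issue a certificate later.
    Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "Unregistering task $($_.TaskName)"
            Unregister-ScheduledTask -TaskName $_.TaskName -Confirm:$false
        }

    # 4. Remove the data folder: settings, ACME account key and cached PFX files.
    if (Test-Path $WinAcmeData) {
        Write-Host "Deleting $WinAcmeData"
        Remove-Item -Path $WinAcmeData -Recurse -Force
    }

    # Show what is bound now so you can confirm nothing is left without a certificate.
    Get-ExchangeCertificate | Select-Object Thumbprint, Services, NotAfter, Subject
}

# Hypothetical thumbprint of the certificate to fall back to; replace with your own.
Remove-LetsEncryptExchangeSetup -ReplacementThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

Run it once with a replacement certificate you have already imported and verified; the final listing should show that certificate carrying the IIS, SMTP and IMAP services and no Let’s Encrypt certificates remaining.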
Related Articles, References, Credits, or External Links
NA