Renew your Exchange Protection Certificate
Overview
If you have configured the Exchange Protection integration on Exchange Online with Modern Authentication, the self-signed certificate used to authenticate against Exchange Online will most likely expire every year or every second year. Failure to renew this certificate will result in failures in handling access to Exchange ActiveSync. You will receive a warning in the Silverback Management Console when the expiration date is approaching. This article provides instructions on how to create and update the new certificate.
Before you Start
- Log in as an Administrator either on your local machine (cloud customers) or on your Silverback Server (on-premise customers)
Microsoft Azure
- Now open https://portal.azure.com
- Sign in with Administrator credentials
Review your current App Registration
- During the initial setup of your Exchange Protection, you have registered an App Registration within Microsoft Entra ID
- After logging in to https://portal.azure.com, select Microsoft Entra ID
- Select App registrations
- Locate your current App Registration, e.g. Silverback Exchange Online Connection
- Open your current App Registration that is used for the Exchange Protection
- Select Certificates & secrets
- You should now see your currently used certificate with an upcoming expiry date
- Review the CN value in the Description and use it later as the DnsName
- Keep the window open, and proceed with generating a new self-signed certificate
Generate a new self-signed certificate
- Open PowerShell as an Administrator either on your local machine (cloud customers) or on your Silverback Server (on-premise customers)
- Adjust the DNS name and run the following command to generate the certificate
$mycert = New-SelfSignedCertificate -DnsName "imagoverum.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
- Open certlm.msc, navigate to Personal > Certificates and review your created certificate
- Perform a double-click on your certificate
- Select Details and note down your certificate thumbprint, e.g. 502ca2f6f74bc5ea7b21b6a18182da8209a4f266
- Press OK
- Additional steps for On-Premise Customers only
- Perform a right click on your certificate
- Select All Tasks > Manage Private Keys
- Press Add and add the Network Service
- Uncheck Full Control and ensure that Read is allowed
Cloud Customers will upload the certificate later through the Silverback Management Console, where the Network Service step is executed automatically.
Export Public Key
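- Adjust the file path and password, then run the following command to export the certificate with its private key as a *.pfx file. The password is single-quoted so that PowerShell does not expand $$ inside it
$mycert | Export-PfxCertificate -FilePath C:\Certificates\ExchangeOnlineSilverback.pfx -Password $(ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force)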
- Open File Explorer and navigate to C:\Certificates to review the *.pfx file
- Adjust and run the following command to export the public key
$mycert | Export-Certificate -FilePath C:\Certificates\ExchangeOnlineSilverback.cer
- Review the exported *.cer file in the C:\Certificates location
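The following check is an added example, not part of the original Silverback instructions. It confirms that the exported *.cer file matches the newest certificate in the machine store before you upload it. The function name Test-RenewedCertificate and the 30-day warning threshold are assumptions; the DNS name and file path default to the sample values used in this article.

```powershell
# Added example: verify the renewed certificate and its exported public key.
# Test-RenewedCertificate is a hypothetical helper name, not a Silverback or Microsoft cmdlet.
function Test-RenewedCertificate {
    param(
        [string]$DnsName  = 'imagoverum.com',                                  # sample value from this article
        [string]$CerPath  = 'C:\Certificates\ExchangeOnlineSilverback.cer',    # sample path from this article
        [int]$WarnDays    = 30                                                 # assumed warning threshold
    )

    # The old and the renewed certificate share the same CN, so collect every
    # match in the machine store and sort them with the latest expiry first.
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" } |
        Sort-Object -Property NotAfter -Descending)

    if ($certs.Count -eq 0) {
        throw "No certificate with subject CN=$DnsName found in Cert:\LocalMachine\My"
    }
    if (-not (Test-Path -Path $CerPath)) {
        throw "Exported public key not found: $CerPath"
    }

    $new = $certs[0]

    # Load the exported file; a *.cer export carries the public key only.
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    $daysLeft = [int][math]::Floor(($new.NotAfter - (Get-Date)).TotalDays)

    [pscustomobject]@{
        Thumbprint         = $new.Thumbprint                        # value to note down for the connection test
        NotAfter           = $new.NotAfter
        DaysLeft           = $daysLeft
        ExpiresSoon        = ($daysLeft -lt $WarnDays)
        StoreHasPrivateKey = $new.HasPrivateKey                     # must be True for authentication to work
        CerMatchesStore    = ($cer.Thumbprint -eq $new.Thumbprint)  # False means the wrong file was exported
        CerIsPublicOnly    = (-not $cer.HasPrivateKey)              # must be True for the file you upload
        OlderCertificates  = $certs.Count - 1                       # candidates for later cleanup
    }
}

Test-RenewedCertificate | Format-List
```

Run it in the same elevated PowerShell session used to create the certificate. CerMatchesStore and CerIsPublicOnly should both be True before you continue with the upload.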
Attach certificate to your App Registration
- Navigate back to your Microsoft Entra ID window
- Inside your App registration, navigate to Certificates & secrets
- Select Certificates
- Press Upload certificate
- Press Select a File
- Navigate to your exported public key ExchangeOnlineSilverback.cer
- Select the *.cer file and click Open, or double-click the file
- Press Add
Try connection to Exchange Online
- Open a Text Editor and copy the thumbprint of the new certificate
- Now, at your Microsoft Entra ID window, navigate to Overview and copy the Application (client) ID to your Text Editor
- You should now have noted down two values: the thumbprint of the new certificate and your Application (client) ID.
- Now proceed with Connect to Exchange Online from the original integration guide and come back to this article after performing the Verify Connection step and executing one or two additional commands.
If you are having trouble connecting to Exchange Online through PowerShell, it might be because Microsoft has deprecated connecting to Exchange Online with the PowerShell module v2. In this case, update to a newer version by executing the following command: Update-Module -Name ExchangeOnlineManagement -RequiredVersion "3.4.0". After updating, close PowerShell and retry the connection. You can check your currently installed version by running Get-Module -ListAvailable -Name ExchangeOnlineManagement. Please note that newer versions may also work, but we want to emphasize that we have verified Exchange protection with the 3.4.0 version.
Update Certificate
- Open your Silverback Management Console
- Log in as an Administrator
- Navigate to Admin
- Navigate to Exchange Protection
- As an On-Premise customer, select your newly generated self-signed certificate from the drop-down list
- As a Cloud customer, press Upload and Install Certificate
- Select Choose File, locate and select your *.pfx file and press Open
- Enter your Password for the *.pfx file, e.g. Pa$$w0rd
- Press OK
- Press Save and Confirm with Yes
Performance Check
- Please refer to Performance Check to verify that the certificate renewal was successful.
Delete old certificate(s)
- After successfully verifying the function of exchange protection with the new certificate, you can optionally delete the expired or soon-to-expire certificate from your app registration in Microsoft Entra so that you only have the current certificate on file.