Export Let’s Encrypt certificate in Windows Server
In a previous article, we installed Let’s Encrypt on Exchange Server. Everything works great on that Exchange Server, and the OWA URL shows a secure connection. What if you have more than one Exchange Server running in the organization? In this article, you will learn how to export the Let’s Encrypt certificate in Windows Server step by step.
You want to export the Let’s Encrypt certificate together with its private key and import it on the other Exchange Servers. The catch is that Win-ACME installs the certificate with a private key that is not marked as exportable, so the export wizard will not let you take the key out. The trick is to first re-import the .pfx that Win-ACME keeps in its cache folder, this time with the private key marked as exportable. After that, you can export the certificate.
Let’s Encrypt SSL certificate is not exportable
It’s good to know what happens if you don’t have the private key installed. Let’s see it in action.
Start MMC (Microsoft Management Console) and add the certificate snap-in. Right-click the Let’s Encrypt certificate and click All Tasks. Click Export…
The certificate export wizard is showing. Click Next.
The option we need is Yes, export the private key, but it is greyed out and can’t be selected. Click Cancel to go back.
In the next step, we are going to import the private key. Once imported, we repeat the same export steps, and this time the option to export the private key will be selectable. More on that later in the article.
Find private key password in Win-ACME
Before we can import the private key on the system, we have to get the .pfx password. Win-ACME generates this password itself and shows it in the renewal details of the Win-ACME client.
Go to the Win-ACME folder and start the Win-ACME client. Select A to manage renewals and press Enter.
A simple Windows ACMEv2 client (WACS)
Software version 2.1.22.1260 (release, pluggable, standalone, 64-bit)
ACME server https://acme-v02.api.letsencrypt.org/
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme
N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options...
Q: Quit
Please choose from the menu: A
Select D to show the renewal details and press Enter.
Welcome to the renewal manager. Actions selected in the menu below will be
applied to the following list of renewals. You may filter the list to target
your action at a more specific set of renewals, or sort it to make it easier
to find what you're looking for.
1: mail.exoip.com - renewed 1 time, due after 2020/8/8 18:08:45
E: Edit renewal
D: Show details for the renewal
R: Run the renewal
A: Analyze duplicates for the renewal
C: Cancel the renewal
V: Revoke certificate(s) for the renewal
Q: Back
Choose an action or type numbers to select renewals: D
Find the certificate .pfx password and copy the password. In my example it’s n8LVJLxx2vQrC3QB2G7cn/mdeMK/RyGMBt8ECq8GYjs=.
Details for renewal 1/1
Id: xfRT7WjC40mP2rVUt1uybg
File: xfRT7WjC40mP2rVUt1uybg.renewal.json
FriendlyName: mail.exoip.com
.pfx password: n8LVJLxx2vQrC3QB2G7cn/mdeMK/RyGMBt8ECq8GYjs=
Renewal due: 08/08/2020 18:08:45
Renewed: 1 times
Target -----------------------------------------------------------------
- Plugin: Manual - (Manual input)
- CommonName: mail.exoip.com
- AlternativeNames mail.exoip.com,autodiscover.exoip.com
Validation -----------------------------------------------------------------
- Plugin: SelfHosting - (Serve verification files from memory)
Order -----------------------------------------------------------------
- Plugin: Single - (Single certificate)
CSR -----------------------------------------------------------------
- Plugin: RSA - (RSA key)
Store -----------------------------------------------------------------
- Plugin: CertificateStore - (Windows Certificate Store)
- Store: My
- AclFullControl: network service,administrators
Installation -----------------------------------------------------------------
- Plugin: IIS - (Create or update https bindings in IIS)
Installation -----------------------------------------------------------------
- Plugin: Script - (Start external script or program)
- Script: ./Scripts/ImportExchange.ps1
- ScriptParameters '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}'
'{CachePassword}' '{CertFriendlyName}'
History -----------------------------------------------------------------
1: 14/06/2020 16:08:45 - Success - Thumbprint E06F2B82608090BAE540841E3EA9895804951F83
Press <Enter> to continue
Now that we have the password for the .pfx file, we can import the certificate in the system. Treat this password as a secret: together with the .pfx in the Win-ACME cache folder it is the private key of your mail servers, so don’t leave it in chat messages, tickets or scripts in clear text.
Import private key in Windows
Open the following path to find the certificate.
C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
Double-click the .pfx file of the certificate to start the certificate import wizard.
Select Local Machine and click Next.
The file name path will be filled in automatically. Click Next.
Paste the .pfx password that you copied in the earlier step. Check both of the checkboxes:
- Mark this key as exportable. This will allow you to back up or transport your keys at a later time.
- Include all extended properties
Click Next.
Click Next to automatically select the certificate store based on the type of certificate.
Click Finish to complete the certificate import wizard.
Certificate import was successful. Click OK.
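The same import, done from an elevated PowerShell prompt instead of the wizard, as an added example that is not part of the original article. It assumes the default Win-ACME cache folder shown above and asks for the .pfx password interactively. The helper that tests exportability by attempting a throw-away export is my own; it also reproduces, in script form, the refused export from the first section, so you can run it before and after the re-import to see the difference.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# prompt on the Exchange server where Win-ACME runs.
$CacheDir = 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates'

function Test-PrivateKeyExportable {
    # Returns $true when the private key can leave the store. The check that
    # works for both CAPI and CNG keys is to attempt a PFX export into a
    # throw-away file and see whether Windows refuses.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) { return $false }
    $TempPfx = Join-Path $env:TEMP ("probe-{0}.pfx" -f [guid]::NewGuid())
    $ProbePw = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
    try {
        Export-PfxCertificate -Cert $Certificate -FilePath $TempPfx -Password $ProbePw -ErrorAction Stop | Out-Null
        return $true
    } catch {
        # "Cannot export non-exportable private key" lands here
        return $false
    } finally {
        Remove-Item -Path $TempPfx -Force -ErrorAction SilentlyContinue
    }
}

# 1. Pick the newest .pfx in the Win-ACME cache (Win-ACME writes one per renewal)
$Pfx = Get-ChildItem -Path $CacheDir -Filter '*.pfx' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $Pfx) { throw "No .pfx found in $CacheDir" }

# 2. The .pfx password from the Win-ACME renewal details (menu A, then D)
$PfxPassword = Read-Host -Prompt 'Paste the .pfx password shown by Win-ACME' -AsSecureString

# 3. Import into LocalMachine\My with the key marked exportable.
#    -Exportable is the wizard's "Mark this key as exportable" checkbox.
#    Re-importing the same certificate replaces the key material in the store,
#    which is what makes the export possible afterwards.
$Imported = Import-PfxCertificate -FilePath $Pfx.FullName `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $PfxPassword -Exportable

# 4. Confirm before moving on to the export step
$Cert = Get-Item -Path ("Cert:\LocalMachine\My\{0}" -f $Imported.Thumbprint)
"{0}  exportable: {1}" -f $Cert.Subject, (Test-PrivateKeyExportable -Certificate $Cert)
```

Run only the function and step 4 against the certificate before the import and the result is `exportable: False`, matching the greyed-out wizard option; after the import it reports `True`.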
The next step is to export the Let’s Encrypt certificate. Remember that at the beginning of the article we couldn’t export the certificate because the private key was not exportable. Will we be able to select the option now?
Export Let’s Encrypt certificate to PFX
Click the refresh button in the toolbar, if you already have the MMC console open. If you want, you can close the MMC and start a new session.
Start MMC and add the certificate snap-in. Right-click the Let’s Encrypt certificate and click All Tasks. Click Export…
Click Next.
This time the option is selectable. Click Yes, export the private key and click Next.
Check the following checkboxes:
- Include all certificates in the certification path if possible
- Export all extended properties
- Enable certificate privacy
Click Next.
Select the Password checkbox and fill in a strong password to protect the .pfx file; anyone who has the file and this password holds your private key. You will need the password when importing the certificate. Click Next.
Click Browse and select the folder in which to save the certificate. In my example, it will be the folder Certs on the C: drive. Enter the file name including the .pfx extension.
Click Finish to complete the certificate export wizard.
The certificate export was successful. Click OK.
Start File Explorer and browse to the exported file. This is the exported Let’s Encrypt certificate including the private key, so store and transfer it as you would any other secret, and delete the copies you no longer need once they are imported.
The Let’s Encrypt certificate private key is successfully exported in Windows Server. Now that you have the .pfx file, you can import the certificate on another Exchange Server.
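The export wizard steps above, plus the follow-up import on a second Exchange server, as an added PowerShell example that is not part of the original article. The thumbprint is the one from the Win-ACME renewal history above; the paths, the file permissions, the target services and the copy step are assumptions. Part 2 runs in the Exchange Management Shell on the other server and uses the Exchange cmdlets Import-ExchangeCertificate and Enable-ExchangeCertificate.

```powershell
# Added example (not from the original article). Part 1 runs on the server where
# the key was just made exportable; part 2 on the other Exchange server.

# ---- Part 1: export certificate + private key + chain to a protected .pfx ----
$Thumbprint  = 'E06F2B82608090BAE540841E3EA9895804951F83'   # from the Win-ACME renewal history
$ExportDir   = 'C:\Certs'
$ExportPath  = Join-Path $ExportDir 'mail.exoip.com.pfx'
$PfxPassword = Read-Host -Prompt 'Password to protect the exported .pfx' -AsSecureString

$Cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $Cert.HasPrivateKey) { throw 'No private key for this certificate in LocalMachine\My.' }

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# -ChainOption BuildChain              = "Include all certificates in the certification path if possible"
# -CryptoAlgorithmOption AES256_SHA256 = "Enable certificate privacy": encrypts the certificates as
#                                        well as the key (Windows Server 2019 / Windows 10 1709 and
#                                        later; drop the parameter on older builds)
Export-PfxCertificate -Cert $Cert -FilePath $ExportPath -Password $PfxPassword `
                      -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# The file now holds the private key: stop inheriting permissions from C:\Certs and
# allow local Administrators only.
$Acl = Get-Acl -Path $ExportPath
$Acl.SetAccessRuleProtection($true, $false)
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'Allow'
$Acl.SetAccessRule($Rule)
Set-Acl -Path $ExportPath -AclObject $Acl
Get-Item -Path $ExportPath | Select-Object FullName, Length, LastWriteTime

# ---- Part 2: on the other Exchange server, in the Exchange Management Shell ----
# Copy C:\Certs\mail.exoip.com.pfx over first (for example with Copy-Item to an
# admin share), then import it with the key exportable so this server can be the
# source for the next one, and bind it to the same services Win-ACME used.
$Bytes    = [System.IO.File]::ReadAllBytes('C:\Certs\mail.exoip.com.pfx')
$Password = Read-Host -Prompt 'Password of the .pfx' -AsSecureString
$Imported = Import-ExchangeCertificate -FileData $Bytes -Password $Password -PrivateKeyExportable $true
Enable-ExchangeCertificate -Thumbprint $Imported.Thumbprint -Services 'IIS,SMTP,IMAP' -Force

# Every remaining copy of the .pfx is a copy of the private key: remove it once imported.
Remove-Item -Path 'C:\Certs\mail.exoip.com.pfx' -Force
```

Win-ACME issues a fresh certificate on every renewal, so the exported file goes stale with it; repeat the export and import after each renewal, or hook it into the installation script Win-ACME already runs (the `./Scripts/ImportExchange.ps1` entry in the renewal details above).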
Conclusion
In this article, you learned how to export the Let’s Encrypt certificate with its private key. Find the .pfx password by starting the Win-ACME client, import the .pfx with the private key marked as exportable, and after that the certificate is exportable from the certificate store. You should not request a separate certificate per Exchange Server; one certificate can be installed on all the Exchange Servers, as long as it covers all the names they serve. Because Win-ACME renews the certificate, you have to repeat these steps after each renewal.
I hope you enjoyed this article. You may also like Outlook search bar moved to top. Don’t forget to follow us and share this article.
Thank you very much!
Very good instructions! The private key trick is not described everywhere. Cool!
Thank you!
Folks, I have a question..
If you export the cert from the Exchange server and upload it to the Kemp Load Balancer, will this exported cert renew automatically when the Exchange Server renews its cert? If not, we are forced to export the cert from Exchange and import it to the load balancer every 30 days.
You have to upload it manually every 90 days.
THANK YOU!!!!!
I really appreciate the time you take to make this article and many others that have been extremely helpful!
Has someone been able to automate this?
I would like to automatically export/import/assign the script to an Edge server.
My guess is this should be possible by tweaking the Scripts/ImportExchange.ps1 script.
Thanks for any input!
Ashley.
The first time, I had little trouble implementing LetsEncrypt using the WACS tool.
Today I started with the first renewal process and the renewal went flawlessly. The issue I have now is that the .pfx password is not being recognized when trying to import the certificate or convert it with OpenSSL.
Any idea where I am going wrong?
Appreciate your feedback
Great Info
it works for me, and that’s exactly the problem I had. Thanks!!
Hello
Your article helped me quite a lot thank you. But how would you automate this? If we have multiple Exchange Servers we would have to do this on every renewal again?
Thank you
For multiple Exchange and Edge servers, you just need to add their names where it asks, and after getting the cert, just import it to the other servers.