Backup: Windows snapshot of the server.

Outage: a 1 hour outage window is required. Mail will queue during the restart, so schedule the work out of hours.


Ensure you snapshot the server prior to making any changes!

1. Remote to the MOPTHYBRID server and open the Exchange Management Shell (EMS) as administrator.




2. Create a CSR. The cmdlet returns the Base64 request text, so capture it and write it to a file that can be submitted to DigiCert:

$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Wildcardcer2025" -SubjectName "c=AU,o=Melbourne and Olympic Park,cn=mail.mopt.vic.gov.au" -DomainName mail.mopt.vic.gov.au

[System.IO.File]::WriteAllBytes('C:\Users\dli_admin\Desktop\Certificate\Wildcardcer2025.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

 

3. Submit the CSR to DigiCert and download the issued certificate (see the guide "Request a certificate from DigiCert"). Make sure DigiCert's intermediate CA certificate is installed in the server's Intermediate Certification Authorities store, then complete the pending request by importing the issued certificate:

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('C:\Users\dli_admin\Desktop\Certificate\Wildcardcer2025.cer'))


4. Check that the new certificate shows with Status "Valid" (a status of "Invalid" or "RevocationCheckFailure" usually means the chain is incomplete) and record its thumbprint and expiry for the later steps:

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotAfter,Services


5. Bind the certificate: log in to the Exchange admin center at https://mail.mopt.vic.gov.au/ecp, go to Servers > Certificates, select the new certificate and assign it to the services it must serve on this server (IIS and SMTP), following the three steps in the image below. The EMS equivalent is Enable-ExchangeCertificate with the new thumbprint and -Services IIS,SMTP.

 

[Screenshot: the three certificate binding steps in the Exchange admin center]


6. Update the send and receive connectors that still reference the old certificate. First list the send connectors and their TLS certificate binding:

Get-SendConnector | Select-Object Identity, TlsCertificateName

Then list the receive connectors and their TLS certificate binding:

Get-ReceiveConnector | Select-Object Name, FQDN, Bindings, AuthMechanism, TlsCertificateName

The TlsCertificateName value is the issuer and subject of the bound certificate, so compare it with the Subject and Issuer of the old certificate to see which connectors need changing. To get the new certificate's thumbprint for the next step, list the valid CA-issued certificates again:

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint


7. Update the connectors with the following commands. Double check the connector names first, as they may have changed since this was last performed, and make sure the new certificate is enabled for the SMTP service (step 5) before pointing connectors at it; a connector whose TlsCertificateName does not match an installed, SMTP-enabled certificate will fail TLS with Office 365.

$cert = Get-ExchangeCertificate -Thumbprint 28BB7F10C17B82FA6BF72F4D8E65D72DEBD1B612   # replace with the new certificate's thumbprint from step 4

$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

Set-SendConnector -Identity "Outbound to Office 365 - f283627b-a81c-4214-a923-8305bdcd76be" -TLSCertificateName $tlscertificatename

Set-ReceiveConnector -Identity "MOPTHYBRID\Default Frontend MOPTHYBRID" -TlsCertificateName $tlscertificatename

Re-run the Get-SendConnector and Get-ReceiveConnector commands from step 6 and confirm TlsCertificateName now shows the new certificate's issuer and subject.
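The two Set-*Connector commands above target connectors by name. The script below is an added example (not part of the original runbook) that does the same job generically: it builds the TlsCertificateName value for the old and new certificates in the Exchange Management Shell and re-points every send and receive connector that still references the old one, so a renamed or added connector is not missed. It assumes the old certificate is still installed and that the thumbprints are supplied at run time; run it once without -Apply to see what it would change.

```powershell
# Added example, not part of the original runbook. Run in the Exchange Management
# Shell on MOPTHYBRID, e.g.:
#   .\Update-ConnectorCertificate.ps1 -OldThumbprint <old> -NewThumbprint <new>          # report only
#   .\Update-ConnectorCertificate.ps1 -OldThumbprint <old> -NewThumbprint <new> -Apply   # make the change
# Both thumbprints are assumptions supplied by the operator; the old certificate
# must still be installed so its issuer/subject can be read.
param(
    [Parameter(Mandatory)][string]$OldThumbprint,
    [Parameter(Mandatory)][string]$NewThumbprint,
    [switch]$Apply   # without -Apply the script only reports what it would change
)

function Get-TlsCertificateNameFor {
    param([string]$Thumbprint, [switch]$RequireSmtp)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    if ($RequireSmtp) {
        # The certificate the connectors will use must be valid and enabled for SMTP.
        if ($cert.Status -ne 'Valid') {
            throw "Certificate $Thumbprint has status '$($cert.Status)', expected Valid"
        }
        if ("$($cert.Services)" -notmatch 'SMTP') {
            throw "Certificate $Thumbprint is not enabled for SMTP; run Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP first"
        }
    }
    # Same "<I>issuer<S>subject" form the runbook builds by hand in step 7.
    return "<I>$($cert.Issuer)<S>$($cert.Subject)"
}

$old = Get-TlsCertificateNameFor -Thumbprint $OldThumbprint
$new = Get-TlsCertificateNameFor -Thumbprint $NewThumbprint -RequireSmtp

# TlsCertificateName is an SmtpX509Identifier object; compare its string form
# (PowerShell's -eq is case-insensitive, so "<i>...<s>..." matches "<I>...<S>...").
$send = Get-SendConnector    | Where-Object { "$($_.TlsCertificateName)" -eq $old }
$recv = Get-ReceiveConnector | Where-Object { "$($_.TlsCertificateName)" -eq $old }

if (-not $send -and -not $recv) {
    Write-Warning "No connector references the old certificate. Check Get-SendConnector / Get-ReceiveConnector output by hand."
}

foreach ($c in $send) {
    if ($Apply) { Set-SendConnector -Identity $c.Identity -TlsCertificateName $new }
    [pscustomobject]@{ Type = 'Send'; Identity = "$($c.Identity)"; NewTlsCertificateName = $new; Applied = [bool]$Apply }
}
foreach ($c in $recv) {
    if ($Apply) { Set-ReceiveConnector -Identity $c.Identity -TlsCertificateName $new }
    [pscustomobject]@{ Type = 'Receive'; Identity = "$($c.Identity)"; NewTlsCertificateName = $new; Applied = [bool]$Apply }
}
```

Connectors whose TlsCertificateName is empty are deliberately left alone: they fall back to the server's default SMTP certificate rather than a named one, and changing them is a separate decision from the renewal.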


8. After these steps, confirm that IIS on MOPTHYBRID is serving the new certificate: in the Get-ExchangeCertificate output from step 4 the new thumbprint should list IIS under Services, and the HTTPS binding of the Default Web Site in IIS Manager should show the new certificate.


9. Restart the server so that the Transport and IIS services pick up the new certificate, then confirm that mail flow to and from Office 365 has resumed and the queues have drained. Keep the old certificate installed until the new one is confirmed in use for both HTTPS and SMTP.
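Steps 8 and 9 check the certificate from inside the server. The script below is an added example (not part of the original runbook) that checks it from the outside, which is what Office 365 and users actually see: it completes a TLS handshake against HTTPS on 443 and against SMTP STARTTLS on 25 and reports the certificate each service presents, its expiry, whether the chain validates, and whether the thumbprint matches the one recorded in step 4. The host name, ports and the expected thumbprint are assumptions supplied at run time; run it from a Windows host that can reach the server on both ports.

```powershell
# Added example, not part of the original runbook. Usage:
#   .\Test-PresentedCertificate.ps1 -HostName mail.mopt.vic.gov.au -ExpectedThumbprint <new thumbprint>
# HostName defaults to the server name used in the runbook; the thumbprint is an
# operator-supplied assumption (the value recorded in step 4).
param(
    [string]$HostName = 'mail.mopt.vic.gov.au',
    [Parameter(Mandatory)][string]$ExpectedThumbprint
)

# Accept any chain during the handshake so a validation problem does not hide
# which leaf certificate the server presents; chain validity is reported separately.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

function Get-PresentedCertificate {
    param([System.IO.Stream]$Stream, [string]$TargetHost)
    $ssl = [System.Net.Security.SslStream]::new($Stream, $false, $acceptAll)
    $ssl.AuthenticateAsClient($TargetHost)    # SNI is sent for $TargetHost
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
}

function Read-SmtpReply {
    # Consume a possibly multi-line SMTP reply; continuation lines have '-' after the code.
    param([System.IO.StreamReader]$Reader)
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line.Substring(3, 1) -eq '-')
    return $line
}

function Get-HttpsCertificate {
    param([string]$TargetHost, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try { Get-PresentedCertificate -Stream $tcp.GetStream() -TargetHost $TargetHost }
    finally { $tcp.Close() }
}

function Get-SmtpStartTlsCertificate {
    param([string]$TargetHost, [int]$Port = 25)
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        $stream = $tcp.GetStream()
        $reader = [System.IO.StreamReader]::new($stream)
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        # Plain-text SMTP up to STARTTLS, then the TLS handshake runs on the same socket.
        $banner = Read-SmtpReply $reader
        if ($banner -notlike '220*') { throw "Unexpected SMTP banner: $banner" }
        $writer.WriteLine('EHLO certcheck.invalid')
        $ehlo = Read-SmtpReply $reader
        if ($ehlo -notlike '250*') { throw "EHLO rejected: $ehlo" }
        $writer.WriteLine('STARTTLS')
        $ready = Read-SmtpReply $reader
        if ($ready -notlike '220*') { throw "STARTTLS refused: $ready" }
        Get-PresentedCertificate -Stream $stream -TargetHost $TargetHost
    } finally { $tcp.Close() }
}

function Test-PresentedCertificate {
    param([string]$Service, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Expected)
    [pscustomobject]@{
        Service    = $Service
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
        ChainValid = $Cert.Verify()                  # built against this host's trust store
        IsExpected = ($Cert.Thumbprint -eq $Expected)
    }
}

$results = @(
    Test-PresentedCertificate 'HTTPS 443 (IIS: OWA/ECP/EWS)' (Get-HttpsCertificate -TargetHost $HostName) $ExpectedThumbprint
    Test-PresentedCertificate 'SMTP 25 STARTTLS (Default Frontend)' (Get-SmtpStartTlsCertificate -TargetHost $HostName) $ExpectedThumbprint
)
$results | Format-Table -AutoSize
if ($results.IsExpected -contains $false -or $results.ChainValid -contains $false) {
    Write-Warning 'At least one service is not presenting the expected, chain-valid certificate.'
    exit 1
}
```

A ChainValid of False with the correct thumbprint on the SMTP line usually means the DigiCert intermediate is missing from the server (step 3); a wrong thumbprint on 443 means the IIS binding was not updated (step 8), and a wrong thumbprint on 25 means the receive connector or the default SMTP certificate still points at the old one (step 7).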