Exchange 2013 SHA1 to SHA256

Exchange 2013 from SHA1 to SHA256 – Using a cert from an enterprise root certificate authority

As you may know SHA1 is being depreciated (see ms link) and MS will block SHA-1 signed TLS certificates starting Jan 1 2017.

I wanted to update my self signed Exchange certificate which was using SHA1 to SHA256. I requested a cert from my enterprise root certificate authority (Done through MMC – see https://myexchangelync.wordpress.com/2014/12/14/create-a-csr-with-sha256-signature-algorithm/). Applied the cert, used the Exch Management Shell command

(to view all certs to find the thumbprint)

get-exchangecertificate | fl

(to apply the cert to exchange services)

enable-exchangecertificate -thumbprint “ABC” -services IMAP,POP,IMAP,SMTP

I discovered after rebooting that the exchange management shell wouldn’t connect. A quick trick to fix this is to go into IIS and open “Exchange Back End”. Check bindings and make sure the new cert is selected. After an IISRESET or reboot this should fix the exchange management shell connection issue.

Everything seems to be working except I cannot login to OWA or ECP. I could open the owa website however it would not accept the administrator password. The page would refresh with no error code. When I typed the password wrong it would?say the password is wrong. After hours of scratching my head I found this website https://blogs.technet.microsoft.com/jasonsla/2015/01/15/the-one-with-the-fba-redirect-loop/

The main point is “Exchange FBA does not support CNG certificates. Exchange only uses and supports the legacy CryptoAPI which uses Cryptographic Service Providers (CSP).”

I requested another cert through MMC (see above) and selected “legacy CSP” and also made sure to select”Microsoft RSA SChannel Cryptographic Provider”.

Used the enable-exchangecertificate command again. Rebooted and now ECP/OWA works!! And the cert is now working as SHA256 🙂