Make it easy on yourself and download the Certify the web app and use that to create the certificates and let the app do all the hard work.!!

I have Certify (the web) but this question is related to the auto updates accomplished by Certify and the noted Batch script to install in SmarterMail

Steve, the newest version of the tool does the whole thing, by creating.renewing the certificate, setting up IIS and installing the certificate and it will also create crt files for other specific usage.

Karl, I believe there is more than just having a self-renewing cert in IIS. Smartermail also needs an install separate from IIS which is not accomplished with Certify at this point.

To clarify if you go to Settings > Bindings > Ports    we can assign a .cer or .pfx file 

In the past I used .cer files but based on the prior referenced Support Article and Batch file, I'm exporting a .pfx file

Hopefully they are interchangeable in SmarterMail and binding/targetting the newly created .pfx file will complete the process of automating with Let's Encrypt via Certify the Web.

Hi Steve,

  You pretty much got it, as long as you have it setup in SmarterMail according to these instructions :

   The script will overwrite the old pfx file and SmarterMail will immediately start using the new SSL Cert!

Best Regards,

-dave

Make sure you have the current version of the Certify (the web) app. once you have created the certificate and got it to install into IIS goto the tasks options and under deployment tasks click add. Select deploy to generic server (multi purpose) under task parameters select local (current service users) under the output path of both crt and key type in the full file path (including the name of the cer/crt filename which has already been configured in the ports settings of smartermail so it ovewrites the one already there on renewal. This is an example of one i use E:\SmarterMail\Certificates\mail.xxxxxxxx.cer then save the whole task and test. make sure you create a testname first, so as not to overwrite your current .cer/crt file.

@David Fisher, Yes it seems to be properly configured once I updates each port binding to point to the generates .pfx file.  I used https://www.checktls.com/TestReceiver to confirm proper TLS configuration which looks to confirm everything is correctly covered. The phone is not ringing off the hook so it seems everything is properly configured.

@Karl Jones, It looks like your creating a task (in Task Scheduler) to take the current assigned certificate, duplicate it using a known name to a specific directory and then using the as the target in SmarterMail Port Bindings.  This seems more similar to the Certs I was duplicating and targeting in years prior.

I guess there are multiple ways to skin this cat. Thanks to those that have replied to help!

I have a PowerShell script that runs on another server, every day it connects to the HTTPS, IMAP and SMTP SSL ports, checks the certificate expiry against the current date and emails me if it's expiring within a defined number of days. It could run on the SM host too.
I can generalise it and put it on GitHub if it's of any use to you.

Steve, that would be great if you did.

H.

So my email server is part of an internal domain  businessname.local - the .com domain is what the email server is servicing.  How should I get around this issue, as the certificates will only be issued to .com domains and the email server has a .local suffix....

David,  

The internal domain name does not matter.

You just add the domains you need the certificate for to the IIS bindings.

I still need to work on the GitHub documents but the Test-CertificateExpiryDate.ps1 can be downloaded. Please create an issue in GitHub for problems or feature enhancement requests.
It can test multiple hosts and multiple ports, it can email alerts and create Windows event log entries for SIEM integration. It should be run under 'SYSTEM' as a scheduled task after initial testing at a PowerShell prompt. It supports tab completion using parameters.

e.g.
Test-CertificateExpiryDate.ps1 -Name "outlook.office365.com" -ExpiryThreshold 72 -AlertToAddress "support@mydomain.com" -port 443, 993

We use the following with LE 

Download the pluggable version, unlock, extract and copy to your mail server.

Open settings_default.json and change 

"PrivateKeyExportable": false,

to

"PrivateKeyExportable": true,

Save the following as a .ps1 file and executed it on a daily basis

$pswd = ConvertTo-SecureString -String "YouRPassWordHere" -Force -AsPlainText
Get-ChildItem -Path Cert:\localmachine\Webhosting | Where-Object {$_.Subject -like "*certificate_name_referenced_within_iis*"} | Export-PfxCertificate -FilePath "C:\SmarterMail\sslnamehere.pfx" -Password $pswd

Instructions for ps1

change YouRPassWordHere  to your exportable pfx password

change certificate_name_referenced_within_iis  to what ever your cert is referenced within IIS on the mail server

change sslnamehere to what ever you are going save the pfx as, and smartermail must be configured to reference this file

Does anyone else use 'Centralized Certificate Store' in IIS. I see many post that have the certificate going in to the computer store to then be extracted to a PFX. My setup is;

Script 1 runs daily and checks the expiry date on the related ports, if they are expiring it connects to LE and brings down a new certificate which is saved as a PFX with the password and overwrites the old PFX. SmarterMail and IIS, over a short period of time, start using the new certificate.

Script 2 runs daily and checks the expiry dates on the related ports to check that script 1 is doing it's job (my post above).

At no point is the certificate put into the computer store and then found again using 'Where-Object' for example.

TLDR - Cert check for expiry, script brings in new PFX, SM and IIS pick it up automatically, 0% admin intervention, runs automatically year on year.

I could be mistaken but with Certify The Web 5.x, under Deployment Tasks, isn't it possible to use the built-in GUI to automatically export the file (with its full destination path and name), thereby avoiding the need for additional PowerShell tasks?

EDIT TO PREVIOUS POST: Karl Jones already touched on this on 10/23/2020 at 3:11 PM.

I did indeed, and thanks for pointing it out SmP, I thought i made it pretty clear it was now an all in one option.. Please also note that you need to type the file name as part of the destination path otherwise you get an error.