How to automatically issue updated SSL Certs using Let's Encrypt and Certify
Question asked by Steve Guluk - 10/22/2020 at 6:01 PM
Using SmarterMail Enterprise Version - 100.0.6956
I read this article, which notes how to use Let's Encrypt and Certify to generate automatically renewing certs:

Everything makes sense except what to do with the final exported .pfx?

I've found the script worked and properly generated the .pfx file, but how do I confirm it's actually installed, or is there another step? The point is to not have to do an update every 60 days.

Details of script to export .pfx file:

# Find the newest certificate for the mail host in the machine store and export it
# (with its private key) to the PFX path that SmarterMail's port bindings point at.
# The Where-Object block was missing its closing brace and '-p' had a curly quote.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*mail.sgdesign.net*" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1 |
    ForEach-Object { & certutil.exe @('-exportpfx', '-f', '-p', 'SomePassword', $_.Thumbprint, "C:\SmarterMail\Certificates\mail.sgdesign.net.pfx") }


PS C:\SmarterMail\Scripts> C:\SmarterMail\Scripts\ExportCert.ps1
MY "Personal"
================ Certificate 22 ================
Serial Number: 03201f46dbc1d905df3627a04c6b208e7af4
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
 NotBefore: 10/22/2020 11:44 AM
 NotAfter: 1/20/2021 11:44 AM
Subject: CN=mail.sgdesign.net
Non-root Certificate
Cert Hash(sha1): ccb750e7eedf4542d11ae0e05545f3325a27b02c
  Key Container = {E0AA8159-5134-4720-9992-920A9776A201}
  Unique container name: de0b1ed3d1c6bce8e43ac9c9d093dfc1_6851084f-1742-4f77-91b6-2adb272ddc7e
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced Cryptographic Provider v1.0: KeySpec=1
Encryption test passed
Signature test passed
Microsoft Enhanced Cryptographic Provider v1.0: KeySpec=1
AES256+RSAES_OAEP(RSA:CNG) test passed
Encryption test passed (CNG)
Signature test passed (CNG)
CertUtil: -exportPFX command completed successfully.

PS C:\SmarterMail\Scripts>  

15 Replies

Karl Jones Replied
Make it easy on yourself and download the Certify The Web app and use that to create the certificates and let the app do all the hard work!
Steve Guluk Replied
I have Certify (the web) but this question is related to the auto updates accomplished by Certify and the noted Batch script to install in SmarterMail
Karl Jones Replied
Steve, the newest version of the tool does the whole thing, by creating/renewing the certificate, setting up IIS and installing the certificate, and it will also create crt files for other specific usage.
Steve Guluk Replied
Karl, I believe there is more than just having a self-renewing cert in IIS. Smartermail also needs an install separate from IIS which is not accomplished with Certify at this point.
Steve Guluk Replied
To clarify, if you go to Settings > Bindings > Ports we can assign a .cer or .pfx file.
In the past I used .cer files, but based on the prior referenced Support Article and batch file, I'm exporting a .pfx file.

Hopefully they are interchangeable in SmarterMail and binding/targeting the newly created .pfx file will complete the process of automating with Let's Encrypt via Certify The Web.
David Fisher Replied
Hi Steve,

You pretty much got it, as long as you have it set up in SmarterMail according to these instructions:

The script will overwrite the old pfx file and SmarterMail will immediately start using the new SSL cert!

Best Regards,

Karl Jones Replied
Make sure you have the current version of the Certify The Web app. Once you have created the certificate and got it to install into IIS, go to the Tasks options and under Deployment Tasks click Add. Select "Deploy to generic server (multi purpose)". Under task parameters select Local (current service user). Under the output path of both crt and key, type in the full file path (including the name of the cer/crt file which has already been configured in the Ports settings of SmarterMail) so it overwrites the one already there on renewal. This is an example of one I use: E:\SmarterMail\Certificates\mail.xxxxxxxx.cer. Then save the whole task and test. Make sure you create a test name first, so as not to overwrite your current .cer/crt file.
Steve Guluk Replied
@David Fisher, Yes, it seems to be properly configured once I updated each port binding to point to the generated .pfx file. I used https://www.checktls.com/TestReceiver to confirm proper TLS configuration, which looks to confirm everything is correctly covered. The phone is not ringing off the hook, so it seems everything is properly configured.

@Karl Jones, It looks like you're creating a task (in Task Scheduler) to take the current assigned certificate, duplicate it using a known name to a specific directory and then using that as the target in SmarterMail Port Bindings. This seems more similar to the certs I was duplicating and targeting in years prior.

I guess there are multiple ways to skin this cat. Thanks to those that have replied to help!
Steve Norton Replied
I have a PowerShell script that runs on another server, every day it connects to the HTTPS, IMAP and SMTP SSL ports, checks the certificate expiry against the current date and emails me if it's expiring within a defined number of days. It could run on the SM host too.
I can generalise it and put it on GitHub if it's of any use to you.
Heimir Eidskrem Replied
Steve, that would be great if you did.


David Short Replied
So my email server is part of an internal domain  businessname.local - the .com domain is what the email server is servicing.  How should I get around this issue, as the certificates will only be issued to .com domains and the email server has a .local suffix....
Heimir Eidskrem Replied
The internal domain name does not matter.
You just add the domains you need the certificate for to the IIS bindings.

Steve Norton Replied
I still need to work on the GitHub documents but the Test-CertificateExpiryDate.ps1 can be downloaded. Please create an issue in GitHub for problems or feature enhancement requests.
It can test multiple hosts and multiple ports, it can email alerts and create Windows event log entries for SIEM integration. It should be run under 'SYSTEM' as a scheduled task after initial testing at a PowerShell prompt. It supports tab completion using parameters.
Test-CertificateExpiryDate.ps1 -Name "outlook.office365.com" -ExpiryThreshold 72 -AlertToAddress "support@mydomain.com" -port 443, 993
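An added example, not part of this thread and not Steve Norton's Test-CertificateExpiryDate.ps1, to show what the check he describes looks like in plain PowerShell, and at the same time to answer Steve Guluk's original question of how to confirm the exported .pfx is the certificate SmarterMail actually serves: it connects to each port, completes a TLS handshake, reads the certificate the server presented, reports days to expiry against a threshold, and optionally compares the served thumbprint with the thumbprint of the PFX file on disk. The function names, mail.example.com, the PFX path and the default port list are assumptions; everything else is standard .NET. It covers implicit-TLS ports only (443, 465, 993, 995); STARTTLS ports such as 25/587/143 need the STARTTLS exchange before the handshake, which this example does not implement.

```powershell
# Added example (not code from the thread, Certify or SmarterMail).
# Assumed: host names, ports, the PFX path/password and the function names.
# Implicit-TLS ports only; STARTTLS (25/587/143) is not handled here.

function Get-ServedCertificate {
    # Connects to HostName:Port, completes a TLS handshake with SNI set to
    # HostName, and returns the leaf certificate the server presented.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 5000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "Timed out connecting to ${HostName}:${Port}"
        }
        $client.EndConnect($async)
        # Accept whatever the server sends: we inspect the certificate, we do
        # not trust it, so an expired or mismatched cert is still returned.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

function Test-ServedCertificate {
    # For each host/port: days until expiry, whether that is inside the alert
    # threshold, and (optionally) whether the served thumbprint equals the
    # thumbprint of the PFX file the mail server's bindings point at.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [int[]]$Port = @(443, 465, 993),
        [int]$ExpiryThresholdDays = 14,
        [string]$PfxPath,
        [securestring]$PfxPassword
    )
    $expected = $null
    if ($PfxPath) {
        $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
        $expected = $pfx.Thumbprint   # only the public half is needed for the comparison
        $pfx.Dispose()
    }
    foreach ($h in $HostName) {
        foreach ($p in $Port) {
            $result = [ordered]@{
                Host = $h; Port = $p; Subject = $null; NotAfter = $null
                DaysRemaining = $null; Expiring = $null; MatchesPfx = $null; Error = $null
            }
            try {
                $cert = Get-ServedCertificate -HostName $h -Port $p
                $days = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                $result.Subject       = $cert.Subject
                $result.NotAfter      = $cert.NotAfter
                $result.DaysRemaining = $days
                $result.Expiring      = ($days -le $ExpiryThresholdDays)
                if ($expected) { $result.MatchesPfx = ($cert.Thumbprint -eq $expected) }
            } catch {
                # A refused port or failed handshake is reported, not thrown,
                # so one bad listener does not hide the others.
                $result.Error = $_.Exception.Message
            }
            [pscustomobject]$result
        }
    }
}

# Usage (assumed host name and path). Run it interactively first.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Test-ServedCertificate -HostName 'mail.example.com' -Port 443, 465, 993 `
    -ExpiryThresholdDays 14 `
    -PfxPath 'C:\SmarterMail\Certificates\mail.example.com.pfx' -PfxPassword $pw |
    Format-Table Host, Port, DaysRemaining, Expiring, MatchesPfx, Error -AutoSize
```

For a scheduled task, replace the Read-Host with a password saved once via Export-Clixml under the task's account (DPAPI protects it for that account on that machine) and feed the objects to Send-MailMessage or Write-EventLog (the latter needs the event source registered once with New-EventLog). A MatchesPfx of False immediately after a renewal usually just means the service has not yet picked up the overwritten file; a False that persists means a binding still points at the old file.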
Jade D Replied
We use the following with LE 

Download the pluggable version, unlock, extract and copy to your mail server.
Open settings_default.json and change
"PrivateKeyExportable": false,
to
"PrivateKeyExportable": true,

Save the following as a .ps1 file and execute it on a daily basis
$pswd = ConvertTo-SecureString -String "YouRPassWordHere" -Force -AsPlainText
# Export the newest matching certificate (so a just-renewed one wins if several match) to the PFX that SmarterMail references
Get-ChildItem -Path Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Subject -like "*certificate_name_referenced_within_iis*" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1 |
    Export-PfxCertificate -FilePath "C:\SmarterMail\sslnamehere.pfx" -Password $pswd

Instructions for ps1
change YouRPassWordHere to your exportable pfx password
change certificate_name_referenced_within_iis to whatever your cert is referenced as within IIS on the mail server
change sslnamehere to whatever you are going to save the pfx as, and SmarterMail must be configured to reference this file
Steve Norton Replied
Does anyone else use 'Centralized Certificate Store' in IIS? I see many posts that have the certificate going into the computer store to then be extracted to a PFX. My setup is:
  • SmarterMail points to a PFX with a password
  • IIS points to a PFX with the same password (the same PFX copied by the script with a different name - historical reasons, aka too lazy to change)
Script 1 runs daily and checks the expiry date on the related ports; if they are expiring it connects to LE and brings down a new certificate, which is saved as a PFX with the password and overwrites the old PFX. SmarterMail and IIS, over a short period of time, start using the new certificate.
Script 2 runs daily and checks the expiry dates on the related ports to check that script 1 is doing its job (my post above).
At no point is the certificate put into the computer store and then found again using 'Where-Object', for example.
TLDR - Cert check for expiry, script brings in new PFX, SM and IIS pick it up automatically, 0% admin intervention, runs automatically year on year.
