In my previous blog post, we looked at retrieving the IIS bindings for the Exchange Back End. As mentioned, Windows Server 2019 and 2022 Core are limited in what you can access from a GUI perspective. I wanted to be able to update the SSL certificate on the Exchange Back End binding without having to open IIS on a machine and change it.
The script that I put together displays the current bindings and then provides a list of all the available certificates you can select to update them with, as shown below:
Once you select a number (in the example above, I chose 2), the script updates the binding. I had 3 set to test with, and on opening up IIS, the one selected in the script was set on the 444 binding.
Script
The script is a bit long but it works well. You can change it to another site if you need to on a server that is running IIS with just a “Default Web Site”.
# Import the Exchange module
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Import the WebAdministration module
Import-Module WebAdministration

# Specify the Exchange Back End website name
$exchangeBackendSiteName = "Exchange Back End"

# Get the existing bindings for the Exchange Back End
$exchangeBackendBindings = Get-WebBinding -Name $exchangeBackendSiteName

# Display current bindings
Write-Host "Current bindings for $exchangeBackendSiteName"
$exchangeBackendBindings | Format-Table

# Get the list of Exchange certificates on the server
# (wrapped in @() so a single certificate is still treated as a list)
$exchangeCertificates = @(Get-ExchangeCertificate)

# Display the list of available certificates
Write-Host "Available Exchange Certificates:"
$index = 1
$exchangeCertificates | ForEach-Object {
    Write-Host "$index. Thumbprint: $($_.Thumbprint), Subject: $($_.Subject), Expiry Date: $($_.NotAfter)"
    $index++
}

# Prompt to choose a certificate
$selectedCertificateIndex = Read-Host "Enter the index of the new SSL certificate"

# Validate the input. Read-Host returns a string, so parse it as an integer first;
# comparing the raw string would let non-numeric or out-of-range values such as "10" through.
$parsedIndex = 0
if (-not ([int]::TryParse($selectedCertificateIndex, [ref]$parsedIndex)) -or
    $parsedIndex -lt 1 -or $parsedIndex -gt $exchangeCertificates.Count) {
    Write-Host "Invalid index. Script exiting."
    exit
}

# Get the selected certificate
$selectedCertificate = $exchangeCertificates[$parsedIndex - 1]

# Loop through each binding and update the SSL certificate
foreach ($binding in $exchangeBackendBindings) {
    # Update only HTTPS bindings
    if ($binding.Protocol -eq "https") {
        # Remove the current certificate, then set the new SSL certificate thumbprint
        $binding.RemoveSslCertificate()
        $binding.AddSslCertificate($selectedCertificate.GetCertHashString(), "My") # Change this if your certificate is stored in a different store
    }
}

# Display updated bindings
Write-Host "Updated bindings for $exchangeBackendSiteName"
#Get-WebBinding -Name $exchangeBackendSiteName | Format-Table
I added the last line but commented it out, as it just shows the bindings again for the Exchange Back End website. If you are adding an additional one, you can enable it to show you the new bindings.
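Because the script removes the existing certificate before adding the new one, it helps to check the chosen certificate first and to read the binding back afterwards. The following is an added example, not part of the original script; the function names are hypothetical, and it assumes the certificate is in the LocalMachine "My" store and the Back End HTTPS binding is on port 444.

```powershell
# Added example. Function names are hypothetical; assumes store "My" and port 444.
Import-Module WebAdministration

function Test-BindingCandidate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return @("Not found in Cert:\LocalMachine\My") }

    $problems = @()
    $now = Get-Date
    if (-not $cert.HasPrivateKey) { $problems += "No private key; IIS cannot use it for TLS" }
    if ($cert.NotBefore -gt $now) { $problems += "Not yet valid (NotBefore $($cert.NotBefore))" }
    if ($cert.NotAfter -lt $now)  { $problems += "Expired on $($cert.NotAfter)" }

    # An empty EKU list means no usage restriction; otherwise require Server Authentication
    $eku = @($cert.EnhancedKeyUsageList | Where-Object { $_ })
    if ($eku.Count -gt 0 -and $eku.ObjectId -notcontains "1.3.6.1.5.5.7.3.1") {
        $problems += "EKU does not include Server Authentication"
    }
    return $problems
}

function Get-BoundThumbprint {
    param([int]$Port = 444)
    # IIS:\SslBindings lists the certificate registered for each IP:port
    Get-ChildItem -Path "IIS:\SslBindings" |
        Where-Object { $_.Port -eq $Port } |
        Select-Object IPAddress, Port, Store, Thumbprint
}

# Placeholder value: replace with the thumbprint chosen from the list
$candidate = "<THUMBPRINT-OF-SELECTED-CERTIFICATE>"

$issues = @(Test-BindingCandidate -Thumbprint $candidate)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    # Run the binding update here, then confirm what is actually bound
    Get-BoundThumbprint -Port 444 | ForEach-Object {
        $state = if ($_.Thumbprint -eq $candidate) { "OK" } else { "MISMATCH" }
        Write-Host "$($_.IPAddress):$($_.Port) -> $($_.Thumbprint) [$state]"
    }
}
```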
Hope it helps.