How to Combine PEM Keys and Certificates for Microsoft Exchange Usage
Also good for Java stuff
Once I've obtained free SSL certificates from Let's Encrypt, preferably wildcard ones, as described in another article here at Mimar - Let's Encrypt Wildcard Certificates On FreeBSD With BIND DNS Validation - I'm going to combine them into a single PFX file so it can be used by Microsoft Exchange to secure IMAP, SMTP, POP and IIS services.
Assuming I'm storing my Let's Encrypt certificates in certbot's default directory, and my domain is example.org, the following command creates the PFX file:
openssl pkcs12 -export -out exchange.pfx -name exchange \
-inkey /usr/local/etc/letsencrypt/live/example.org/privkey.pem \
-in /usr/local/etc/letsencrypt/live/example.org/cert.pem \
-certfile /usr/local/etc/letsencrypt/live/example.org/chain.pem
Importing exchange.pfx into Exchange Server should be as easy as navigating to Servers -> Certificates in ECP and specifying the path to the file. What remains to be done is to assign the new certificate to services. While this can be done in ECP, I prefer to do it in PowerShell in order not to reset the automatic redirection of http traffic to https.
Something like this should do the trick (just make sure to specify the correct thumbprint):
Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services POP,IMAP,SMTP,IIS -DoNotRequireSsl
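The export step and the thumbprint lookup above can be wrapped in one script that checks that privkey.pem really belongs to cert.pem, writes the PFX readable by its owner only, and prints the thumbprint to pass to Enable-ExchangeCertificate. This is an added example, not part of the original article; the function names and the password-file argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# password-file argument are assumptions made for illustration.

# SHA-1 thumbprint as colon-free hex, the form used with -Thumbprint.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# make_pfx <live-dir> <out.pfx> <password-file>
# Returns 2 if privkey.pem and cert.pem are not a pair, 1 on any openssl error.
make_pfx() {
    live=$1; out=$2; passfile=$3

    # Both commands emit the public key as PEM; identical text means the
    # private key belongs to the certificate.
    cert_pub=$(openssl x509 -in "$live/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem" >&2
        return 2
    fi

    # The bundle holds the private key: create it readable by owner only and
    # take the export password from a file instead of the command line.
    ( umask 077
      openssl pkcs12 -export -out "$out" -name exchange \
          -inkey "$live/privkey.pem" \
          -in "$live/cert.pem" \
          -certfile "$live/chain.pem" \
          -passout "file:$passfile" ) || return 1

    # Re-open the bundle to confirm the password and structure are good.
    openssl pkcs12 -in "$out" -passin "file:$passfile" -noout >/dev/null || return 1

    cert_thumbprint "$live/cert.pem"
}

# Stand-alone use: script <live-dir> <out.pfx> <password-file>
if [ "$#" -eq 3 ]; then
    make_pfx "$@"
fi
```

The password file is read by openssl on its first line only; remove both it and the PFX from the FreeBSD host once the import into Exchange has succeeded.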