diff --git a/Admin/MonitorExchangeAuthCertificate/ConfigurationAction/New-ExchangeAuthCertificate.ps1 b/Admin/MonitorExchangeAuthCertificate/ConfigurationAction/New-ExchangeAuthCertificate.ps1
index 6adb3f7bf7..0396186cf5 100644
--- a/Admin/MonitorExchangeAuthCertificate/ConfigurationAction/New-ExchangeAuthCertificate.ps1
+++ b/Admin/MonitorExchangeAuthCertificate/ConfigurationAction/New-ExchangeAuthCertificate.ps1
@@ -120,7 +120,14 @@ function New-ExchangeAuthCertificate {
                 if (($null -ne $internalTransportCertificate.Services) -and
                     ($internalTransportCertificate.Services -ne 0)) {
-                    $servicesToEnableList.AddRange(($internalTransportCertificate.Services).ToString().ToUpper().Split(",").Trim())
+                    $transportCertificateServices = ($internalTransportCertificate.Services).ToString().ToUpper().Split(",").Trim()
+                    if ($transportCertificateServices.Count -eq 1) {
+                        # Use the Add() method if only one service is bound to the transport certificate
+                        $servicesToEnableList.Add($transportCertificateServices)
+                    } else {
+                        # Use the AddRange() method otherwise
+                        $servicesToEnableList.AddRange($transportCertificateServices)
+                    }
 
                     # Make sure to remove IIS from list if the certificate was not bound to Front End Website before
                     if (($isInternalTransportBoundToIisFe -eq $false) -and
@@ -287,7 +294,13 @@ function New-ExchangeAuthCertificate {
                 try {
                     Write-Verbose ("[Required] Step 1: Set certificate: $($newAuthCertificateThumbprint) as the next Auth Certificate")
                     if ($PSCmdlet.ShouldProcess("Certificate: $newAuthCertificateThumbprint Date: $nextAuthCertificateActiveOn", "Set-AuthConfig")) {
-                        Set-AuthConfig -NewCertificateThumbprint $newAuthCertificateThumbprint -NewCertificateEffectiveDate $nextAuthCertificateActiveOn -Force -ErrorAction Stop
+                        $setAuthConfigParams = @{
+                            NewCertificateThumbprint = $newAuthCertificateThumbprint
+                            NewCertificateEffectiveDate = if ($EnableDaysInFuture -eq 0) { Get-Date } else { $nextAuthCertificateActiveOn }
+                            Force = $true
+                            ErrorAction = "Stop"
+                        }
+                        Set-AuthConfig @setAuthConfigParams
                     }
 
                     if ($EnableDaysInFuture -eq 0) {
@@ -329,7 +342,7 @@ function New-ExchangeAuthCertificate {
     #>
     Write-Verbose "Calling: $($MyInvocation.MyCommand)"
 
-    $newAuthCertificateActiveOn = (Get-Date)
+    $newAuthCertificateActiveOn = $null
     $renewalSuccessful = $false
 
     $newAuthCertificateObject = GenerateNewAuthCertificate
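Review bot: With this change the -WhatIf/-Confirm preview no longer describes what is applied: the ShouldProcess target string on the context line above still interpolates `$nextAuthCertificateActiveOn`, while the new splat passes `Get-Date` whenever `$EnableDaysInFuture -eq 0`, so an operator gating the Auth Certificate rotation on -WhatIf sees a date (possibly empty) that differs from the effective date Set-AuthConfig receives. Hoisting the choice above the ShouldProcess call fixes that and also removes the `if` expression buried inside a hashtable literal: `$nextAuthCertificateEffectiveDate = if ($EnableDaysInFuture -eq 0) { Get-Date } else { $nextAuthCertificateActiveOn }` before the `if ($PSCmdlet.ShouldProcess(...))`, `"Certificate: $newAuthCertificateThumbprint Date: $nextAuthCertificateEffectiveDate"` as the target, and `NewCertificateEffectiveDate = $nextAuthCertificateEffectiveDate` in the splat. Where `$nextAuthCertificateActiveOn` is computed is outside this hunk, so whether it is empty or merely stale in the EnableDaysInFuture-eq-0 case cannot be seen here. The enclosing try block and the function continue outside the hunk.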
@@ -339,8 +352,15 @@ function New-ExchangeAuthCertificate {
         Write-Verbose ("New Auth Certificate with thumbprint: $($newAuthCertificateThumbprint) generated - the existing one will be replaced immediately with the new one")
         try {
             Write-Verbose ("[Required] Step 1: Set certificate: $($newAuthCertificateThumbprint) as new Auth Certificate")
-            if ($PSCmdlet.ShouldProcess("Certificate: $newAuthCertificateThumbprint Date: $newAuthCertificateActiveOn", "Set-AuthConfig")) {
-                Set-AuthConfig -NewCertificateThumbprint $newAuthCertificateThumbprint -NewCertificateEffectiveDate $newAuthCertificateActiveOn -Force -ErrorAction Stop
+            if ($PSCmdlet.ShouldProcess("Certificate: $newAuthCertificateThumbprint Date: immediately", "Set-AuthConfig")) {
+                # We must use Get-Date here to ensure that the date which is passed to NewCertificateEffectiveDate parameter is a valid one
+                $setAuthConfigParams = @{
+                    NewCertificateThumbprint = $newAuthCertificateThumbprint
+                    NewCertificateEffectiveDate = ($newAuthCertificateActiveOn = Get-Date)
+                    Force = $true
+                    ErrorAction = "Stop"
+                }
+                Set-AuthConfig @setAuthConfigParams
             }
 
             Write-Verbose ("[Required] Step 2: Publish the new Auth Certificate")
diff --git a/Admin/MonitorExchangeAuthCertificate/DataCollection/Get-ExchangeAuthCertificateStatus.ps1 b/Admin/MonitorExchangeAuthCertificate/DataCollection/Get-ExchangeAuthCertificateStatus.ps1
index 2b30b9594f..d6e5e9ffcf 100644
--- a/Admin/MonitorExchangeAuthCertificate/DataCollection/Get-ExchangeAuthCertificateStatus.ps1
+++ b/Admin/MonitorExchangeAuthCertificate/DataCollection/Get-ExchangeAuthCertificateStatus.ps1
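Review bot: `NewCertificateEffectiveDate = ($newAuthCertificateActiveOn = Get-Date)` hides a variable assignment inside the splat table, so a reader scanning the Set-AuthConfig parameters does not see that `$newAuthCertificateActiveOn` (initialised to $null earlier in this same diff and presumably read again after this hunk) is set here. I'd make the side effect explicit: `$newAuthCertificateActiveOn = Get-Date` on its own line before `$setAuthConfigParams = @{`, then `NewCertificateEffectiveDate = $newAuthCertificateActiveOn` inside the table. The added comment says what is done but not why; something like `# Take the timestamp here rather than at function start so the effective date is the moment Set-AuthConfig is actually called` would tell the next maintainer what the earlier $null initialisation is for. The try block and the function continue past this hunk.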
@@ -32,8 +32,9 @@ function Get-ExchangeAuthCertificateStatus {
     $configureNextAuthRequired = $false
     $importNextAuthCertificateRequired = $false
 
-    $currentAuthCertificateValidInDays = 0
-    $nextAuthCertificateValidInDays = 0
+    # Make sure to initialize this with -1 as this is needed to properly run the validation in case that we're unable to query this information
+    $currentAuthCertificateValidInDays = -1
+    $nextAuthCertificateValidInDays = -1
 
     $exchangeServersUnreachableList = New-Object 'System.Collections.Generic.List[string]'
     $exchangeServersReachableList = New-Object 'System.Collections.Generic.List[string]'
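Review bot: The -1 sentinel introduced here is overloaded: the comment defines it as "unable to query this information", but the validation block in the next hunk also assigns -1 to a certificate that expired today, and the Pester change in this diff pins CurrentAuthCertificateLifetimeInDays to -1 with ReplaceRequired false for the not-queryable case. Consumers of the returned lifetime therefore cannot tell "unknown" from "expired today", and if the replace decision (its `-lt 0` condition begins at the end of the next hunk and continues beyond it) relies on the day count alone, an expired certificate would get the same verdict as an unqueryable one — worth a test for the expired-today path. If the overlap is intentional, document it here, e.g. `# -1 doubles as "expired today" in the validation below, so any value below 0 must be treated as a certificate that cannot be relied on`; otherwise keep a distinct sentinel (or a separate boolean) for the not-queried case. The function continues outside this hunk.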
@@ -116,11 +117,41 @@ function Get-ExchangeAuthCertificateStatus {
             ($IgnoreUnreachableServers))) {
 
             if ($exchangeServersReachableList.Count -gt $currentAuthCertificateMissingOnServersList.Count) {
-                $currentAuthCertificateValidInDays = (($currentAuthCertificate.NotAfter) - (Get-Date)).Days
+                if ($null -ne $currentAuthCertificate.NotAfter) {
+                    $currentAuthCertificateValidInDays = (($currentAuthCertificate.NotAfter) - (Get-Date)).Days
+
+                    if (($currentAuthCertificate.NotAfter).Date -lt (Get-Date)) {
+                        if ($currentAuthCertificateValidInDays -eq 0) {
+                            Write-Verbose ("The current Auth Certificate has expired today")
+                            $currentAuthCertificateValidInDays = -1
+                        } else {
+                            Write-Verbose ("The current Auth Certificate has already expired {0} days ago" -f [System.Math]::Abs($currentAuthCertificateValidInDays))
+                        }
+                    } else {
+                        Write-Verbose ("The current Auth Certificate is still valid")
+                    }
+                } else {
+                    Write-Verbose ("There is no Auth Certificate configured")
+                }
             }
 
             if ($exchangeServersReachableList.Count -gt $nextAuthCertificateMissingOnServersList.Count) {
-                $nextAuthCertificateValidInDays = (($nextAuthCertificate.NotAfter) - (Get-Date)).Days
+                if ($null -ne $nextAuthCertificate.NotAfter) {
+                    $nextAuthCertificateValidInDays = (($nextAuthCertificate.NotAfter) - (Get-Date)).Days
+
+                    if (($nextAuthCertificate.NotAfter).Date -lt (Get-Date)) {
+                        if ($nextAuthCertificateValidInDays -eq 0) {
+                            Write-Verbose ("The next Auth Certificate has expired today")
+                            $nextAuthCertificateValidInDays = -1
+                        } else {
+                            Write-Verbose ("The next Auth Certificate has already expired {0} days ago" -f [System.Math]::Abs($nextAuthCertificateValidInDays))
+                        }
+                    } else {
+                        Write-Verbose ("The next Auth Certificate is still valid")
+                    }
+                } else {
+                    Write-Verbose ("There is no next Auth Certificate configured")
+                }
             }
 
             if (($currentAuthCertificateValidInDays -lt 0) -and
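Review bot: The two 15-line blocks that compute `$currentAuthCertificateValidInDays` and `$nextAuthCertificateValidInDays` are identical apart from the variable and the word "current"/"next" in the verbose output, so I'd pull them into one helper and call it twice (sketch below; the only visible text change is "There is no Auth Certificate configured" becoming "There is no current Auth Certificate configured", and the not-configured branch returns -1, which is the new initial value set earlier in this diff, so the result is unchanged). Separately, `($currentAuthCertificate.NotAfter).Date -lt (Get-Date)` is true for any certificate whose NotAfter falls today, including one still valid for several more hours, so that certificate is logged as "has expired today" and reported as -1; if treating a certificate that expires today as already expired is the intended conservative behaviour, a comment such as `# A certificate expiring today is treated as expired so the renewal kicks in before the actual expiry time` should say so, otherwise compare the full timestamp `$currentAuthCertificate.NotAfter -lt (Get-Date)`. The helper would live wherever this file keeps its internal functions (not visible from the hunk). The enclosing condition starts before this hunk and the `-lt 0` check at its end continues beyond it.

```powershell
# … unchanged: reachability condition …
            if ($exchangeServersReachableList.Count -gt $currentAuthCertificateMissingOnServersList.Count) {
                $currentAuthCertificateValidInDays = GetAuthCertificateValidInDays -Certificate $currentAuthCertificate -Role "current"
            }

            if ($exchangeServersReachableList.Count -gt $nextAuthCertificateMissingOnServersList.Count) {
                $nextAuthCertificateValidInDays = GetAuthCertificateValidInDays -Certificate $nextAuthCertificate -Role "next"
            }
# … unchanged: the -lt 0 validation that follows …

# Remaining lifetime of an Auth Certificate in days as seen from Get-Date:
# -1 when no certificate is configured or it expires today, a negative
# day count when it expired earlier, otherwise the days left.
function GetAuthCertificateValidInDays {
    param(
        $Certificate,
        [string]$Role
    )

    if ($null -eq $Certificate.NotAfter) {
        Write-Verbose ("There is no $Role Auth Certificate configured")
        return -1
    }

    $validInDays = (($Certificate.NotAfter) - (Get-Date)).Days

    if (($Certificate.NotAfter).Date -lt (Get-Date)) {
        if ($validInDays -eq 0) {
            Write-Verbose ("The $Role Auth Certificate has expired today")
            return -1
        }
        Write-Verbose ("The $Role Auth Certificate has already expired {0} days ago" -f [System.Math]::Abs($validInDays))
        return $validInDays
    }

    Write-Verbose ("The $Role Auth Certificate is still valid")
    return $validInDays
}
```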
diff --git a/Admin/MonitorExchangeAuthCertificate/DataCollection/Tests/Get-ExchangeAuthCertificateStatus.Tests.ps1 b/Admin/MonitorExchangeAuthCertificate/DataCollection/Tests/Get-ExchangeAuthCertificateStatus.Tests.ps1
index 3dda480447..da01f6baca 100644
--- a/Admin/MonitorExchangeAuthCertificate/DataCollection/Tests/Get-ExchangeAuthCertificateStatus.Tests.ps1
+++ b/Admin/MonitorExchangeAuthCertificate/DataCollection/Tests/Get-ExchangeAuthCertificateStatus.Tests.ps1
@@ -254,7 +254,7 @@ Describe "Testing Get-ExchangeAuthCertificateStatus.ps1" {
         It "Should Not Return That An Auth Certificate Renewal Action Is Required" {
             $results | Should -Not -BeNullOrEmpty
-            $results.CurrentAuthCertificateLifetimeInDays | Should -Be 0
+            $results.CurrentAuthCertificateLifetimeInDays | Should -Be -1
             $results.ReplaceRequired | Should -Be $false
             $results.ConfigureNextAuthRequired | Should -Be $false
         }
diff --git a/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1 b/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1
index b5e74e3136..65795269c4 100644
--- a/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1
+++ b/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1
@@ -673,8 +673,10 @@ function Main {
             }
             Write-Host ("")
             Write-Host ("Test result: $($renewalActionWording)") -ForegroundColor Cyan
-            if (($authCertStatus.AuthCertificateMissingOnServers.Count -gt 0) -or
-                ($authCertStatus.NextAuthCertificateMissingOnServers.Count -gt 0)) {
+            if ((($authCertStatus.AuthCertificateMissingOnServers.Count -gt 0) -and
+                ($authCertStatus.CurrentAuthCertificateImportRequired)) -or
+                (($authCertStatus.NextAuthCertificateMissingOnServers.Count -gt 0) -and
+                ($authCertStatus.NextAuthCertificateImportRequired))) {
                 Write-Host ("`rThe script will try to import the certificate to the missing servers automatically (as long as it's valid).") -ForegroundColor Cyan
             }
         }
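Review bot: The new four-line condition in Main repeats the same `Count -gt 0 -and ...ImportRequired` pattern twice, and if `CurrentAuthCertificateImportRequired` / `NextAuthCertificateImportRequired` are only ever set when the matching MissingOnServers list is non-empty (they come from Get-ExchangeAuthCertificateStatus, whose logic is not visible here), the count checks are redundant and the line could simply read `if ($authCertStatus.CurrentAuthCertificateImportRequired -or $authCertStatus.NextAuthCertificateImportRequired) {`. If the double check is deliberate because the flag can be true while the list is empty (or vice versa), a one-line comment above the `if` stating that would keep the next reader from simplifying it. Either way the promise printed to the operator, "(as long as it's valid)", should match what those flags actually encode — verify against the status function. The enclosing Main block continues outside the hunk.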