Replacing the Edge Certificate on a CCE

Just a quick one here: at some point you may need to replace your CCE Edge certificate. It’s a pretty straightforward process, but I thought I would document it.

  1. Ensure that the CCE is currently running OK before you start:

     Get-CCApplianceStatus
    

    If the certificate has already expired it might throw some errors with stopped services, which we will fix!

  2. As Greig Sheridan mentioned in his blog post on a similar subject matter, ensure your CCE has .NET 4.6.1 (or later) installed or you will get a strange “commond” error. Note: This TechNet article now also mentions this. In most scenarios, if it is below 4.6.1 there will be a Windows update waiting for you.

  3. Raise a CSR if you haven’t already. The Common Name should be the FQDN of the “Access Proxy” in your CCE .ini file. The SANs should be the FQDN of the “Access Proxy” and sip.domain.com (domain on ap. and sip. should match).

  4. Once raised, import the certificate and export it as a .pfx including the chain, making note of the import passphrase.

  5. We now need to put the CCE into maintenance mode using:

     Enter-CCUpdate
    
  6. Now let’s change the path of where the external certificate is stored to the new one:

     Set-CcExternalCertificateFilePath -Target EdgeServer -Path <Full file path of new certificate including filename> -Import
    

    If the import passphrase is different to the passphrase from the previous certificate, you may get an error stating that the password needs to be changed.

    As the output dictates, run the following to apply the new passphrase (and then re-run Set-CcExternalCertificateFilePath):

     Register-CcAppliance -Local
    
  7. Once the certificate has been applied successfully, we can now safely exit maintenance mode:

     Exit-CCUpdate
    
  8. Confirm the certificate has indeed been updated. I like to browse to https://:5061 and check the certificate in the browser.
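
The checks around steps 3, 4 and 8 can also be scripted. This is an added example, not part of the original post: the first function inspects the exported .pfx before it is handed to Set-CcExternalCertificateFilePath, and the second reads the certificate actually served on port 5061 so its thumbprint can be compared. The function names, the file path and the contoso.com host names are placeholders, and TLS 1.2 on the Edge listener is assumed.

```powershell
# Added example, not from the original post. Function names and sample values are hypothetical.
function Test-CceEdgePfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Passphrase,
        [Parameter(Mandatory)] [string] $AccessProxyFqdn,  # "Access Proxy" FQDN from the CCE .ini
        [Parameter(Mandatory)] [string] $SipFqdn           # sip.<same domain as the Access Proxy>
    )
    # Get-PfxData reads the file without importing anything into a certificate store.
    $pfx   = Get-PfxData -FilePath $PfxPath -Password $Passphrase
    $leaf  = $pfx.EndEntityCertificates | Select-Object -First 1
    $names = @($leaf.DnsNameList | ForEach-Object { $_.Unicode })  # DNS names PowerShell reports for the cert
    $now   = Get-Date
    [pscustomobject]@{
        Thumbprint        = $leaf.Thumbprint
        NotAfter          = $leaf.NotAfter
        CnIsAccessProxy   = $leaf.GetNameInfo('SimpleName', $false) -eq $AccessProxyFqdn
        CoversAccessProxy = $names -contains $AccessProxyFqdn
        CoversSip         = $names -contains $SipFqdn
        ChainIncluded     = @($pfx.OtherCertificates).Count -gt 0   # step 4: export including the chain
        CurrentlyValid    = ($leaf.NotBefore -le $now) -and ($leaf.NotAfter -gt $now)
    }
}

function Get-ServedCertificate {
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 5061)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to read the served certificate, not to trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        # Assumption: the listener negotiates TLS 1.2.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $ssl.RemoteCertificate
    }
    finally { $tcp.Close() }
}

# Before step 6: every boolean in the result should be True.
$pw    = Read-Host -AsSecureString 'PFX passphrase'
$check = Test-CceEdgePfx -PfxPath 'C:\certs\edge-new.pfx' -Passphrase $pw `
                         -AccessProxyFqdn 'ap.contoso.com' -SipFqdn 'sip.contoso.com'
$check

# After step 7 (Exit-CCUpdate): the Edge should now serve the new certificate.
$served = Get-ServedCertificate -HostName 'ap.contoso.com'
$served.Thumbprint -eq $check.Thumbprint
```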

Hope this helps someone.