Digital cert expired - Please help
-
Wednesday, June 16, 2010 3:52 PM
Hi all, I am picking up from where a previous administrator left off and I am a bit stuck on our state of play regarding digital certs in Outlook 2007…I was hoping someone could help..
This explanation is a bit long winded but I just wanted to explain my exact position…..
We are currently experiencing issues due to an expired cert..
When we go to Outlook Web Access (OWA) we receive an error saying the certificate has expired.
When I check the cert in a browser I can see that it is valid from 15/05/2008 to 12/05/2010.
So it is indeed out of date..
We also received warnings about the expired cert when using Outlook 2007 internally in our organisation.
Now the cert that’s expired says that it was issued by DCxxxxxxx. ( This is our domain controller).
I’ve been told previously that I need to create a new cert using Powershell scripts..?
When I check the expired Exchange cert in PowerShell it shows
IsSelfSigned : False
Issuer : CN = DCxxxxxxx (Our DC)
Status: DateInvalid
So from my reading of this, it is NOT an Exchange self-assigned cert.
The cert has been issued by our domain controller.
Question: So I don't re-issue a cert through Exchange?
When I check our domain controller it has a program called Certification Authority.
However this certificate service is NOT running and is set to manual.
Question(s): How can my DC issue a cert if this is stopped? Is there a reason why this is not running? Should I start the service? What effect will this have?
I'm a bit worried that Certification Authority was stopped for a reason?
Could someone please point me in the right direction and maybe some tutorials also ?
Thx,
Ray..
Answers
-
Thursday, June 17, 2010 7:55 AM
Hi Ray,
If you want to request a new certificate for the Exchange server, the Certification Authority server must be running. To check if your Certification Authority server is working, please first open services.msc and make sure that 'Certificate Services' is started. Then try to access the certsrv web page on your Certification Authority server, such as http://DC.domain.com/certsrv. If it works, please follow these steps to import a new certificate for Exchange.
Step 1: Certificate Request
====================
1. Open Exchange management shell, type:
New-ExchangeCertificate -DomainName exchange.domain.com -SubjectName "c=us, o=contoso corp, cn=exchange.domain.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\CertRequest.req"
Note: exchange.domain.com is FQDN of your exchange server.
-SubjectName: Use this parameter to specify the Subject Name on the resulting certificate. The following X.500 fields may be present:
C = Country
ST = State
L = Location
O = Organization
OU = Organizational Unit
CN = Common Name
If the certificate request is correctly generated, a certificate request file will be created in the root of the system drive and the Exchange Management Shell will display a Thumbprint for the request.
2. Open http://DC.domain.com/certsrv, click "Request a certificate", click "Advanced certificate request". Click "Submit a certificate request by using a base-64-encoded..."
3. Locate C:\CertRequest.req and open it with Notepad. Copy all the content (including the --BEGIN...-- and --END...-- lines) into the "Saved Request" field.
4. Under Certificate Template, click Web Server. Click Submit.
5. Click Download certificate and save it to the root of the C: drive.
Step 2: Import and enable this new certificate
==================================================
1. Open Exchange management shell, type:
Import-ExchangeCertificate -Path "C:\certnew.cer"
If the certificate is successfully imported, the Exchange Management Shell will display a Thumbprint for this new certificate.
2. To enable this certificate for exchange services, type:
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services "POP","IIS","SMTP","IMAP"
If you get the error "PrivateKeyMissing", please refer to the following article:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1188
- Marked As Answer by rwaldron Thursday, June 24, 2010 2:12 PM
All Replies
-
Thursday, June 17, 2010 7:25 AM
Hi
Have a look at this:
http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
-
Thursday, June 17, 2010 9:56 AM
Hiya Thomas and thx so much for replying to me..
As in my initial post, my Domain Controller has Certificate Services but it is NOT started and it is set to manual.
So even after a reboot this service is set not to start..I'm wondering why this is set like this.
As I assumed, I feel this must be started for my DC to issue a new cert. ( The previous cert was issued by this DC)
Have you any idea why this service is set to manual and not started ?
If I start the service will it cause any issues with email ?
I am picking up from where another administrator had left off so am trying to be as careful as possible.
Your instructions are great and I will take my time reading them..
So I should start the Service ?
Ray..
-
Thursday, June 17, 2010 10:29 AM
Hi,
Do you mean that the startup type of "Certificate services" is manual? If yes, you can change it to Automatic. This will not cause any issues.
Then run Certification Authority by clicking Start->All Programs->Administrative Tools->Certification Authority. If the Certification Authority server is started, you will see a green √.
If the Certification Authority server is not working, you can reinstall it through Control Panel->Add or Remove Programs->Add/Remove Windows Components.
-
Thursday, June 17, 2010 4:55 PM
Hiya Thomas,
The certificate services is set to manual AND is NOT started..
Will there be any issues if I start it..? I think it should be running.
But I was wondering if previous administrator has deliberately stopped this service for some reason..?????
It was obviously running previously in order to issue the now out-of-date cert..
I have checked all my certs now on exchange..just to clarify where I'm at.
I have 2 certs.
1 is self signed and issued by the exchange server.....for services UM,SMTP
1 ( the expired one ) is NOT self signed and was issued by DC.... for Services IMAP,POP,UM,IIS
Should I go down the road of re-creating DC issued cert as before per your instructions ?
I'm wondering why we don't just have 1 cert, either self signed or issued via DC for all the services.. IMAP,POP,UM,IIS,SMTP
Thx again for your help.
Ray..
-
Friday, June 18, 2010 1:13 AM
Hi,
I also have no idea why Certificate Services was stopped. Maybe the administrator wanted to save some system resources like CPU usage and RAM. Generally the private Certification Authority server is not used unless people want to request a new certificate. You can start this service; it will not cause any problems with your domain and email system.
For security reasons, people use two certificates for different services. This is normal. For more information about certificates used in Exchange 2007, please read the following article:
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx#WhenCAWhenSelf
Since the original certificate has expired, you need to request a new one from the Certification Authority server for these services (IMAP,POP,UM,IIS).
-
Friday, June 18, 2010 8:34 AM
Brilliant,
Thanks so much for your help Thomas..
I will let you know how I get on..
Just one small sneaky further question :)
Is it possible to use an Exchange self-assigned cert on our Outlook Web Access (OWA) and NOT have to pay for one from a 3rd party, e.g. Thawte..
What I mean is will I always get an untrusted cert warning from our OWA site UNLESS I buy a 3rd party cert ?..Before our cert expired it always gave a warning saying it was untrusted....
Thx,
Ray..
-
Friday, June 18, 2010 9:41 AM
Hi Ray,
You are welcome.
If you use a self-assigned certificate on OWA, people will get an untrusted certificate warning until they install this certificate in their "Trusted Root Certification Authorities" store. A user trusting a CA means that the CA certificate is held in the user's Trusted CAs store.
How to install the certificate in "Trusted Root Certification Authorities" store
=======================================================
1. Click Certificate error, then click View Certificates.
2. Click Install Certificate, click Next.
3. Select "Place all certificates in the following store", click Browse.
4. Select "Trusted Root Certification Authorities" then click Ok.
5. Restart IE.
After that, you can access OWA without getting un-trusted certificate warning.
How to check the existing Trusting CA
===========================
1. Click start button->run, type: MMC.
2. Click File->Add/Remove Snap-in. Click Add button.
3. Highlight Certificates and click Add.
4. Select "Computer account", then select "Local computer". Click Finish.
You will also find the public CAs like Thawte under "Trusted Root Certification Authorities\Certificates".
- Proposed As Answer by Jonas Andersson [MCITP]Microsoft Community Contributor Friday, June 18, 2010 11:36 AM
-
Friday, June 18, 2010 11:31 AM
Thank you so much for your help Thomas..
Ray..
-
Friday, June 18, 2010 11:55 AM
Hi Thomas,
I have noticed that our current expired cert covers multiple (6) domains
eg:
mymailserver
mymailserver.domain.somewhere.com
owa.somewhere.com
So is the syntax for a new Exchange cert for multiple domains similar to below, comma separated?
New-ExchangeCertificate -DomainName mymailserver,mymailserver.domain.somewhere.com,owa.somewhere.com -SubjectName etc etc etc
-
Monday, June 21, 2010 1:26 AM
Yes, you are correct.
-
Thursday, June 24, 2010 11:24 AM
Hiya Thomas,
I went through your procedure today !!
All went smoothly until the very last step. :(
I ran the New-exchangecertificate command and got a thumbprint returned eg: 123456789
I requested a new cert from DC and Imported the cert into exchange .
I then ran the cmdlet enable-exchangecertificate 123456789 -services:"IMAP","pop","UM","IIS"
I get the error "the certificate with thumbprint 123456789 was not found"
If I try to import again I get the error that the cert with this Thumbprint already exists?
If I list the certs I DON'T see the cert with the thumbprint 123456789
I don't think this is similar to the issue you mentioned regarding "PrivateKeyMissing"?
My error is that no thumbprint was found at all?
Any ideas ?
Thx,
Ray..
-
Thursday, June 24, 2010 11:56 AM
Hiya Thomas,
I figured this one out but don't know why it was happening..you may also find this of interest..
When I imported the cert into exchange I got a thumbprint returned called eg:123456789
Then I get the thumbprint not found error when trying to enable services.
I checked the full list of certs and did find the cert I have just created but it has a DIFFERENT Thumbprint to the one returned above?
When I enable the services on this thumbprint all works!! Strange or what?
Is it ok to delete certs that are no longer valid..Should I export first and then delete.
Also, the question about the non-trusted website out on the web?
When I install the cert to a trusted store I STILL get the non-trusted warning?
Thanks for all your help
Ray..
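Thomas's two-step procedure above, the multi-domain syntax Ray asked about, and Ray's observation that the thumbprint echoed at import did not match the stored certificate, rolled into one Exchange Management Shell script. This is an added example, not code from the thread; the host names, the CA config string and the file paths are placeholder assumptions, and certreq is used in place of the certsrv web page.

```powershell
# Added example (not from the thread): renew an Exchange 2007 certificate from an
# internal Windows CA in one Exchange Management Shell script. The host names, the
# CA config string and the paths below are placeholders to adjust.
$Domains  = "mymailserver", "mymailserver.domain.somewhere.com", "owa.somewhere.com"
$Subject  = "C=US, O=Contoso Corp, CN=owa.somewhere.com"
$CaConfig = 'DC.domain.com\Contoso-Issuing-CA'   # "<CA host>\<CA name>"; certutil -dump shows it
$ReqPath  = "C:\CertRequest.req"
$CerPath  = "C:\certnew.cer"

# Record which services the expired CA-issued certificate was serving so the same
# set can be bound to its replacement (Ray's carried IMAP, POP, UM and IIS).
$old = Get-ExchangeCertificate |
    Where-Object { $_.Status -eq "DateInvalid" -and -not $_.IsSelfSigned } |
    Select-Object -First 1
if ($old) { $services = $old.Services } else { $services = "IIS","POP","IMAP" }

# 1. Generate the request; the private key is created in the local machine store
#    of this server, so the import in step 3 must run on the same server.
New-ExchangeCertificate -DomainName $Domains -SubjectName $Subject `
    -PrivateKeyExportable:$true -GenerateRequest:$true -Path $ReqPath

# 2. Submit the request to the enterprise CA with the Web Server template (what the
#    certsrv page does interactively) and save the issued certificate.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer" $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "CA submission failed; check that Certificate Services is running" }

# 3. Import the issued certificate; Exchange pairs it with the pending private key.
Import-ExchangeCertificate -Path $CerPath | Out-Null

# 4. Find the new certificate by its name and validity period rather than trusting
#    the thumbprint printed on screen, which Ray found differed from the stored one.
$new = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*CN=owa.somewhere.com*" -and $_.NotAfter -gt (Get-Date) -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "Issued certificate not found in the Exchange certificate store" }
if (-not $new.HasPrivateKey) { throw "PrivateKeyMissing: the key for this request is not on this server" }

# 5. Bind the services to the new certificate and show what is now in effect.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Issuer, NotAfter, Services
```

If the CA template requires manager approval, certreq reports the request as pending and the import step must wait until the certificate has been issued.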

