ExchangeCertificate expired, how to create identical

    Question

  • Hi,
    Our Exchange 2007 certificate expired, so I created a new one. But only then did I find out that I had to use the command:

    "Get-ExchangeCertificate -Thumbprint <old> | New-ExchangeCertificate"

    So now my new certificate is different in some parameters.
    The old certificate had these parameters:
    • IsSelfSigned : False
    • RootCAType   : Enterprise
    • Issuer       : CN=MyCompany Region Issuing CA, DC=root, DC=int
    • Subject      : CN=as.mycompany.com, O=MyCompany Region, C=com
    The new certificate has these parameters:
    • IsSelfSigned : True
    • RootCAType   : Registry
    • Issuer       : CN=MyCompany Region Root CA, DC=root, DC=int
    • Subject      : CN=MyCompany Region Root CA, DC=root, DC=int
    And I remember that the old certificate was a child in some kind of certificate hierarchy:

    - MyCompany Region Issuing CA
           - MyCompany Region Root CA
                              - as.mycompany.com

    The parent certificates exist on the internal Windows domain controllers. But I do not know how to put the new certificate into this hierarchy.
    "root.int" is the name of the internal Windows domain.


    Everything else between the certificates looks the same.


    The problem is I can't find out how to create the new certificate so that it has the same parameters as the old one. Unfortunately I've already deleted the old certificate and have only a copy of its configuration. And I do not know if it was created in-house or bought from a third-party company.

    Maybe I should never mind these differences, but OOF and "Outlook Anywhere" are not working. I still can't figure out why.


    Monday, August 10, 2009 2:27 PM

Answers

  • Well, I replaced the certificate with the new one, installed it on the client computer and everything is working. Though the Test-autodiscover command still gives the same error.
    • Marked as answer by TTadz Thursday, August 13, 2009 5:40 AM
    Thursday, August 13, 2009 5:40 AM

All replies

  • I hope the below may help you

    http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
    Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
    Monday, August 10, 2009 3:15 PM
  • Thanks, but I've read this several times already and haven't found the information I need...
    Monday, August 10, 2009 3:31 PM
  • I found the old certificate ("filename.cer") installed on one of the computers. I imported it into Exchange, but can't enable it because of "PrivateKeyMissing".
    Any ideas how I could make a copy of it?

    Monday, August 10, 2009 4:55 PM
  • A cert from the client computer would not work. If you wish to get the old cert back, you can visit the certificate container (mmc -> Certificates -> Computer account -> Personal) and note the thumbprint of the certificate you wish to enable (if you've not manually deleted it from there).
    You could run "Get-ExchangeCertificate -Thumbprint ###### | New-ExchangeCertificate" to renew this one.

    Hope this helps
    - Satish
    na
    Tuesday, August 11, 2009 12:53 AM
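    An added example, not from this thread: a PowerShell inventory of the same Computer account -> Personal store Satish points at, printing for each certificate the properties the original poster compared (self-signed vs. CA-issued, issuer/subject, expiry, private key present) and whether Windows can still build a chain to a trusted root. It assumes an elevated PowerShell on the Exchange server and uses only the built-in Cert: drive and .NET X509 classes, no Exchange cmdlets.

```powershell
# Added example (not from the thread): list the Computer account Personal store
# and show why a certificate may look "different" after a renewal.
# Assumes an elevated PowerShell session on the Exchange server.
$now = Get-Date
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # A certificate is self-signed when Subject and Issuer are the same name;
    # an enterprise-CA certificate names the issuing CA in Issuer instead.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Build the chain the way Windows does for TLS: tells you whether the
    # issuing CA and root CA certificates are present and trusted on this box.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = `
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainNames = @()
    foreach ($el in $chain.ChainElements) { $chainNames += $el.Certificate.Subject }
    $problems = @()
    foreach ($s in $chain.ChainStatus) { $problems += $s.Status.ToString() }

    $daysLeft = [int]($cert.NotAfter - $now).TotalDays

    ""
    "Thumbprint : $($cert.Thumbprint)"
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "SelfSigned : $selfSigned"
    # Without the private key Exchange reports PrivateKeyMissing when enabling it.
    "HasPrivKey : $($cert.HasPrivateKey)"
    "NotAfter   : $($cert.NotAfter)  ($daysLeft days left)"
    # Chain elements are listed leaf first, then issuing CA, then root CA.
    "ChainOK    : $chainOk  [" + [string]::Join(" <- ", $chainNames) + "]"
    if (-not $chainOk) { "ChainError : " + [string]::Join(", ", $problems) }
}
```

    Running this before a certificate is deleted records the issuer and chain you would need to reproduce when requesting a replacement from the same CA.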
  • Well, I deleted the old certificate from the Certificate Container.
    Though I found it exported on the server, maybe from the day it was first created, but I can't import it because I do not know the password.

    Tried lots of things; the main problem is that Autodiscovery doesn't work:
    When contacting https://ltdcmnlb.root.int/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

    I think that is why OOF and Outlook from outside don't work.
    But I don't get why Autodiscovery can't be authorized.
    Tuesday, August 11, 2009 5:52 AM
  • HTTP 401 is not related to a certificate issue. It could be misconfigured authentication on the Autodiscover virtual directory.
    Is Autodiscover configured for integrated authentication? Disable kernel mode authentication if this is IIS 7.
    na
    Wednesday, August 12, 2009 1:21 AM
  • Thanks for narrowing the scope, though my Autodiscover in IIS is already configured for Windows integrated authentication. And it is not IIS 7; these are Windows 2003 servers.
    Maybe some other directories of the IIS need to have special authentication set? Though OWA is working well.
    Wednesday, August 12, 2009 6:06 AM
  • Do you have a proxy server configured for the clients?
    Also, look for security failure events 538/539. It could mean the loopback check security is causing a problem.
    na
    Wednesday, August 12, 2009 7:37 PM
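    An added example, not from this thread, that gathers the three things Satish's replies ask about on a Windows 2003 / IIS 6 Exchange server: the authentication flags on the Autodiscover virtual directory, recent Security-log entries with the event IDs 538 and 539 he mentions, and whether the loopback check is in effect. It assumes an elevated PowerShell on the Client Access server and uses the IIS 6 WMI provider (root\MicrosoftIISv2) and the built-in event-log and registry cmdlets.

```powershell
# Added example (not from the thread): collect the Autodiscover 401 diagnostics
# suggested in the replies. Assumes an elevated PowerShell on the IIS 6 server.

# 1. Authentication on the Autodiscover virtual directory. AuthFlags is a bitmask:
#    1 = Anonymous, 2 = Basic, 4 = Integrated Windows (NTLM/Negotiate).
$vdirs = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebVirtualDirSetting |
    Where-Object { $_.Name -like "*/Autodiscover" }
foreach ($v in $vdirs) {
    $flags = [int]$v.AuthFlags
    "Vdir       : $($v.Name)"
    "Anonymous  : $(($flags -band 1) -ne 0)"
    "Basic      : $(($flags -band 2) -ne 0)"
    "Integrated : $(($flags -band 4) -ne 0)"   # Outlook needs this on for Autodiscover
}

# 2. Recent Security-log entries with the IDs the reply points at (538/539),
#    keeping only audit failures so successful logons do not drown them out.
$hits = Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { ($_.EventID -eq 538 -or $_.EventID -eq 539) -and
                   $_.EntryType -eq "FailureAudit" }
"Security failures 538/539 in last 2000 entries: $($hits.Count)"
foreach ($e in $hits) { "  $($e.TimeGenerated)  EventID=$($e.EventID)  $($e.Message.Split([char]10)[0])" }

# 3. Loopback check: with it enabled, an NTLM request from the server to itself
#    under a name that is not the machine name (a load-balanced FQDN such as
#    ltdcmnlb.root.int in the thread) is rejected with 401.
$lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
if ($lsa.DisableLoopbackCheck -eq 1) {
    "LoopbackCheck : disabled (DisableLoopbackCheck=1)"
} else {
    "LoopbackCheck : enabled; local tests against the load-balanced name may get 401"
}
```

    The loopback check guards against NTLM reflection, so rather than disabling it outright, list the specific host names in the BackConnectionHostNames value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 if the local test is the only thing failing.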
  • Well, I replaced the certificate with the new one, installed it on the client computer and everything is working. Though the Test-autodiscover command still gives the same error.
    • Marked as answer by TTadz Thursday, August 13, 2009 5:40 AM
    Thursday, August 13, 2009 5:40 AM
  • WOW TTadz! Same exact issue as I am having. I spoke with an Exchange expert (friend) last night, and was instructed that if your certificate IsSelfSigning=FALSE, that means it was not created on your Exchange server. Most likely it was created wherever your CA resides. My Certificate Authority service resides on my DC. As far as the RootCAType, I am not sure. Mine is Enterprise. Just know that if you do this on your CA, you might want to back up your CA (all certificates) before you make changes. That way if you mess it up you can restore it. You simply right-click in the Certificate Authority on the domain and then you can back it up. Also, creating certificates from this panel in the CA will cause the CA to pause or stop temporarily, so you will want to do this during non-production hours.

    I am going to try to implement my new certificate this weekend.  I will report back and let you know how it goes.

    Friday, February 17, 2012 8:26 PM