Help renewing a self signed cert on 2007 (walked into this setup and confused)

  • Question

  • I walked into a setup due to an employee being let go at a client, and am very confused as to how their cert is/was set up.  Essentially they have 2 exchange servers.  1 is at their main office, and the other is at a remote office, and the remote server is the one I am having the issue with.

    Self signed certs are used at both sites/exchange servers.  I received a call from a user at the remote site who said that every time they open outlook, they get the popup that the certificate is invalid.  They are still able to proceed as normal after clicking ok, but I would like to get this resolved.  

    I opened up their exchange setup on the remote server, and found the following certificates. All are expired.

    I have replaced the actual domain name and server name with generics. Where "mainexchangeserver" is used, it refers to the server name of the exchange server at the main office.



    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {server.domainname.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=AAA, DC=domainname, DC=com
    NotAfter           : 6/30/2013 2:19:09 PM
    NotBefore          : 6/29/2013 11:33:38 PM
    PublicKeySize      : 1024
    RootCAType         : Enterprise
    SerialNumber       : 546184290000000000E2
    Services           : IMAP, POP
    Status             : DateInvalid
    Subject            : CN=server.domainname.com
    Thumbprint         : 9621CF6B276CA85389050D4ABF1D5BD004EED0B7

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {server, servername.domainname.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=server
    NotAfter           : 6/20/2012 2:58:35 PM
    NotBefore          : 6/20/2011 2:58:35 PM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 1DCD54DD165A378542AF926199F0F25B
    Services           : IMAP, POP, SMTP
    Status             : Invalid
    Subject            : CN=server
    Thumbprint         : BDAD3027C4D55FF7AFE4AF0B0BBB27A945B08009

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {remote.domainname.com, mainexchangeserver, mainexchangeserver.domainname.c
                         om, autodiscover.domainname.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=remote.domainname.com
    NotAfter           : 10/18/2011 1:49:42 PM
    NotBefore          : 10/18/2010 1:49:42 PM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : F2975DE57A7DC9824B8FE3A4E2639D07
    Services           : None
    Status             : Invalid
    Subject            : CN=remote.domainname.com
    Thumbprint         : 986E9B20ECECD6B150072ADEEA443AABECFAFAE9


    The certificate that is popping up for users is the very first one.  Oddly, it appears it was only valid for 1 day at the end of June.  I have no idea how or when this happened.  The odd thing is, it is showing as not self signed, so I am guessing it was obtained from somewhere?  Though if it was, it is the strangest cert I have ever seen.  I do have experience with exchange certs, but only in Exchange 2010 using enterprise certs like Godaddy, and it has never been an issue.

    My question here is, what is the best way to proceed forward without causing some sort of issue where users of that server are completely unable to connect to the server?  Despite IIS not being attached to any of those certs, users can log into OWA just fine on that server.

    Should I be deleting out ALL of the certs, and then creating a new self signed cert and assigning all the services to it?  Will this cause a problem for outlook profiles and cell phones that connect?

    Thank you in advance for any advice / direction you can provide.


    Wednesday, July 17, 2013 1:05 AM

Answers

  • Hello,

    After you correctly renew a self-signed certificate and assign services to it, it still doesn't work. The reason may be that the new certificate is not put into effect and the changes do not sync to your IIS.

    Could you possibly post the result of Get-ExchangeCertificate | FL after renewing? I'd like to help you check it.

    If it is the synchronization problem, you can try to restart IIS service by running iisreset /noforce from a command prompt window.

    Hope it can help you.

    Best regards

    Friday, July 19, 2013 9:08 AM

All replies

  • All you need to do to renew a self-signed certificate is run New-ExchangeCertificate, and then you use Enable-ExchangeCertificate to apply it to services.

    Here's an article that looks right:  http://www.msexchangegeek.com/2009/04/24/how-to-renew-a-self-signed-certificate-in-exchange-server-2007/

    Since you asked the best way of proceeding, that would be to get a third-party certificate from someone like Go Daddy.

    And I do recommend removing expired certificates because I like things to be clean, but in my experience you don't have to.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."


    Wednesday, July 17, 2013 2:13 AM
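    The renew-then-bind sequence described in the reply above, written out as an added example for the Exchange 2007 Management Shell (this script is not from the thread or from Microsoft; the host names are placeholders based on the generic names used in the question, and the list of services to bind is an assumption to adjust for the server's role):

```powershell
# Added example (not from this thread): inventory Exchange 2007 certificates,
# issue a replacement self-signed certificate carrying the names clients use,
# bind services to it, and only then remove certificates that are expired and
# no longer bound to anything. Run in the Exchange Management Shell on the
# affected server. Host names below are placeholders, not real values.
$names = @("remote.domainname.com", "autodiscover.domainname.com")   # assumed SANs
$servicesToBind = "IIS, SMTP, POP, IMAP"                               # assumed services

# 1. Record the current state before changing anything.
$before = Get-ExchangeCertificate
$before | Format-Table Thumbprint, Status, NotAfter, Services, IsSelfSigned -AutoSize

# 2. Create the replacement self-signed certificate (valid one year by default).
$new = New-ExchangeCertificate -DomainName $names `
        -SubjectName "CN=$($names[0])" `
        -FriendlyName "Exchange self-signed $(Get-Date -Format yyyy-MM-dd)" `
        -PrivateKeyExportable $true
Write-Host "New certificate thumbprint: $($new.Thumbprint)"

# 3. Bind the services to the new certificate. Binding SMTP replaces the
#    default SMTP certificate, so the shell may ask for confirmation here.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $servicesToBind

# 4. Verify that the bindings moved. Any certificate still listing services
#    other than "None" is in use and must not be deleted.
$after = Get-ExchangeCertificate
$after | Format-List Thumbprint, Status, NotAfter, Services, CertificateDomains

# 5. Remove only certificates that are expired AND unbound, never the new one.
$stale = $after | Where-Object {
    $_.NotAfter -lt (Get-Date) -and
    $_.Services -eq "None" -and
    $_.Thumbprint -ne $new.Thumbprint
}
foreach ($c in $stale) {
    Write-Host "Removing expired, unbound certificate $($c.Thumbprint) (expired $($c.NotAfter))"
    Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
}

# 6. IIS keeps serving the certificate it started with; restart it so OWA and
#    Outlook pick up the new one (the check in step 4 is what confirms this).
iisreset /noforce
```

    Re-run Get-ExchangeCertificate | FL afterwards and confirm the new thumbprint is the only one showing the bound services and a Status of Valid.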
  • Thank you so much for your help.  Now here is an odd issue I ran into.  I created a new cert, assigned it services, and deleted out the old expired cert.  The odd thing is, the expired cert is still showing up when I connect to OWA and through outlook.  I tried rebooting the server, but I am still experiencing the issue.  Is there anything else I need to do?


    Wednesday, July 17, 2013 11:23 PM
  • How do you know that the old certificate is showing up?

    Have you verified that the old certificate is gone?

    Get-ExchangeCertificate
    Get-ExchangeCertificate | FL


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, July 19, 2013 6:03 AM