Renew Exchange 2007 self signed SSL cert : Warning

  • Question

  • Hi,

    We are getting an issue with the new SSL certificate being created.

    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Send to Internet.

    Here's the output below:

    [PS] C:\Windows\System32>get-exchangecertificate | list

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOEX2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 1:46:15 PM
    NotBefore          : 7/23/2012 1:46:15 PM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 52F90CEC000000000005
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 11:44:05 AM
    NotBefore          : 7/23/2012 11:44:05 AM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 5289341C000000000003
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB

    [PS] C:\Windows\System32>get-exchangecertificate 1B6705DB9755A75E94F5B05081AEDED3A0065D4A | New-ExchangeCertificate

    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Default PPLOEX2K7.
    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Send to Internet.

    Confirm
    Overwrite existing default SMTP certificate, '99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB' (expires 7/23/2014 11:44:05 AM), with certificate 'F835E526BC8D3805E7AA230A17C5971872D3759C' (expires 7/22/2015 10:17:51 AM)?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):y

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    F835E526BC8D3805E7AA230A17C5971872D3759C  .....      C=ph, S=NCR, L=Pasig, O...

    [PS] C:\Windows\System32>get-exchangecertificate | list

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOEX2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.com
    NotAfter           : 7/22/2015 10:17:51 AM
    NotBefore          : 7/22/2014 10:17:51 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 6B5A6E27C63C36A54FDD3E07FF982497
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.com
    Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOEX2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 1:46:15 PM
    NotBefore          : 7/23/2012 1:46:15 PM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 52F90CEC000000000005
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 11:44:05 AM
    NotBefore          : 7/23/2012 11:44:05 AM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 5289341C000000000003
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB

    Services: [PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint F835E526BC8D3805E7AA230A17C5971872D3759C -Service IIS, SMTP, IMAP, POP

    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Default PPLOEX2K7.
    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Send to Internet.

    [PS] C:\Windows\System32>


    • Edited by Jammizi Tuesday, July 22, 2014 3:18 AM
    Tuesday, July 22, 2014 3:14 AM

Answers

  • Hi Jammizi,

    I collected some information from the command results, as below:

    1. When running the Get-ExchangeCertificate | FL command, it returned 2 certificates.
    •Certificate01
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    IsSelfSigned       : False
    Services           : IMAP, POP, IIS
    •Certificate02
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    IsSelfSigned       : False
    Services           : IMAP, POP, SMTP

    2. When running Get-ExchangeCertificate 1B….4A (Certificate01) | New-ExchangeCertificate, you got a warning.

       Certificate02 (99…BB) was overwritten by Certificate03 (F8…9C).

    3. When running the Get-ExchangeCertificate | FL command again, it returned 3 certificates.
    •Certificate03
    Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C
    IsSelfSigned       : True
    Services           : IMAP, POP, SMTP
    •Certificate01
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    IsSelfSigned       : False
    Services           : IMAP, POP, IIS
    •Certificate02
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    IsSelfSigned       : False
    Services           : IMAP, POP, SMTP

    4. When running the Enable-ExchangeCertificate command for Certificate03, you got a warning.

    According to the information above, please notice that neither Certificate01 nor Certificate02 is a self-signed certificate, and the New-ExchangeCertificate command in Exchange 2007 creates a new Exchange self-signed certificate. I suggest double-checking whether your org has self-signed certificates. If your org only needs 3rd-party certificates without a self-signed certificate, I suggest applying for a new certificate from a CA.

     

    Thanks

    Mavis

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Mavis Huang
    TechNet Community Support

    Wednesday, July 23, 2014 3:20 AM
    Moderator
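Putting the warning and the answer together: for any connector whose FQDN is covered by both certificates, Exchange uses the CA-signed one and ignores the self-signed one, so the renewed self-signed certificate F835…759C changes nothing for 'Send to Internet' or 'Default PPLOEX2K7' while 1B67…5D4A is valid, and both CA-signed certificates in the listing expire on 7/23/2014, the day after the question was posted. The script below is an added example for the Exchange 2007 Management Shell; it is not part of this thread and not Microsoft tooling. It lists every certificate with its expiry and services, then walks the Send and Receive connectors and shows which certificate wins for each connector FQDN by applying only the rule the warning states (CA-signed beats self-signed). The `$ExpiryWarningDays` threshold, the `Test-FqdnMatch` helper and the latest-expiry-first ordering among certificates of the same kind are this example's own assumptions, not documented Exchange behaviour.

```powershell
# Added example, not from the original thread: run inside the Exchange 2007 Management Shell.
# Shows which certificate each Send/Receive connector FQDN would use for TLS, applying the
# precedence rule stated in the warning: a CA-signed certificate (IsSelfSigned = False)
# beats a self-signed one that covers the same FQDN.
# Assumptions of this example (not Exchange settings): the $ExpiryWarningDays threshold,
# the Test-FqdnMatch helper, and ordering same-kind certificates by latest expiry first.

param(
    [int]$ExpiryWarningDays = 30
)

function Test-FqdnMatch {
    # $true when a CertificateDomains entry covers the connector FQDN: exact
    # case-insensitive match, or a single leading wildcard label ("*.example.com").
    param([string]$CertDomain, [string]$Fqdn)
    if ($CertDomain -ieq $Fqdn) { return $true }
    if ($CertDomain.StartsWith('*.')) {
        $suffix = $CertDomain.Substring(1)      # ".example.com"
        $dot = $Fqdn.IndexOf('.')
        return (($dot -gt 0) -and ($Fqdn.Substring($dot) -ieq $suffix))
    }
    return $false
}

function Get-TlsCertificateCandidates {
    # Usable certificates for one FQDN, ordered as the warning describes:
    # CA-signed before self-signed; within a group, the latest-expiring first.
    param([string]$Fqdn, [object[]]$Certificates)
    $matching = @()
    foreach ($cert in $Certificates) {
        if (-not $cert.HasPrivateKey -or $cert.Status -ne 'Valid') { continue }
        foreach ($domain in $cert.CertificateDomains) {
            if (Test-FqdnMatch -CertDomain ([string]$domain) -Fqdn $Fqdn) { $matching += $cert; break }
        }
    }
    $matching | Sort-Object -Property @{Expression={$_.IsSelfSigned}; Ascending=$true},
                                      @{Expression={$_.NotAfter};     Descending=$true}
}

$certs = @(Get-ExchangeCertificate)
$now   = Get-Date

# 1. Expiry overview: which services lose their certificate, and when.
"=== Certificates on $env:COMPUTERNAME ==="
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $flag = ''
    if ($daysLeft -le $ExpiryWarningDays) { $flag = '  <-- expires soon' }
    "{0}  selfSigned={1,-5} services={2,-16} expires={3:yyyy-MM-dd} ({4} days){5}" -f `
        $c.Thumbprint, $c.IsSelfSigned, $c.Services.ToString(), $c.NotAfter, $daysLeft, $flag
}

# 2. Connector view: reproduce the "takes precedence" reasoning for each connector FQDN.
$connectors = @()
foreach ($sc in @(Get-SendConnector))    { $connectors += @{ Kind='Send';    Name=$sc.Name; Fqdn=[string]$sc.Fqdn } }
foreach ($rc in @(Get-ReceiveConnector)) { $connectors += @{ Kind='Receive'; Name=$rc.Name; Fqdn=[string]$rc.Fqdn } }

""
"=== TLS certificate selection per connector ==="
foreach ($conn in $connectors) {
    if ($conn.Fqdn -eq '') { continue }   # no explicit FQDN on the connector: nothing to match here
    $candidates = @(Get-TlsCertificateCandidates -Fqdn $conn.Fqdn -Certificates $certs)
    "{0} connector '{1}' (FQDN {2}):" -f $conn.Kind, $conn.Name, $conn.Fqdn
    if ($candidates.Count -eq 0) { "    no valid certificate with a private key matches this FQDN"; continue }
    $winner = $candidates[0]
    "    uses     {0} (selfSigned={1}, expires {2:yyyy-MM-dd})" -f $winner.Thumbprint, $winner.IsSelfSigned, $winner.NotAfter
    for ($i = 1; $i -lt $candidates.Count; $i++) {
        "    shadowed {0} (selfSigned={1}): only used once {2} is expired or removed" -f `
            $candidates[$i].Thumbprint, $candidates[$i].IsSelfSigned, $winner.Thumbprint
    }
}
```

Run it before piping a certificate into New-ExchangeCertificate. If the "uses" line for an Internet-facing connector names a CA-signed certificate that is flagged as expiring soon, the remedy the answer points to is a new CA-issued certificate (New-ExchangeCertificate -GenerateRequest, then Import-ExchangeCertificate and Enable-ExchangeCertificate), not a refreshed self-signed one; the self-signed certificate only comes into play once no CA-signed certificate covers that FQDN. Exchange's real selector may apply further tie-breakers beyond the CA-signed-first rule, which is all this script reproduces.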

All replies

  • Hi Jammizi,

    I am just writing to see if you have had the opportunity to test the solution. If anything is unclear in the information I provided earlier, please don't hesitate to let me know. I am glad to be of assistance.

     

    Thanks

    Mavis


    Mavis Huang
    TechNet Community Support

    Monday, July 28, 2014 1:41 AM
    Moderator