Renew Exchange 2007 self signed SSL cert : Warning

Question
Hi,
We are getting an issue with the new SSL certificate being created:

WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Send to Internet.

Here's the code below:
[PS] C:\Windows\System32>get-exchangecertificate | list

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOEX2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter           : 7/23/2014 1:46:15 PM
NotBefore          : 7/23/2012 1:46:15 PM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 52F90CEC000000000005
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter           : 7/23/2014 11:44:05 AM
NotBefore          : 7/23/2012 11:44:05 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 5289341C000000000003
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB

[PS] C:\Windows\System32>get-exchangecertificate 1B6705DB9755A75E94F5B05081AEDED3A0065D4A | New-ExchangeCertificate
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Default PPLOEX2K7.
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Send to Internet.

Confirm
Overwrite existing default SMTP certificate, '99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB' (expires 7/23/2014 11:44:05 AM), with certificate 'F835E526BC8D3805E7AA230A17C5971872D3759C' (expires 7/22/2015 10:17:51 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y

Thumbprint                                 Services   Subject
----------                                 --------   -------
F835E526BC8D3805E7AA230A17C5971872D3759C   .....      C=ph, S=NCR, L=Pasig, O...

[PS] C:\Windows\System32>get-exchangecertificate | list

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOEX2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.com
NotAfter           : 7/22/2015 10:17:51 AM
NotBefore          : 7/22/2014 10:17:51 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B5A6E27C63C36A54FDD3E07FF982497
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.com
Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain.com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOEX2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter           : 7/23/2014 1:46:15 PM
NotBefore          : 7/23/2012 1:46:15 PM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 52F90CEC000000000005
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.[mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
NotAfter           : 7/23/2014 11:44:05 AM
NotBefore          : 7/23/2012 11:44:05 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 5289341C000000000003
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=ph
Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB

[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint F835E526BC8D3805E7AA230A17C5971872D3759C -Service IIS, SMTP, IMAP, POP
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Default PPLOEX2K7.
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following connectors match that FQDN: Send to Internet.
[PS] C:\Windows\System32>
Jammizi, Tuesday, July 22, 2014 3:14 AM (edited by Jammizi Tuesday, July 22, 2014 3:18 AM)
Answers
Hi Jammizi,
I collected some information from the command results, as below:
1. When you ran the Get-ExchangeCertificate | FL command, it returned 2 certificates.
•Certificate01
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
IsSelfSigned : False
Services : IMAP, POP, IIS
•Certificate02
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
IsSelfSigned : False
Services : IMAP, POP, SMTP
2. When you ran Get-ExchangeCertificate 1B….4A (Certificate01) | New-ExchangeCertificate, you got a warning.
Overwrite Certificate02 (99…BB) with Certificate03 (F8…9C).
3. When you ran the Get-ExchangeCertificate | FL command, it returned 3 certificates.
•Certificate03
Thumbprint : F835E526BC8D3805E7AA230A17C5971872D3759C
IsSelfSigned : True
Services : IMAP, POP, SMTP
•Certificate01
Thumbprint : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
IsSelfSigned : False
Services : IMAP, POP, IIS
•Certificate02
Thumbprint : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
IsSelfSigned : False
Services : IMAP, POP, SMTP
4. When you ran the Enable Certificate03 command, you got a warning.
According to the information above, please notice that neither Certificate01 nor Certificate02 is a self-signed certificate. And the New-ExchangeCertificate command in Exchange 2007 server is for creating a new Exchange self-signed certificate. I suggest double-checking whether your org has self-signed certificates. If your org only needs 3rd-party certificates without a self-signed certificate, I suggest applying for a new certificate from a CA.
Thanks
Mavis
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
Mavis Huang
TechNet Community Support
Marked as answer by Mavis_Huang (Moderator) Monday, August 4, 2014 10:00 AM
Wednesday, July 23, 2014 3:20 AM, Moderator
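The warnings in the question state the precedence rule Exchange applied: for a connector FQDN that several certificates match, the CA-signed one wins over a freshly created self-signed one. The script below is an added example, not code from the thread or from Microsoft, that applies that rule per connector so an admin can see which certificate each Send/Receive connector would actually present and which self-signed certificates are shadowed. It assumes the Exchange 2007 Management Shell cmdlets Get-ExchangeCertificate, Get-SendConnector and Get-ReceiveConnector with their standard properties; breaking ties by latest NotAfter is an assumption made for readability, not documented behaviour.

```powershell
# Added example for this thread (not from the original post or from Microsoft):
# for each Send/Receive connector FQDN, find the Exchange certificates whose
# CertificateDomains match it and show which one would be presented for TLS
# under the rule the warning states: a CA-signed certificate (IsSelfSigned =
# False) takes precedence over a self-signed one. Breaking ties by latest
# NotAfter is an assumption made here, not documented Exchange behaviour.
# Run in the Exchange 2007 Management Shell.

function Test-CertificateDomainMatch {
    param([string]$Fqdn, [string[]]$Domains)
    foreach ($domain in $Domains) {
        # -eq is case-insensitive, so PPLOEX2K7 and pploex2k7 match
        if ($domain -eq $Fqdn) { return $true }
        # wildcard entry such as *.mydomain.com
        if ($domain.StartsWith('*.') -and ($Fqdn -like $domain)) { return $true }
    }
    return $false
}

# Only certificates with a private key and the SMTP service can serve connector TLS
$smtpCerts = @(Get-ExchangeCertificate |
    Where-Object { $_.HasPrivateKey -and ("$($_.Services)" -match 'SMTP') })

$connectorFqdns = @(Get-SendConnector | ForEach-Object { "$($_.Fqdn)" }) +
                  @(Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }) |
    Where-Object { $_ -ne '' } | Sort-Object -Unique

foreach ($fqdn in $connectorFqdns) {
    $candidates = @($smtpCerts | Where-Object {
        $domains = @($_.CertificateDomains | ForEach-Object { "$_" })
        Test-CertificateDomainMatch -Fqdn $fqdn -Domains $domains
    })
    # Rank: CA-signed first ([int]$false sorts before [int]$true), then latest expiry
    $winner = $candidates |
        Sort-Object -Property @{Expression = { [int]$_.IsSelfSigned }},
                              @{Expression = { $_.NotAfter }; Descending = $true} |
        Select-Object -First 1
    # Self-signed certificates that match the FQDN but lose to a CA-signed one:
    # the situation the warning in the question reports
    $shadowed = @($candidates | Where-Object { $_.IsSelfSigned -and -not $winner.IsSelfSigned } |
        ForEach-Object { $_.Thumbprint })
    $row = New-Object PSObject
    $row | Add-Member NoteProperty ConnectorFqdn $fqdn
    $row | Add-Member NoteProperty PresentedThumbprint $(if ($winner) { $winner.Thumbprint } else { '(none)' })
    $row | Add-Member NoteProperty PresentedIsSelfSigned $(if ($winner) { $winner.IsSelfSigned } else { $null })
    $row | Add-Member NoteProperty PresentedExpires $(if ($winner) { $winner.NotAfter } else { $null })
    $row | Add-Member NoteProperty ShadowedSelfSigned ([string]::Join(', ', [string[]]$shadowed))
    $row
}
```

On the server in the question, the row for mail1.[mydomain.com] would show the CA-signed 1B67…5D4A certificate as presented and the new self-signed F835…759C certificate as shadowed, which is what the warning says; a row whose presented certificate expires soon is the one to renew at the CA.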