Exchange 2007 Self-Signed Certificate Renewal Trust & Command syntax

  • Question

  • We are running Exchange 2007 with a Self-Signed Certificate securing IMAP, POP, and SMTP.  We have a 3rd party CA for IIS

    Our Certs are set to expire on our CAS/Hub Server so I ran the following commands on each of my two CAS\HUBS:

    Get-ExchangeCertificate |FL

    Get-ExchangeCertificate -Thumbprint "Thumbpprint" | New-ExchangeCertificate

    Ran all my tests - OWA, Outlook, Citrix Outlook, Smartphones etc and all looked OK

    I did notice in IIS that the Cert indicated not trusted but things were working.

    I left the old cert in place

    This morning one user complained when they opened Outlook that they got a cert error that it was not trusted.  Another Admin in our company informed me the previous admin (I have been here 6 months) dealt with this by exporting the Cert and importing it into AD.  Well, I found the old cert in AD.  As the current cert is non-exportable a web search brought me to:  http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates.html

    So now going to redo the cert

    My question is on the actual syntax as I'm seeing it used slight differently from different posters.

    Is this correct as shown below: Not sure if PrivateKeyExportable is with :$True or as PrivateKeyExportable $true and if it is before or after the |

    Get-ExchangeCertificate |FL

    Get-ExchangeCertificate -Thumbprint Thumbprint | New-ExchangeCertificate PrivateKeyExportable:$true

    Get-ExchangeCertificate | fl Thumbprint.IsSelfSigned.Services

    $pwd = Read-Host "Enter password" -AsSecureString
    Enter Password: Corporate password

    Export-ExchangeCertificate -Thumbprint NewThumbprint -Password $pwd -Path c:\SelfSignedExport.pfx

    Then the rest is an Active Directory process per provided link.

    Friday, May 11, 2012 4:31 PM


  • Hello,

    The command should be OK. Since it is an internal self-signed certificate, you may directly re-create a new certificate and enable it on the services.



    Monday, May 14, 2012 2:27 AM

All replies

  • Also, when I run the command Get-ExchangeCertificate | fl Thumbprint.IsSelfSigned.Services no value is returned just a block of blank screen and the command prompt.

    Is this because my first set of commands did not make the certificate exportable?  I also just noted I didn't enable the certificate.  When I run | fl it shows the certificate value True for self-signed.

    Note:  Thumbprint in above command is as is I didn't enter the actual thumbprint.

    So, back to it: would this be the proper command sequence:

    Get-ExchangeCertificate |FL

    Get-ExchangeCertificate -Thumbprint ThumbprintCode | New-ExchangeCertificate PrivateKeyExportable:$true (or is it -PrivateKeyExportable $true)

    Get-ExchangeCertificate | fl Thumbprint,IsSelfSigned,Services

    NOTE: I'm getting back a list of certs including the SSL 3rd party cert.  How do I get the next line to only assign password to cert I want to work with?

    $pwd = Read-Host "Enter password" -AsSecureString
    Enter Password: Corporate password

    Export-ExchangeCertificate -Thumbprint ThumbprintCode -Password $pwd -Path c:\SelfSignedExport.pfx

    Enable-exchangecertificate ThumbprintCode  (do I need to add anything for IMAP, POP, SMTP or will it realize it due to having another cert for IIS?)

    Friday, May 11, 2012 5:08 PM
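The renewal sequence that the first two posts above are asking about, written out as an added example (this is not code from the thread or from Microsoft's documentation). It assumes the Exchange 2007 SP1 Management Shell on a CAS/Hub server, that the certificate to renew is the only self-signed one bound to IMAP, and that the parameter names are as documented for that version; the `Where-Object` filter is the answer to "how do I pick only the cert I want" and the `-Services` value is what binds the clone to IMAP/POP/SMTP while leaving IIS on the third-party cert.

```powershell
# Added example (not from the thread): renew a self-signed Exchange 2007 certificate
# by cloning it, binding the clone to IMAP/POP/SMTP, and exporting it for AD publishing.
# Assumption: run in the Exchange Management Shell on each CAS/Hub server.

# 1. Find the current self-signed certificate that serves IMAP (not the 3rd-party IIS cert).
$old = Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned -and ($_.Services -match "IMAP") }
if (@($old).Count -ne 1) {
    throw "Expected exactly one self-signed IMAP certificate, found $(@($old).Count)"
}

# 2. Clone it with an exportable private key. PrivateKeyExportable is a switch parameter,
#    so it takes the value with a colon; the parameter name always goes AFTER the pipe,
#    on the New-ExchangeCertificate side.
$new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint |
    New-ExchangeCertificate -PrivateKeyExportable:$true

# 3. Review the result before touching any bindings (properties are comma-separated).
Get-ExchangeCertificate | Format-List Thumbprint, IsSelfSigned, Services, NotAfter

# 4. Bind the new certificate only to the services the old one served; IIS stays on
#    the third-party certificate because it is not listed here.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IMAP, POP, SMTP"

# 5. Export the new certificate with its private key for publishing through AD/GPO.
#    Export-ExchangeCertificate takes the secure string via -Password, not -enterpassword.
$pwd = Read-Host "Enter PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $new.Thumbprint -BinaryEncoded:$true `
    -Password $pwd -Path "C:\SelfSignedExport.pfx"

# 6. After clients have been verified against the new certificate, remove the old one
#    so nothing can fall back to it (left commented out deliberately).
# Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
```

Note that the PFX on disk now carries the private key; treat it like any credential file, restrict its ACL and delete it once the certificate has been imported into the Trusted Root GPO.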
  • I would do it exactly as shown here in Step 1:


    Otherwise, you can get a 3rd party (trusted everywhere) SAN cert here for $30 to $60:


    Apparently users never read email out of the office on a computer that is not a domain member?

    If not, and if you don't use or need EWS or OA, then I suppose that's your business.

    Publishing the cert in AD will not resolve the problem externally, only internally (for domain members).

    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, May 11, 2012 7:36 PM
  • The problem is in this tutorial it shows how to create a new certificate and we are renewing our old certificate.  I need to know if the process I document utilizing a renewal of the certificate is correct including how I'm using the syntax.

    As per our design policy we are going this route and it has worked for us for 3 years.  The previous admin didn't document how he did this so I need to make sure as I'm not an Exchange admin.
    Friday, May 11, 2012 8:38 PM
  • Any replies I need to implement tomorrow night?
    Sunday, May 13, 2012 3:10 PM
    Whether you renew, or issue a new one, practically it doesn't matter. Sure, you will get a new thumbprint with the new cert which you will have to re-bind your services, IMAP, POP, SMTP, IIS to use. Now the main question is why are you using self-signed certs? You will be shooting yourself in the foot when trying to use self-signed certs, just purchase the SAN certificate from a third party CA. If you go with using the self-signed cert then yes you will have to publish it in AD using GPO so that it's published in all your domain users' computer\root CA store. Now this will only help with domain joined computers. I would really recommend you purchase the cert from a trusted CA.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Sunday, May 13, 2012 11:00 PM
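The reply above points out that publishing the certificate through GPO only helps domain-joined computers that actually received it into their root store. The following is an added example (not from the thread) of how to verify that on a workstation after the GPO has applied; it assumes the thumbprint of the new certificate is pasted into the placeholder `$expected` variable and that the internal server name used in the placeholder `$subjectHint` matches the certificate's subject.

```powershell
# Added example (not from the thread): on a domain-joined client, confirm the new
# self-signed Exchange certificate has arrived in LocalMachine\Root via GPO and is
# current, and flag any expired copy of the old one that is still trusted.
# Assumptions: $expected and $subjectHint are placeholders to be filled in.
$expected    = "NEW-CERT-THUMBPRINT-PLACEHOLDER"
$subjectHint = "<internal server name>"

# Normalise the thumbprint the way the certificate provider stores it (no spaces, upper case).
$expected = ($expected -replace "\s", "").ToUpper()

$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected }

if (-not $root) {
    Write-Warning "Certificate $expected is not in LocalMachine\Root; run gpupdate /force and re-check"
} elseif ($root.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate is present but expired on $($root.NotAfter)"
} else {
    Write-Output "Trusted root present; valid until $($root.NotAfter)"
}

# A stale, expired copy of the previous certificate left in the root store is harmless
# for validation but worth cleaning up so it is not confused with the live one.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$subjectHint*" -and $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Write-Warning "Expired entry still trusted: $($_.Thumbprint) ($($_.Subject))" }
```

Run it as an administrator on a couple of representative clients; a missing thumbprint after `gpupdate /force` usually means the GPO is scoped to the wrong OU or the certificate was imported into the wrong store in the policy.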
    James and LePivert - I understand this very well but we don't have any non-domain systems accessing our E-Mail.  Our IIS, OWA, and ActiveSync are already secured by a third party cert that was set up before I took over.  All I'm tasked with is renewing our internal cert.  So I ask again: could someone please just verify the command lines I have listed.
    Monday, May 14, 2012 1:54 AM