How do I Renew a Self-Signed SAN Certificate for More Than One Year

  • Question

  • I have Exchange 2007 SP1 Rollup Pack 7 (Version: 08.01.0359.002) on a physical Server 2003 Standard x64 SP2 system. I want to renew a self-signed SAN certificate that is assigned to the IIS default web site on the Exchange box for at least 3 or 4 years.

    If I go into the Properties of the Default Web Site, click on Directory Security and then on Server Certificate, I can start the renewal wizard. When I complete that, I end up with a certificate that has a validity period of only 2 years, rather than the 3-4 years I was hoping for. Also, the Subject Alternative Name (SAN) data, which is visible in the existing certificate, is dropped from the renewed certificate.

    The IIS wizard uses a certificate template when renewing the certificate. The validity period and the SAN data for the template can be modified by users with sufficient permissions. My account is a member of the Enterprise Admins group, and even if that group is given Full Control of the Web Server certificate template, I do not end up with sufficient permissions to modify the properties of the certificate template.

    If I use the following command in the Exchange Management Shell, I end up with a certificate that retains the SAN data, but is valid for only one year.

    Get-ExchangeCertificate -Thumbprint <alphanumericthumbprint> | New-ExchangeCertificate

    I was hoping to use SELFSSL from the IIS Resource Kit to resolve these issues. It solves the validity period issue, but it does not solve the SAN problem.

    What do I need to do to renew my self-signed SAN certificate so that the renewed certificate will not expire for at least 3 years?

    Friday, April 9, 2010 11:01 PM

Answers

  • Starting with Exchange 2007 SP2, the self-signed certificate is valid for 5 years (use Exchange PowerShell):

    http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx

    Understanding the Self-Signed Certificate in Exchange 2007

    Sunday, April 11, 2010 3:38 PM
  • Hi,

    Before Exchange Server 2007 SP2, the self-signed certificate will not expire in one year.

    If we have SP2 patched, the self-signed certificate can be used for 5 years. We can use Get-ExchangeCertificate -Thumbprint <alphanumericthumbprint> | New-ExchangeCertificate to renew the certificate.

    Regards,

    Xiu

    Wednesday, April 14, 2010 7:52 AM
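To make the renewal described in the answers above concrete, here is an added Exchange Management Shell example. It is not code from this thread or from Microsoft; it wraps the Get-ExchangeCertificate | New-ExchangeCertificate pipeline the answers give with the checks a practitioner would want before trusting the result. It assumes that the certificate to renew is the self-signed one currently enabled for IIS, that a 3-year minimum is the requirement, and that the host names in the commented-out last step are placeholders; how long the renewed certificate is valid depends on the service pack level, as the answers state (1 year before SP2, 5 years from SP2).

```powershell
# Added example (not from the original thread): renew the Exchange 2007
# self-signed SAN certificate from the Exchange Management Shell and verify
# the result before binding it. Assumptions (not stated in the thread):
# the certificate to renew is the self-signed one enabled for IIS, the
# minimum validity wanted is 3 years, and the host names in step 5 are
# placeholders.

# 1. Locate the current self-signed certificate bound to IIS and record
#    what is about to be replaced: thumbprint, SAN list and expiry.
$old = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ($_.Services -match 'IIS') }

if (-not $old) { throw 'No self-signed certificate is enabled for IIS.' }
if (@($old).Count -gt 1) { throw 'More than one match; pass -Thumbprint explicitly.' }

$oldSans = @($old.CertificateDomains | ForEach-Object { $_.ToString() } | Sort-Object)
Write-Host ("Old: {0}  expires {1:u}" -f $old.Thumbprint, $old.NotAfter)
Write-Host ("Old SANs: {0}" -f ($oldSans -join ', '))

# 2. Renew. Piping the existing certificate into New-ExchangeCertificate
#    (the command from the thread) clones its subject and SAN list, which
#    is what the IIS renewal wizard loses. A new key pair is generated.
$new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate

# 3. Verify: the SAN set must be unchanged and the expiry must meet the
#    requirement. A 1-year result means the server is still pre-SP2.
$newSans = @($new.CertificateDomains | ForEach-Object { $_.ToString() } | Sort-Object)
if (Compare-Object $oldSans $newSans) {
    throw 'Renewed certificate does not carry the same SAN list as the old one.'
}

$minYears = 3
if ($new.NotAfter -lt (Get-Date).AddYears($minYears)) {
    Write-Warning ("Renewed certificate expires {0:u}, less than {1} years away." -f $new.NotAfter, $minYears)
}

Write-Host ("New: {0}  expires {1:u}" -f $new.Thumbprint, $new.NotAfter)

# 4. Bind the renewed certificate to IIS (OWA, EWS, Autodiscover). Until
#    this runs, the old certificate is still the one presented to clients.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# 5. If the SAN list itself needs to change rather than be copied, create
#    the certificate explicitly instead of cloning. Host names are
#    placeholders, not values from the thread.
# New-ExchangeCertificate -SubjectName 'cn=mail.example.com' `
#     -DomainName mail.example.com, autodiscover.example.com, exch01 `
#     -PrivateKeyExportable $true -Services IIS
```

Because New-ExchangeCertificate generates a new key pair, the renewed certificate has a new thumbprint: any client or device that trusted the old self-signed certificate by importing it into its trusted root store has to repeat that import, and it remains untrusted everywhere else until that is done. Keep the old certificate in the store until the new binding has been confirmed in a browser against the OWA URL, then remove it with Remove-ExchangeCertificate.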

All replies

  • So the ONLY way to reach my objective is to install Exchange 2007 SP2, and use the Exchange PowerShell to renew the certificate? If so, would the syntax for the PowerShell command still be as follows?

    Get-ExchangeCertificate -Thumbprint <alphanumericthumbprint> | New-ExchangeCertificate

    My organisation has not tested SP2, and is apprehensive about deploying it without testing, so if there are other methods of achieving what I need to achieve, please elaborate on them.

    Monday, April 12, 2010 2:46 PM
  • Follow the step-by-step process outlined here:

    Renew Exchange Expired Certificate

    I hope it helps someone

    Tuesday, June 19, 2012 1:32 PM