Self-signed and third party certificates on Exchange 2010

  • Question

  • Hi,

    We have Exchange Server 2010 running on Windows Server 2008R2. There are 2 self-signed certificates (I guess created during the installation. The installation was done by other people) expiring on 29/06/15. There is another certificate from GoDaddy expiring on 27/08/15 and we are going to renew this one. We use Exchange for reminders/calendar, email communication using outlook and OWA.

    My question is: do we still need 2 self-signed certificates if we are going to renew the certificate from GoDaddy? Or in other words, would everything work fine as before if I remove the 2 self-signed certificates after the date of expiry and renew the third party certificate?

    Thank you.


    • Edited by ArtakZ Wednesday, June 10, 2015 3:51 AM
    Wednesday, June 10, 2015 3:46 AM

Answers

  • Here is a screenshot of how I renewed my self signed certificate.

    There are the commands I used

    Get-ExchangeCertificate
    Get-ExchangeCertificate -thumbprint "D18B16C10075CDE2B09BA575AF0C5BCD3D08B391" | New-ExchangeCertificate
    Remove-ExchangeCertificate -Thumbprint D18B16C10075CDE2B09BA575AF0C5BCD3D08B391

    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.



    Thursday, June 11, 2015 6:25 AM
  • Hi,

    I agree with Mas, please check services enabled on your certificates.

    Based on my knowledge, we also need to assign the IMAP, POP, IIS, and SMTP services to the third party certificate.

    Please run the below command to assign the services to the third party certificate:

    Enable-ExchangeCertificate -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXX'

    I have found some useful information on the below official article : https://technet.microsoft.com/en-us/library/bb851505%28EXCHG.80%29.aspx?f=255&MSPPError=-2147217396

    "we recommend that you use self-signed certificates only for the following internal scenarios: SMTP sessions between Hub Transport servers: A certificate is used only for encryption of the SMTP session. Authentication is provided by the Kerberos protocol".

    So I suggest you can maintain the self-signed certificate in case of unexpected issues.

    Then we can refer to the following article to renew the expired certificate: https://technet.microsoft.com/en-us/library/ee332322%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    David

    Thursday, June 11, 2015 10:04 AM
    Moderator

All replies

  • Hi Artakz,
    please check the services enabled on your certificates with the below command.

    Get-ExchangeCertificate

    You will get something similar to the below

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    49D53353A1FBDE31C34604A8EF52FC9BABA187C8  IP.WS.     CN=mail.domain.com,......
    D18B16C10075CDE2B09BA575AF0C5BCD3D08B391  ....S.     CN=EXCH

    If you can see only SMTP on the self-signed certificate (CN=EXCH), you can delete the expired certificate and enable the SMTP service on the valid certificate. If both self-signed certificates have expired, please renew one using the below command. Keep only one self-signed certificate.

    Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

    Enable the SMTP service using the below command
    Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services SMTP

    You will get the details using this command after renewing it.
    Get-ExchangeCertificate | ft Issuer,Services,Thumbprint,NotAfter

    Remove unwanted/expired certificates using the below command
    Remove-ExchangeCertificate -Thumbprint FD0FFA5B1F27E78550B0E44586



    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.



    • Edited by MAS- Wednesday, June 10, 2015 7:13 AM
    Wednesday, June 10, 2015 7:07 AM
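The renew-then-enable-then-remove sequence MAS describes, written as an added Exchange Management Shell script (not code from the thread). It inventories every certificate with its expiry, renews only self-signed certificates that still carry SMTP and expire within $DaysAhead days, moves SMTP to the new certificate and verifies that before removing the old one; $DaysAhead, $DryRun and the matching logic are my own assumptions, the cmdlets and properties (IsSelfSigned, Services, NotAfter) are Exchange's.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$DaysAhead = 30      # assumed threshold: renew anything expiring within 30 days
$DryRun    = $true   # assumed switch: $true only shows what would happen

# 1. Inventory: issuer, assigned services, expiry and days left for every certificate
$certs = Get-ExchangeCertificate
$certs |
    Select-Object Thumbprint, IsSelfSigned, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
        Subject |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 2. Candidates: self-signed, still serving SMTP, and expiring soon.
#    Services is a flags value; its string form reads like "IMAP, POP, IIS, SMTP".
$expiring = $certs | Where-Object {
    $_.IsSelfSigned -and
    ("$($_.Services)" -match 'SMTP') -and
    ($_.NotAfter -lt (Get-Date).AddDays($DaysAhead))
}

foreach ($old in $expiring) {
    Write-Host "Self-signed SMTP certificate $($old.Thumbprint) expires $($old.NotAfter)"
    if ($DryRun) {
        $old | New-ExchangeCertificate -WhatIf
        continue
    }

    # 3. Clone the certificate (same subject, new key and validity), as MAS does
    $new = $old | New-ExchangeCertificate

    # 4. Assign SMTP to the new certificate BEFORE removing the old one, so transport
    #    is never left without a certificate; -Force skips the overwrite prompt
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Force

    # 5. Verify SMTP really moved, and only then retire the old certificate
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ("$($check.Services)" -match 'SMTP') {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
        Write-Host "Replaced $($old.Thumbprint) with $($new.Thumbprint)"
    } else {
        Write-Warning "SMTP is not enabled on $($new.Thumbprint); leaving $($old.Thumbprint) in place"
    }
}
```

Leave $DryRun at $true for a first pass: step 1 alone answers the original question (which certificates carry which services and when they expire) without changing anything.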
  • Hi MAS,

    Thanks for your reply. The situation with the certificates on my server is as follows

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    A0D1D02A7C19FF22B883845CF1F70671061F0780  ......     CN=192.168.x.x
    FAF9F39BEAF6B1C6669961590A3E704295335E11  ...W..     CN=192.168.x.x
    F42735E6D9CB2A3E3B43CC68EEBF8221DBE13DAD  IP.WS.     CN=mail.xxxxxx, OU=Domain Control Validated
    15D340CE2AC212CB1CD8915106EE38DC80E98387  ......     CN=192.168.x.x
    52B7151AA056D5AB60B13EF1AA2FF5B3E3605699  ......     CN=WMSvc-ExchangeServer
    AF52ED5C51FA4996A5C62EC83D46E8FAE37409C8  ....S.     CN=ExchangeServer
    18BEC1116F226378F2970D64760C265CC2BDD7FF  ....S.     CN=ExchangeServer

    The 2 self-signed ones expire on 29/06 (the last 2 certificates). I am trying to understand what the reason is for keeping one self-signed certificate (as you advise above) if we have a third party one. Is it for being "on the safe side" or for "in case"?

    If we need to keep one of those, can I renew it before the expiry?

    Are the below steps correct to renew a self-signed certificate?

    Step 1. Run Get-ExchangeCertificate

    In my case I am getting

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    A0D1D02A7C19FF22B883845CF1F70671061F0780  ......     CN=192.168.x.x
    FAF9F39BEAF6B1C6669961590A3E704295335E11  ...W..     CN=192.168.x.x
    F42735E6D9CB2A3E3B43CC68EEBF8221DBE13DAD  IP.WS.     CN=mail.xxxxxx, OU=Domain Control Validated
    15D340CE2AC212CB1CD8915106EE38DC80E98387  ......     CN=192.168.x.x
    52B7151AA056D5AB60B13EF1AA2FF5B3E3605699  ......     CN=WMSvc-ExchangeServer
    AF52ED5C51FA4996A5C62EC83D46E8FAE37409C8  ....S.     CN=ExchangeServer
    18BEC1116F226378F2970D64760C265CC2BDD7FF  ....S.     CN=ExchangeServer

    Step 2. If I want to keep the last one I should run the command with the last thumbprint

    Get-ExchangeCertificate -thumbprint 18BEC1116F226378F2970D64760C265CC2BDD7FF | New-ExchangeCertificate

    Step 3. Enable the certificate for the same thumbprint

    Enable-ExchangeCertificate -thumbprint 18BEC1116F226378F2970D64760C265CC2BDD7FF -services SMTP

    Thank you!

    Thursday, June 11, 2015 6:03 AM

  • Thanks for your replies MAS and David!

    One more question.

    The self signed cert is assigned to SMTP and CN=ExchangeServer. When I browse in the local network using ExchangeServer/owa everything works fine and I do not have cert errors. The ExchangeServer's IP is 192.168.x.x and when I connect to 192.168.x.x/owa I get

    There is a problem with this website’s security certificate.
    The security certificate presented by this website was issued for a different website's address.

    I also noticed that there is one more certificate on my server with CN=192.168.x.x with no services assigned to it.

    A question: can I assign the SMTP service to the free certificate so that users could connect to Exchange from the local network using either ExchangeServer/owa or 192.168.x.x/owa without certificate errors? If yes, would it cause any additional issue?

    Note: all links begin with https : // (without spaces)


    Thank you.

    Friday, June 12, 2015 11:05 AM
  • No, you cannot access OWA by internal FQDN or by IP without certificate warnings.
    Internal FQDNs are no longer allowed in certificates. In the near future all CAs will stop adding internal FQDNs to certificates.

    You can access it only by the names added in the certificate, i.e. https://mail.externaldomain.com/owa, without certificate warnings.


    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Sunday, June 14, 2015 11:15 AM