renew root certificate

  • Question

  • Hi all, 

    My self-signed root cert is expiring. I would like to ask if I renew this certificate at my CA server, will it affect my Exchange 2007 , especially mail flow? If so, how do I renew it without affecting? 

    I will most likely be renewing it without generating a new key. 

    I would appreciate any suggestions.
    Thursday, April 24, 2014 6:46 AM

Answers

All replies

  • In my experience, I've found that adding a new CA cert, then adding it to your trusted cert store and replacing your existing Exchange certs works better than attempting to renew the existing cert.  You leave the current root cert in your trusted certs until you've replaced the Exchange certs that come from the new cert.  The key isn't the stopping point - it's the thumbprint.  Your new cert will definitely have a new thumbprint, regardless of the private key.

    However, for full details of what you need to do to renew your root cert, check the following Microsoft TechNet articles: 

    Thursday, April 24, 2014 3:51 PM
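    Willard's point that a renewed root carries a new thumbprint even when the private key is reused, worked through with OpenSSL as an added example (this is not code from the thread; the "Example Root CA" name, host name and file names are constructed). It also shows why reusing the key matters for the phased approach: a leaf issued under the old root still verifies against the same-key renewal but not against a re-keyed root, while clients still need the renewed root cert in their trusted store because its thumbprint and validity period have changed.

```shell
#!/bin/sh
# Added example, not from the thread: renew a self-signed root with the SAME
# key and compare it with the old root and with a re-keyed root.
# Assumes openssl (1.1.1 or later) is on PATH; all names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal CA config so the run does not depend on a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Original root (short validity, like the expiring one) and a leaf it issued.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -config ca.cnf \
  -days 1 -out root-old.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout mail.key -config ca.cnf \
  -subj "/CN=mail.example.local" -out mail.csr 2>/dev/null
openssl x509 -req -in mail.csr -CA root-old.pem -CAkey root.key \
  -CAcreateserial -days 1 -out mail.pem 2>/dev/null

# 2. Renewed root: same key, same subject, new serial and validity period.
openssl req -x509 -new -key root.key -config ca.cnf -days 3650 \
  -out root-new.pem 2>/dev/null
# 3. For contrast, a root with the same name but a brand-new key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rekeyed.key -config ca.cnf \
  -days 3650 -out root-rekeyed.pem 2>/dev/null

# SHA-1 thumbprint: hash of the whole DER cert, so any renewal changes it.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2; }
# Subject Key Identifier: derived from the public key, so it survives renewal.
ski() { openssl x509 -in "$1" -noout -ext subjectKeyIdentifier | tail -n 1 | tr -d ' '; }
# Does the leaf chain to the given root? Prints yes or no.
verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no; }

echo "old root thumbprint:     $(fingerprint root-old.pem)"
echo "renewed root thumbprint: $(fingerprint root-new.pem)"
echo "SKI old/renewed: $(ski root-old.pem) / $(ski root-new.pem)"
echo "leaf verifies with renewed root:  $(verifies mail.pem root-new.pem)"
echo "leaf verifies with re-keyed root: $(verifies mail.pem root-rekeyed.pem)"
```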
  • Thanks Willard for replying. I would like to do that but it is the sheer number of PCs and notebooks I would need to upgrade ( >2k ) and I am the only one. So far, touchwood, the cert is not compromised so I was trying to think of a way to minimise the disruption. Also some of my users are frequent travellers. Getting them to hand over their system is like taking their limbs away.
    Friday, April 25, 2014 1:09 AM
  • Regardless of how you replace your root cert, you are going to need to replace all certificates that it generated.  So your issue is a CA issue, not an Exchange issue.  Leaving the original root certificate available and creating a new one allows you to phase this over time.

    You may wish to move this thread to the Windows Security forum, http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity, for better guidance.

    Friday, April 25, 2014 11:56 AM
  • Hi,

    Based on my experience, a new self-signed certificate should be trusted by all clients. Thus, there will be a security alert when clients try to use the new certificate. To deploy the certificate to all clients, we can depend on group policy:
    http://unixwiz.net/techtips/deploy-webcert-gp.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    However, I recommend you confirm it on our Windows Server forum, as suggested above.

    To renew a self-signed certificate, you can refer to the following article:
    http://www.ncol.net/how-to-renew-a-self-signed-certificate-in-exchange-server-2007/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    If you have any questions, please feel free to let me know.
    Thanks,


    Angela Shi
    TechNet Community Support

    Monday, April 28, 2014 7:56 AM
    Moderator
  • Thank you Angela for the reply. I have renewed my Exchange certificate; it is the root certificate that I need to do. If I were to renew the existing root cert, extending the expiry date, will all my clients connecting to the CA automatically be updated, or do I need to create a cert and install it on every PC connecting on my office LAN?

    Thanks again for the reply. Please do not stop the other suggestions from coming. I am grateful for all helpful advice I could get.

    Monday, April 28, 2014 9:42 AM