Exchange 2007 Self-Signed Certificate Removal

  • Question

  • Hi all.

    I've been pulling my hair out trying to get a self-signed certificate created that has the OWA address listed as an acceptable address.

    I created multiple different certificates over the last day or so and I've decided to get an SSL cert.

    How can I tell what certificates are in use and which I can delete?

    This all started when I tried to connect a Windows 7 phone that can't connect properly with Outlook.  It throws an error about the certificate.

    Any info would be appreciated.  Perhaps there is a command or tool I can use to see which of the many certificates I created are actually being used / accessed?

    Thanks!

    Thursday, September 22, 2011 7:23 PM

Answers

  • It should also be pointed out that the self signed certificates created by Exchange are not supported for use with ActiveSync.

    Why don't you just purchase a certificate? The required certificate type can be bought for US$60/year, and would cover OWA, POP, IMAP, SMTP, Outlook Anywhere and ActiveSync. Plus there will be nothing to install on the device each time the self signed certificate expires. Self signed certificates are a false economy for most people. I have instructions on my web site here:

    http://exchange.sembee.info/2007/install/multiplenamessl.asp

    Simon.

     


    Simon Butler, Exchange MVP
    • Marked as answer by NScheidel Tuesday, September 27, 2011 5:17 PM
    Tuesday, September 27, 2011 12:41 PM

All replies

  • Hello,

    Get-ExchangeCertificate | fl

    Greetings,

    Toni

    Friday, September 23, 2011 6:40 AM
  • Thanks!  Four different certs show up. 

    How can I tell which one is in use?  Can they all be in use at the same time?

    There are 4 certificates in the local computer certificates/personal/certificates folder.  Are these the same ones?

    I imported at least 2 of these into the trusted root certification authorities folder so they are in both locations.

    Would there be any harm in removing these?

    Friday, September 23, 2011 12:09 PM
  • Hello,

    The certificates with a value in the "Services" field (like SMTP, POP, IMAP or IIS) are in use for that service.

    Greetings,

    Toni

    Saturday, September 24, 2011 7:07 AM
  • 2 have the services IMAP, POP and SMTP

    1 has just IMAP and POP

    1 has IMAP, POP, IIS and SMTP.

    The one that has all 4 is probably the one I made just recently.

    Under "CertificateDomains" it shows exchangeserverA.domain.local, webmail.domain.com, exchangeserverA.

    For users to access our webmail they need to type the address https://webmail.domain.com/owa and I'm trying to get rid of any certificate errors/warnings that show up. Does this sound like it should do the trick or am I missing something?

    Monday, September 26, 2011 11:17 AM
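
Toni's rule above (a certificate with a value under "Services" is in use for that service), applied to the four certificates just described, as an added example that is not part of the original thread. `Get-CertUsage` and `New-SampleCert` are hypothetical helper names, and the sample objects, placeholder thumbprints and the domains of the first three certificates are constructed so the block runs without an Exchange server.

```powershell
# Added example; Get-CertUsage is a hypothetical helper, not an Exchange cmdlet.
# On a server, from the Exchange Management Shell:
#   Get-ExchangeCertificate | Get-CertUsage -OwaName webmail.domain.com
function Get-CertUsage {
    param(
        [Parameter(Mandatory = $true)] [string] $OwaName,
        [Parameter(ValueFromPipeline = $true)] $Certificate
    )
    process {
        # Services reads as text like "IMAP, POP, IIS, SMTP", or "None" when unassigned.
        $services = @("$($Certificate.Services)" -split '\s*,\s*' |
            Where-Object { $_ -and ($_ -ne 'None') })
        $domains = @($Certificate.CertificateDomains | ForEach-Object { "$_" })
        $hasIis  = $services -contains 'IIS'
        New-Object PSObject -Property @{
            Thumbprint  = $Certificate.Thumbprint
            Services    = $services -join ', '
            HasServices = $services.Count -gt 0
            # OWA is published through IIS, so only an IIS-enabled certificate serves it.
            ServesOwa   = $hasIis
            # Exact-name match only; wildcard names are not evaluated here.
            NameMatches = $hasIis -and ($domains -contains $OwaName)
            SelfSigned  = [bool]$Certificate.IsSelfSigned
        } | Select-Object Thumbprint, Services, HasServices, ServesOwa, NameMatches, SelfSigned
    }
}

# Constructed stand-in for one Get-ExchangeCertificate result (hypothetical helper).
function New-SampleCert($Thumbprint, $Services, $Domains) {
    New-Object PSObject -Property @{
        Thumbprint = $Thumbprint; Services = $Services
        CertificateDomains = $Domains; IsSelfSigned = $true
    }
}

# Constructed sample: the service sets are the ones listed in the thread.
$owaDomains = 'exchangeserverA.domain.local', 'webmail.domain.com', 'exchangeserverA'
$sample = @(
    (New-SampleCert 'PLACEHOLDER-1' 'IMAP, POP, SMTP' @('exchangeserverA')),
    (New-SampleCert 'PLACEHOLDER-2' 'IMAP, POP, SMTP' @('exchangeserverA')),
    (New-SampleCert 'PLACEHOLDER-3' 'IMAP, POP' @('exchangeserverA')),
    (New-SampleCert 'PLACEHOLDER-4' 'IMAP, POP, IIS, SMTP' $owaDomains)
)

$sample | Get-CertUsage -OwaName 'webmail.domain.com' | Format-Table -AutoSize
```

A name match only addresses the name-mismatch warning; a self-signed certificate still has to be trusted by each client, as the replies that follow point out.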
  • Hello,

     

    If it is a self-signed certificate, you need to install the root certificate and the enterprise certificate manually on the OWA clients. Otherwise you will receive the certificate not trusted warning.

     

    Thanks,

    Simon

    Tuesday, September 27, 2011 2:12 AM