Two Exchange 2007 servers, moving the self assigned Exchange certificate to other server.

  • Question

  • Afternoon all!

    I'm not a guru with Exchange so need some assistance. I have a scenario in which I have a client with two Exchange servers on the same domain. One of them (server 1) is holding the self assigned Exchange certificate that is due to expire, but I would like to get this working from the other server (server 2).

    At the moment "server 1" is an old server I wish to eventually decommission, so with this in mind I would like to move the Exchange self assigned certificate to "server 2", which I'm keeping.

    Both are Exchange 2007 (server 1 is Version 8.1 Build 240.6 and server 2 is Version 8.3 Build 83.6)

    Can I just export the certificate from Server 1 then import into server 2? Then when the clients authenticate it will flag up with "server 2" on the security certificate?

    Any information would be grand.

    Wednesday, September 7, 2016 3:52 PM

All replies

  • Hi

    You can create a new certificate if self signed by your PKI environment as you mentioned the old one is expiring. What SAN names are on the cert?


    Microsoft PFE

    Wednesday, September 7, 2016 4:55 PM
  • Hi,

    As the certificate in server 1 is due to expire, I suggest you create a new cert request for exchange server.

    I recommend you use a trusted third party cert instead of self-signed cert.

    You can refer to the following link to request the cert:

    https://technet.microsoft.com/en-us/library/bb310781(v=exchg.80).aspx

    Then use Import-ExchangeCertificate and Export-ExchangeCertificate to import or export the cert:

    https://technet.microsoft.com/en-us/library/bb310778(v=exchg.80).aspx

    https://technet.microsoft.com/en-us/library/bb124424(v=exchg.80).aspx

    Regards,



    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 8, 2016 2:20 AM
    Moderator
  • Afternoon,

    Thanks for the reply. I have run Get-ExchangeCertificate | FL and can't see any information regarding the SANs. On server 2 it only has a few certificates which have been assigned by itself (issuer = Server 2) for specific services such as IMAP & POP & SMTP. The certificate on Server 1 currently holds all of the services IMAP, POP, IIS, SMTP, UM (not required; server 2 does not have this installed and it's not required) and has been assigned again by itself.

    Can I generate a new certificate on Server 2 and then assign the services to this, so when clients connect they connect via Server 1 and don't see any certificates from Server 2?

    At the moment I did ask about purchase of a 3rd party certificate but think they want a self assigned certificate for now and will look at that in the future.

    Regards

    Mike

    Thursday, September 8, 2016 12:53 PM
  • Thanks for the reply

    I have spoken to the client and they are looking at doing this in the future; for now they want it running on self assigned. As stated above, can I just run the new certificate CMD on server 2, which will then override the expiring certificate on server 1? They are both on the same domain and same subnet, just need clients to authenticate with server 2 rather than server 1.

    Regards

    Mike

    Thursday, September 8, 2016 12:55 PM
  • Hi,

    I suggest you refer to the link below to create a self-signed cert:

    https://social.technet.microsoft.com/wiki/contents/articles/13916.how-to-use-a-self-signed-certificate-in-exchange-2010.aspx

    Then you can use the following command to assign the related services:

    Enable-ExchangeCertificate -Thumbprint <enter thumbprint here> -Services "SMTP, IIS"

    Regards,




    Friday, September 9, 2016 2:02 AM
    Moderator
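
The steps discussed in this thread, as an added example that is not part of any poster's reply: inspecting the certificates on Server 2 (the SAN list is the `CertificateDomains` property), creating a new self-signed certificate there, and enabling it for the services named above. All host names are placeholders and are assumptions, not values from the thread.

```powershell
# Added example; run in the Exchange Management Shell on Server 2.
# Host names below are placeholders (assumptions), not values from this thread.

# 1. Inventory. The names a certificate covers (subject plus SANs) are
#    listed in CertificateDomains; NotAfter is the expiry date.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# Certificates that expire within the next 30 days.
$soon = (Get-Date).AddDays(30)
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt $soon } |
    Format-Table Thumbprint, Services, NotAfter -AutoSize

# 2. Create a new self-signed certificate on Server 2. Without
#    -GenerateRequest the cmdlet issues a self-signed certificate.
#    -DomainName must list every name clients use to reach this server.
$names = 'mail.example.com',          # placeholder: external client name
         'autodiscover.example.com',  # placeholder: Autodiscover name
         'server2.example.local',     # placeholder: internal FQDN
         'server2'                    # placeholder: NetBIOS name
$new = New-ExchangeCertificate `
    -SubjectName 'CN=mail.example.com' `
    -DomainName $names `
    -FriendlyName 'Server2 self-signed' `
    -PrivateKeyExportable $true

# 3. Check the result before binding it to any service.
$new | Format-List Thumbprint, CertificateDomains, IsSelfSigned, NotAfter

# 4. Bind the new certificate to the services Server 2 will take over.
#    UM is left out because it is not installed on Server 2.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'SMTP, IIS, IMAP, POP'

# 5. Confirm the service bindings moved to the new thumbprint.
Get-ExchangeCertificate |
    Format-Table Thumbprint, Services, NotAfter -AutoSize
```

Clients do not trust a self-signed certificate until it is added to their Trusted Root store, so certificate warnings continue until that is done or a certificate from a trusted CA replaces it.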
  • Hi,

    How about the issue? Are above replies helpful to you?

    If the issue is resolved, please mark some helpful replies as answers, that will encourage people to take time out to help you. 

    Thanks,



    Friday, September 16, 2016 9:38 AM
    Moderator