When / How to remove the self signed certificate

    Question

  • Hello

     

    By default the self-signed SSL certificate is installed. I bought a public cert from GoDaddy. Is it OK to remove the old certificate? I think so. Do I have to assign all services (the self-signed one holds IMAP, POP, SMTP) to the new certificate? I have no plan to use these with a certificate, I just need SSL for OWA.


    Thanks for your help

    Norbert

    Wednesday, November 05, 2008 2:41 PM

Answers

  • Yes Norbert, CAS doesn’t communicate on SMTP service so you can skip certificate assignment on it.

     

    If IMAP & POP3 are not in use, then you can leave the self-signed certificate on them or assign the new certificate, but if you remove all certificates then I have a doubt that it gives a warning/error in the event log.

     

    For usage of certificates in CAS, like Autodiscover & Client Access Application, you can refer to the article below for details and procedure.

    Certificate Use in Exchange Server 2007

    http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

    Thursday, November 06, 2008 9:28 AM

All replies

  • Hi Norbert,

     

    It would be better to assign a SAN certificate for all features (services) of Exchange, since self-signed is not as secure as third party. You need to renew a self-signed certificate every year whenever it expires.

     

    Once you install/enable the SAN certificate, you can run the command below to remove the old self-signed certificate.

     

    Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

     

    References:

    Remove-ExchangeCertificate

    http://technet.microsoft.com/en-us/library/aa997569(EXCHG.80).aspx

    Certificate Use in Exchange Server 2007

    http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

    How to Configure Outlook Web Access Virtual Directories to Use SSL

    http://technet.microsoft.com/en-us/library/bb123583(EXCHG.80).aspx

    Wednesday, November 05, 2008 3:20 PM
  • Hi Amit

     

    Well, I use a SAN certificate from GoDaddy. Until now, I have only assigned the IIS service to the new certificate. Because the internal has the services, I was asking if it is OK to remove the old (self-signed) one without assigning the services to another SSL certificate. IMAP and POP are not used. I'm not sure if SMTP needs the cert...

     

    Thanks
    Norbert

    Wednesday, November 05, 2008 4:52 PM
  • Hello Amit


    If I leave the self-signed certificate for SMTP, IMAP and POP there will be a "problem" (warnings in the event log) in 1 year - or I have to renew the self-signed certificate... Will it be OK to assign a bought Thawte wildcard certificate for all services?

     

    Thanks

    Norbert

    Thursday, November 06, 2008 5:04 PM
  • Hi Norbert,

     

    You will get warnings in the event log when it is going to expire.

     

    SAN is better compared to a wildcard certificate; check the blog entry below from Jim...

    http://mostlyexchange.blogspot.com/2008/09/exchange-server-2007-and-wild-card.html

    Thursday, November 06, 2008 5:31 PM
  • Hello


    OK, thanks for the input. I found a wildcard cert which can also include Alternative Names. The issue should not come up with WM 5 and OAnywhere. Hopefully ;-)

     

    Norbert
    Thursday, November 06, 2008 8:22 PM
  • Hi Norbert,


    You can enable SMTP on the certificate that is just assigned.

    Use the command below.
    Get-ExchangeCertificate -DomainName "webmailurl" | Enable-ExchangeCertificate -Services IIS,SMTP

    Regards,
    Ashwin

    Sunday, December 09, 2012 2:06 AM
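
An added example, not written by any poster in this thread: a check for the Exchange Management Shell that lists which services each certificate holds and previews removal of a self-signed certificate only when every service on it is also held by a valid third-party certificate. It uses Get-ExchangeCertificate and Remove-ExchangeCertificate with -WhatIf, so nothing is deleted; the helper name Get-ServiceNames and the variable names are made up for this example.

```powershell
# Added example. Run in the Exchange Management Shell on the server
# that holds the certificates. Nothing here deletes a certificate.

$now   = Get-Date
$certs = @(Get-ExchangeCertificate)

# Hypothetical helper: turn the Services value (e.g. "IMAP, POP, IIS, SMTP")
# into a list of service names, dropping "None".
function Get-ServiceNames($cert) {
    $cert.Services.ToString().Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and $_ -ne 'None' }
}

# Inventory: what each certificate is, when it expires, what it is assigned to.
$certs | Format-List Thumbprint, Subject, IsSelfSigned, NotAfter, Services, CertificateDomains

# Services already held by a certificate that is not self-signed and not expired.
$covered = @()
foreach ($c in $certs) {
    if (-not $c.IsSelfSigned -and $c.NotAfter -gt $now) {
        $covered += @(Get-ServiceNames $c)
    }
}

# For each self-signed certificate, report services that no other certificate holds.
foreach ($c in $certs) {
    if (-not $c.IsSelfSigned) { continue }
    $orphaned = @(Get-ServiceNames $c | Where-Object { $covered -notcontains $_ })
    if ($orphaned.Count -eq 0) {
        Write-Host "$($c.Thumbprint): every service is held by another certificate; previewing removal"
        # -WhatIf only shows what would be removed.
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -WhatIf
    } else {
        $names = [string]::Join(', ', $orphaned)
        Write-Host "$($c.Thumbprint): the only certificate assigned to $names"
    }
}
```

A self-signed certificate reported as the only one assigned to a service is the case discussed in the thread: removing it would leave that service with no certificate at all.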