Exchange Certificates - Doubts
  • Exchange Certificates - Doubts

    Hi All,

    I'm a little mixed up with a few things that have just popped up and was wondering if anyone could help me out...

    I've just started working with a new client. I've just verified that there are a whole bunch of certificates that are about to expire; the scenario includes Exchange and ISA 2006. I'm new to all this!

    1) Warnings are popping up on my Edge server, mentioning that the Edge server's certificate and the MX record certificate are about to expire, as shown below:



    Event Type: Warning
    Event Source: MSExchangeTransport
    Event Category: TransportService
    Event ID: 12018
    Date: 3/22/2010
    Time: 8:51:16 AM
    User: N/A
    Computer: EdgeServer
    Description:
    The STARTTLS certificate will expire soon: subject: amop.smtp.domain.com, hours remaining: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Run the New-ExchangeCertificate cmdlet to create a new certificate.



    Event Type: Warning
    Event Source: MSExchangeTransport
    Event Category: TransportService
    Event ID: 12018
    Date: 3/22/2010
    Time: 8:48:07 AM
    User: N/A
    Computer: EdgeServer
    Description:
    The STARTTLS certificate will expire soon: subject: edgeserver.domain.internal, hours remaining: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Run the New-ExchangeCertificate cmdlet to create a new certificate.



    Event Type: Warning
    Event Source: MSExchangeTransport
    Event Category: TransportService
    Event ID: 12018
    Date: 3/22/2010
    Time: 8:36:11 AM
    User: N/A
    Computer: EdgeServer
    Description:
    The STARTTLS certificate will expire soon: subject: amop.domain.com, hours remaining: XXXXXXXXXXXXXXXXXXXXXXXXXXX. Run the New-ExchangeCertificate cmdlet to create a new certificate.

    Is this something I can just renew on the CA server, and then apply it on the Edge Server?



    2) On my Exchange Server, I looked up the certificates to verify their expiry dates and realized that they are about to expire very soon as well:

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {smtp.domain.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=servername, DC=domain, DC=internal
    NotAfter : 5/14/2010 2:29:49 AM
    NotBefore : 5/14/2008 2:29:49 AM
    PublicKeySize : 2048
    RootCAType : Enterprise
    SerialNumber : XXXXXXXXXXXXXXXXXXXXX
    Services : SMTP
    Status : Valid
    Subject : CN=smtp.domain.com, OU=x Group, O=x Group, L=space, S=xx, C=SA
    Thumbprint : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXX

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {imap.domain.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=Server, DC=domain, DC=internal
    NotAfter : 5/13/2010 9:02:49 AM
    NotBefore : 5/13/2008 9:02:49 AM
    PublicKeySize : 2048
    RootCAType : Enterprise
    SerialNumber : XXXXXXXXXXXXXXXXXXXXX
    Services : IMAP
    Status : Valid
    Subject : CN=imap.domain.com, OU=x Group, O=x Group, L=space, S=xx, C=SA
    Thumbprint : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXX

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {pop3.domain.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=servername, DC=domain, DC=internal
    NotAfter : 5/13/2010 9:00:26 AM
    NotBefore : 5/13/2008 9:00:26 AM
    PublicKeySize : 2048
    RootCAType : Enterprise
    SerialNumber : 7FFBA0F3000000000031
    Services : POP
    Status : Valid
    Subject : CN=pop3.domain.com, OU=x Group, O=x Group, L=space, S=xx, C=SA
    Thumbprint : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXX

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mailserver.domain.internal, mailserver, mail.domain.com, rpc.domain.com, autodiscover.domain.com, exchange.domain.com, smtp.domain.com, imap.domain.com, pop3.domain.com, autodiscover.x.com, autodiscover.e.com, autodiscover.z.com, autodiscover.a.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=servername, DC=domain, DC=internal
    NotAfter : 5/12/2010 7:47:17 AM
    NotBefore : 5/12/2008 7:47:17 AM
    PublicKeySize : 2048
    RootCAType : Enterprise
    SerialNumber : XXXXXXXXXXXXXXXXXXXXX
    Services : IMAP, POP, UM, IIS, SMTP
    Status : Valid
    Subject : CN=mailserver.domain.internal, OU=x Group, O=x Group, L=space, S=xx, C=SA
    Thumbprint : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXX


    I'm really confused by this, because I see there is a certificate for POP3, SMTP and IMAP, and then a fourth certificate that includes the 3 protocols plus UM/IIS, Autodiscover, OWA, etc.

    • Will I need to renew each one, or can I just run everything with one certificate?
    • Once the renewal is done and applied to IIS for OWA, UM, Outlook Anywhere and ActiveSync, do I just apply the same certificate to the ISA?


    Any advice would be great,
    Thanks in advance!!
    Last edited by marrkechly; 23rd March 2010, 12:52.

  • #2
    Re: Exchange Certificates - Doubts

    You don't need all of those certificates.
    A single SAN/UC certificate is all that is required for the internal systems.
    You can then put a single name certificate on the Edge server for incoming traffic from the Internet.

    I have instructions on what you need to do here:
    http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

    Once you have the replacement certificate in place, the others can be removed.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
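    The replacement procedure described in this reply (one SAN/UC certificate for the internal servers, bound to every service, then the per-protocol certificates retired), written out as an added PowerShell example. It is not from the thread or from Simon's blog. It assumes the Exchange 2007 Management Shell (New-ExchangeCertificate -GenerateRequest -Path and Import-ExchangeCertificate -Path are the 2007 forms; Exchange 2010 returns the request as text and imports from -FileData instead), an enterprise CA that signs the request out of band, and constructed placeholders for the file paths, the subject name (built from the names in the poster's output) and the 30-day threshold, which is an assumed renewal lead time rather than the value behind event 12018.

    ```powershell
    # Added example, not from the thread: replace per-protocol Exchange certificates
    # with one SAN certificate. Assumes the Exchange 2007 Management Shell; the paths,
    # subject name and $WarnDays below are constructed placeholders.
    $WarnDays   = 30                       # assumed renewal lead time
    $RequestOut = 'C:\temp\mail-san.req'   # placeholder path for the certificate request
    $SignedCert = 'C:\temp\mail-san.cer'   # placeholder path for the CA-issued certificate

    # 1. Inventory: every certificate bound to a service, with its names and expiry.
    #    Anything flagged Expiring is what event 12018 has been warning about.
    Get-ExchangeCertificate |
        Where-Object { $_.Services -ne 'None' } |
        Select-Object Thumbprint, Services, NotAfter, IsSelfSigned,
            @{ Name = 'Domains';  Expression = { [string]::Join(', ', @($_.CertificateDomains | ForEach-Object { $_.ToString() })) } },
            @{ Name = 'Expiring'; Expression = { $_.NotAfter -lt (Get-Date).AddDays($WarnDays) } } |
        Sort-Object NotAfter |
        Format-Table -AutoSize

    # 2. Collect every name the old CA-issued certificates answered for, so the single
    #    new certificate covers them all (SMTP, IMAP, POP, Autodiscover, OWA/RPC names).
    $names = Get-ExchangeCertificate |
        Where-Object { -not $_.IsSelfSigned } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { $_.ToString() } |
        Sort-Object -Unique

    # 3. One request for a SAN certificate. The private key is marked exportable so the
    #    same certificate, with its key, can later be exported for the ISA server.
    New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'C=SA, O=x Group, CN=mail.domain.com' `
        -DomainName $names `
        -Path $RequestOut

    # ... submit $RequestOut to the enterprise CA and save the issued certificate as $SignedCert ...

    # 4. Import the signed certificate and bind it to every service in one step.
    $new = Import-ExchangeCertificate -Path $SignedCert
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS, SMTP, POP, IMAP, UM'

    # 5. Verify the new binding, then retire the old CA-issued certificates that were
    #    about to expire. -WhatIf previews the removals; drop it once the list is as expected.
    Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
        Format-List Subject, CertificateDomains, Services, NotAfter
    Get-ExchangeCertificate |
        Where-Object { $_.Thumbprint -ne $new.Thumbprint -and
                       -not $_.IsSelfSigned -and
                       $_.NotAfter -lt (Get-Date).AddDays($WarnDays) } |
        ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -WhatIf }
    ```

    Step 1 on its own is a useful recurring check: run it before the warnings start rather than after, and treat any row with Expiring set to True as a scheduled renewal. Step 5 deliberately removes nothing until -WhatIf is taken off, because a certificate still selected for SMTP TLS by name should only be deleted once the new one is confirmed to carry that name in CertificateDomains.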
