Exchange Certificate Expired (Exchange 2007)

  • Exchange Certificate Expired (Exchange 2007)

    Remoted into work today and saw that Outlook 2010 was complaining about the Exchange Certificate expiring. Sounded familiar, so I dug into the sparse notes left by my predecessor:

    Exchange Server:
    Once a quarter, log into <EXCHANGE 2007 SERVER> and do the following:
    Open Exchange Management Shell
    Run New-ExchangeCertificate
    Wait a minute
    Run Get-ExchangeCertificate to view status
    Import new certificate in IIS.
    Yeah, LOVE the detail. Since I'm no Exchange expert, I decided to do some research:

    According to the MS article:
    The first example shows running the cmdlet without arguments. When you run the New-ExchangeCertificate cmdlet without arguments, a self-signed certificate for SMTP SSL/TLS is generated. The certificate has the local computer FQDN as the Subject Name. This internal transport certificate can be used, as is, for direct trust authentication and encryption between Edge Transport servers and Hub Transport servers. The Network Services local security group is also given read access to the private key associated with the certificate. In addition, the certificate is published to Active Directory so that Exchange Server direct trust can be used to validate the authenticity of the server for mutual TLS.
    Sidenote: AFAIK this is only affecting OWA and Outlook by forcing the user to accept the cert. My Android mail and BB are working just fine.

    1. Before I do anything, I want to back up the current certificate. As you can see by the pic I've attached, there are 6 certificates on the server currently. The subject line is simply the server name (not FQDN). No idea why there are 6 certs, or if they're all needed or if I need to recreate them all (or if that's all automatic upon running the New command).

    Is this the correct way to back them up?
    Export-ExchangeCertificate -Thumbprint <random key from screenshot> -Path c:\certificates\export1.pfx

    2. How do I find out which certificate is the correct one (or if they're all being used)? I checked OWA and it's using the top most cert (the one using all of the services). AFAIK you can only use one cert at a time and therefore that's the one, but I'm not 100% sure on that.

    3. Should I follow the aforementioned instructions from my predecessor, or do I need to do something more, e.g.
    Get-ExchangeCertificate -Thumbprint <random key from screenshot> | New-ExchangeCertificate -Services "IMAP, POP, UM, IIS, SMTP"
    Get-ExchangeCertificate (to find out the new thumbprint)
    Enable-ExchangeCertificate -Thumbprint <new thumbprint>
    4. Is it necessary to import the certificate into IIS, or is that what Enable-ExchangeCertificate does?

    Comments / thoughts?
    Last edited by Wired; 11th April 2011, 14:34.
    ** Remember to give credit where credit is due and leave reputation points where appropriate **
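    Editor's added example (not code from the original post): the sequence from step 3, written out as one Exchange Management Shell script for Exchange 2007, with the backup from step 1 done first and the result checked afterwards. Instead of copying a thumbprint from a screenshot, it picks the certificate to clone by looking at which one has IIS in its Services column. On question 4: Enable-ExchangeCertificate with IIS in -Services sets the SSL binding on the Default Web Site itself, so there is nothing to import in IIS Manager. The backup folder C:\certificates and the PFX password prompt are assumptions, not from the thread; Export-ExchangeCertificate -Path is the Exchange 2007 form (Exchange 2010 replaced it with -FileData).

```powershell
# Added example (not from the original post). Rotates the self-signed certificate
# that Exchange 2007 is using for IIS and the other services, keeping a PFX backup
# of the old one. Run in the Exchange Management Shell on the Exchange 2007 server.
# Assumption (not from the thread): backups go to C:\certificates.

$BackupDir = 'C:\certificates'
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# 1. Identify the certificate actually in use. Get-ExchangeCertificate lists every
#    certificate in the local machine store that Exchange can see; only those with a
#    non-empty Services value are bound to anything. Take the one serving IIS.
$old = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($old -eq $null) {
    throw 'No certificate is enabled for IIS; inspect Get-ExchangeCertificate | fl before continuing.'
}
$services = "$($old.Services)"    # e.g. "IMAP, POP, UM, IIS, SMTP"
Write-Host ("Replacing {0} (expires {1}, services: {2})" -f $old.Thumbprint, $old.NotAfter, $services)

# 2. Back up the old certificate WITH its private key before changing anything.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the backup PFX'
$backupPath  = Join-Path $BackupDir ("backup-{0}.pfx" -f $old.Thumbprint)
Export-ExchangeCertificate -Thumbprint $old.Thumbprint -BinaryEncoded:$true `
    -Path $backupPath -Password $pfxPassword
Write-Host "Backed up to $backupPath"

# 3. Create the replacement. Piping the old certificate into New-ExchangeCertificate
#    clones its subject and domain names; the new certificate gets a fresh key pair
#    and validity period. PrivateKeyExportable lets it be backed up the same way later.
$new = $old | New-ExchangeCertificate -Services $services -PrivateKeyExportable:$true
Write-Host ("Created {0} (expires {1})" -f $new.Thumbprint, $new.NotAfter)

# 4. Bind the services to the new certificate. For IIS this sets the SSL binding on
#    the Default Web Site, so no separate import in IIS Manager is needed. The shell
#    asks for confirmation before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services

# 5. Verify: the new thumbprint should now carry the services and a later NotAfter.
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -eq $new.Thumbprint -or $_.Thumbprint -eq $old.Thumbprint } |
    Select-Object Thumbprint, Services, NotAfter, Subject |
    Format-Table -AutoSize

# Once clients are happy, the old certificate can be removed from the store:
#   Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
```

    Clients will still see a prompt until they trust the new self-signed certificate, which is why post #2 pushes it out by Group Policy; the script only rotates it on the server.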

  • #2
    Re: Exchange Certificate Expired (Exchange 2007)

    Update: Ran through what I outlined in step 3 and then distributed the certificate to client computers using Group Policy.

    Looks like it's good to go, although I'm still interested in #4.


    • #3
      Re: Exchange Certificate Expired (Exchange 2007)

      Buy a certificate.

      No certificate prompts, no importing of anything on anything. Life is good.

      The self-signed certificates are not supported for use with Outlook Anywhere or ActiveSync anyway.

      Simon Butler
      Exchange MVP

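      Editor's added example (not code from Simon's post): the request-and-import half of "buy a certificate" on Exchange 2007. It generates a CSR with the client-facing names in the SubjectAlternativeName list, imports the certificate the CA returns, checks that every required name is actually present before enabling it, and binds the services. The names mail.example.com, autodiscover.example.com and ex01.corp.example.com, the organisation in the subject, and the file paths are all assumptions, not from the thread; Import-ExchangeCertificate -Path is the Exchange 2007 form.

```powershell
# Added example (not from the original post). Requests a CA-issued certificate for
# Exchange 2007 and binds it, replacing the self-signed one. All names and paths
# below are assumptions, not from the thread.
$Namespace   = 'mail.example.com'
$SanNames    = 'mail.example.com', 'autodiscover.example.com', 'ex01.corp.example.com'
$RequestPath = 'C:\certificates\exchange.req'
$IssuedPath  = 'C:\certificates\exchange.cer'   # file the CA sends back

# 1. Generate a CSR. -DomainName becomes the SubjectAlternativeName list, which is
#    what Outlook Anywhere, ActiveSync and Autodiscover clients check the name against.
New-ExchangeCertificate -GenerateRequest -Path $RequestPath `
    -SubjectName "c=GB, o=Example Ltd, cn=$Namespace" `
    -DomainName $SanNames -PrivateKeyExportable:$true -KeySize 2048 `
    -FriendlyName 'Exchange 2007 public certificate'
# Submit the contents of $RequestPath to the CA; save the issued certificate as $IssuedPath.

# 2. Import the issued certificate; it is paired with the private key created in step 1.
$cert = Import-ExchangeCertificate -Path $IssuedPath

# 3. Check it before enabling: every name clients use must appear in the SAN list,
#    and the chain must validate on this server or clients will still get prompts.
$missing = $SanNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw "Issued certificate is missing names: $($missing -join ', ')" }
if ($cert.Status -ne 'Valid') { Write-Warning "Certificate status is $($cert.Status); check the CA chain." }

# 4. Enable it for the client-facing services. The IIS binding is set here, so there
#    is nothing to import in IIS Manager.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS, SMTP, POP, IMAP'
```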