Exchange 2007 Self-Signed Certificate Renewal Trust & Command syntax
We are running Exchange 2007 with a self-signed certificate securing IMAP, POP, and SMTP. We have a 3rd party CA for IIS. Our certs are set to expire on our CAS/Hub server, so I ran the following commands on each of my two CAS\HUBs:

Get-ExchangeCertificate | FL
Get-ExchangeCertificate -Thumbprint "Thumbprint" | New-ExchangeCertificate

Ran all my tests - OWA, Outlook, Citrix Outlook, smartphones etc. and all looked OK. I did notice in IIS that the cert indicated not trusted, but things were working. I left the old cert in place.

This morning one user complained that when they opened Outlook they got a cert error that it was not trusted. Another admin in our company informed me the previous admin (I have been here 6 months) dealt with this by exporting the cert and importing it into AD. Well, found the old cert in AD. As the current cert is non-exportable, a web search brought me to: http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates.html

So now going to redo the cert. My question is on the actual syntax, as I'm seeing it used slightly differently by different posters. Is this correct as shown below? Not sure if PrivateKeyExportable is with :$True or as PrivateKeyExportable $true, and if it is before or after the |

Get-ExchangeCertificate | FL
Get-ExchangeCertificate -Thumbprint Thumbprint | New-ExchangeCertificate PrivateKeyExportable:$true
Get-ExchangeCertificate | fl Thumbprint.IsSelfSigned.Services
$pwd = Read-Host "Enter password" -AsSecureString
Enter Password: Corporate password
Export-ExchangeCertificate -Thumbprint NewThumbprint -enterpassword $pwd -Path c:\SelfSignedExport.pfx

Then the rest is an Active Directory process per the provided link.
May 11th, 2012 12:31pm

Also, when I run the command Get-ExchangeCertificate | fl Thumbprint.IsSelfSigned.Services, no value is returned, just a block of blank screen and the command prompt. Is this because my first set of commands did not make the certificate exportable? I also just noted I didn't enable the certificate. When I run | fl it shows the certificate value True for self-signed. Note: Thumbprint in the above command is as is; I didn't enter the actual thumbprint.

So, back to it: would this be the proper command sequence?

Get-ExchangeCertificate | FL
Get-ExchangeCertificate -Thumbprint ThumbprintCode | New-ExchangeCertificate PrivateKeyExportable:$true (or is it -PrivateKeyExportable $true)
Get-ExchangeCertificate | fl Thumbprint,IsSelfSigned,Services

NOTE: I'm getting back a list of certs including the SSL 3rd party cert. How do I get the next line to only assign a password to the cert I want to work with?

$pwd = Read-Host "Enter password" -AsSecureString
Enter Password: Corporate password
Export-ExchangeCertificate -Thumbprint ThumbprintCode -enterpassword $pwd -Path c:\SelfSignedExport.pfx
Enable-ExchangeCertificate ThumbprintCode (do I need to add anything for IMAP, POP, SMTP or will it realize it due to having another cert for IIS?)
May 11th, 2012 1:08pm
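An added example, not from any poster in this thread, showing the whole renewal sequence in Exchange Management Shell with the parameter syntax the Exchange 2007 cmdlets actually accept (-PrivateKeyExportable is a switch, so the colon form goes after the pipe as a New-ExchangeCertificate parameter; Export-ExchangeCertificate takes -Password, not -enterpassword). It assumes the certificate to renew is the one self-signed certificate currently bound to SMTP, and that the third-party IIS certificate must be left alone.

```powershell
# Added example: renew the internal self-signed Exchange 2007 certificate,
# make its private key exportable, re-bind IMAP/POP/SMTP, and export a PFX.
# Run in the Exchange Management Shell on each CAS/Hub server.

# 1. Select only the self-signed certificate bound to SMTP (assumed selector;
#    the 3rd-party IIS certificate has IsSelfSigned = False and is skipped).
$old = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ($_.Services -match 'SMTP') }
if (@($old).Count -ne 1) {
    throw "Expected exactly one self-signed SMTP certificate, found $(@($old).Count)"
}
$old | Format-List Thumbprint, IsSelfSigned, Services, NotAfter, CertificateDomains

# 2. Renew by piping the old certificate into New-ExchangeCertificate.
#    -PrivateKeyExportable is a switch parameter: use -PrivateKeyExportable:$true
#    (or just -PrivateKeyExportable); "-PrivateKeyExportable $true" is rejected
#    because a switch takes no positional value. Capture the returned object so
#    the new thumbprint does not have to be copied by hand.
$new = $old | New-ExchangeCertificate -PrivateKeyExportable:$true
Write-Host "Old thumbprint: $($old.Thumbprint)"
Write-Host "New thumbprint: $($new.Thumbprint)"

# 3. Bind the internal services to the new thumbprint. IIS is deliberately not
#    listed, so the 3rd-party certificate on OWA/ActiveSync stays in place.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IMAP, POP, SMTP"

# 4. Export the renewed certificate with its private key as a password-protected
#    PFX for publishing to domain members via AD/GPO.
$pfxPassword = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $new.Thumbprint -BinaryEncoded:$true `
    -Password $pfxPassword -Path 'C:\SelfSignedExport.pfx'

# 5. Verify: the new thumbprint should now carry IMAP/POP/SMTP and a later NotAfter;
#    the old certificate can be removed once clients trust the new one.
Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned } |
    Format-List Thumbprint, Services, NotAfter
```

Enabling SMTP on a new certificate prompts to overwrite the default SMTP certificate; answer yes only on the server whose certificate is being renewed.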

I would do it exactly as shown here in Step 1: http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates-part2.html Otherwise, you can get a 3rd party (trusted everywhere) SAN cert here for $30 to $60: https://certificatesforexchange.com/ Apparently users never read email out of the office on a computer that is not a domain member? If not, and if you don't use or need EWS or OA, then I suppose that's your business. Publishing the cert in AD will not resolve the problem externally, only internally (for domain members). Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
May 11th, 2012 3:36pm


The problem is that this tutorial shows how to create a new certificate, and we are renewing our old certificate. I need to know if the process I documented, utilizing a renewal of the certificate, is correct, including how I'm using the syntax. As per our design policy we are going this route, and it has worked for us for 3 years. The previous admin didn't document how he did this, so I need to make sure, as I'm not an Exchange admin.
May 11th, 2012 4:38pm

Any replies I need to implement tomorrow night?
May 13th, 2012 11:10am


Whether you renew or issue a new one, practically it doesn't matter. Sure, you will get a new thumbprint with the new cert, which you will have to re-bind your services (IMAP, POP, SMTP, IIS) to use. Now the main question is why are you using self-signed certs? You will be shooting yourself in the foot when trying to use self-signed certs; just purchase the SAN certificate from a third party CA. If you go with using the self-signed cert, then yes, you will have to publish it in AD using GPO so that it's published in all your domain users' computer\root CA store. Now this will only help with domain-joined computers. I would really recommend you purchase the cert from a trusted CA. James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 13th, 2012 7:00pm

James and LePivert - I understand this very well, but we don't have any non-domain systems accessing our e-mail. Our IIS, OWA, and ActiveSync are already secured by a third party cert that was set up before I took over. All I'm tasked with is renewing our internal cert. So I ask again, would someone please just verify the command lines I have listed.
May 13th, 2012 9:54pm


Hello, The command should be OK. Since it is an internal self-signed certificate, you may directly re-create a new certificate and enable it on the services. Thanks, Simon
May 13th, 2012 10:27pm

