Exchange 2007 sp1 Certificate issue
I have been having an issue with our internal certificate on Exchange 2007 SP1. I've "cloned" the existing certificate through the Exchange Management Shell, but have had no luck with the clients (Outlook 07) seeing the new cert. Did I miss a step?

Error message from Outlook clients:

Security Alert
Information you exchange with this site cannot be viewed by others. However, there is a problem with the site's security certificate.
The security certificate is from a trusted certifying authority.
The security has expired or is not yet valid.
The security certificate has a valid name.
Do you want to proceed?
Yes / No / View Certificate

If you click "Yes" twice in a row it connects fine. But when you click "View Certificate", it has the incorrect thumbprint for the new cert.
July 10th, 2010 9:48pm

The security certificate is from a trusted certifying authority. (has a check mark)
The security has expired or is not yet valid. (has a big red X)
The security certificate has a valid name. (has a check mark)

It's been more than 24 hrs since I renewed the cert, and I've restarted Exchange services and rebooted Exchange since.
July 10th, 2010 9:53pm

Hi, I think you should remove all the certificates from the client machine and then re-install them again. I hope you will get it done.
Regards,
Shafaquat Ali. M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, Phone: +923008210320
July 10th, 2010 9:55pm

Remove them from the Outlook clients? How? Thanks in advance.
July 10th, 2010 10:03pm

On Sat, 10 Jul 2010 18:53:08 +0000, DavePaesch wrote:

> The security certificate is from a trusted certifying authority. (has a check mark)
> The security has expired or is not yet valid. (has a big red X)

When you look at the certificate, what are the dates?

> It's been more than 24 hrs since I renewed the cert, and I've restarted Exchange services and rebooted Exchange since.

I don't think you have a problem with Exchange.
---
Rich Matheisen MCSE+I, Exchange MVP
July 10th, 2010 10:18pm

The dates are expired: 7/8/2009 to 7/8/2010. It gives me an option to Install Certificate, but I don't see where to browse to.
July 10th, 2010 10:21pm

On Sat, 10 Jul 2010 19:21:32 +0000, DavePaesch wrote:

> The dates are expired: 7/8/2009 to 7/8/2010. It gives me an option to Install Certificate, but I don't see where to browse to.

Issue a new certificate and install that.
---
Rich Matheisen MCSE+I, Exchange MVP
July 10th, 2010 11:05pm

You don't have to remove anything from the Outlook clients.
-- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

"DavePaesch" wrote in message news:42a9ac9f-fbd4-4d99-8137-406fb6449b89...
> Remove them from the Outlook clients? How? Thanks in advance.
July 11th, 2010 12:35am

Ok, so maybe I've not been clear. Exchange has a new cert. I've already run "Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate" and cloned the old one. There are two thumbprints on the server. The clients are not seeing the new thumbprint or the new cert. Do I need to enable the new cert? This is just a self-signed local cert. Thanks again in advance.

Update: So I've enabled the new cert and it's not changed anything...
July 12th, 2010 4:50pm

I don't understand what you mean about cloning the old certificate. Clients should see the certificate that's configured for IIS.
-- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

"DavePaesch" wrote in message news:908f3270-014e-4680-86ec-c2a534d2b54e...
> Ok, so maybe I've not been clear. Exchange has a new cert. I've already run "Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate" and cloned the old one. There are two thumbprints on the server. The clients are not seeing the new thumbprint or the new cert. Do I need to enable the new cert? This is just a self-signed local cert. Thanks again in advance.
>
> Update: So I've enabled the new cert and it's not changed anything...
July 12th, 2010 5:31pm

> I don't understand what you mean about cloning the old certificate. Clients should see the certificate that's configured for IIS.
> -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

I ran a command in the PowerShell that said it would "clone" the old cert: "Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate". It did, and now there are two certs, for which I am not sure of their exact location but can see the thumbprints, and that they exist. I am new to Exchange certs so excuse my ignorance. Below is the transcript from PowerShell, with all the specifically identifying data removed. It looks as though the new cert and old cert have different services? What did I miss?

___________________________________________
**********************
Windows PowerShell Transcript Start
Start time: 20100712080518
Username  : *******
Machine   : CN (Microsoft Windows NT 5.2.3790 Service Pack 2)
**********************
Transcript started, output file is c:\MySession.txt
[PS] C:\Documents and Settings\*****.****>get-ExchangeCertificate

Thumbprint      Services    Subject
----------      --------    -------
NewThumbprint   IP..S       CN=servername
Thumbprint      IP.WS       CN=servername
July 12th, 2010 5:43pm

You're talking about the self-signed certificate, then?
-- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

"DavePaesch" wrote in message news:654072e1-db0f-4987-b50f-31a95294c3a9...
> > I don't understand what you mean about cloning the old certificate. Clients should see the certificate that's configured for IIS.
> > -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
>
> I ran a command in the PowerShell that said it would "clone" the old cert: "Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate". It did, and now there are two certs, for which I am not sure of their exact location but can see the thumbprints, and that they exist. I am new to Exchange certs so excuse my ignorance. Below is the transcript from PowerShell, with all the specifically identifying data removed. It looks as though the new cert and old cert have different services? What did I miss?
>
> ___________________________________________
> **********************
> Windows PowerShell Transcript Start
> Start time: 20100712080518
> Username  : *******
> Machine   : CN (Microsoft Windows NT 5.2.3790 Service Pack 2)
> **********************
> Transcript started, output file is c:\MySession.txt
> [PS] C:\Documents and Settings\*****.****>get-ExchangeCertificate
>
> Thumbprint      Services    Subject
> ----------      --------    -------
> NewThumbprint   IP..S       CN=servername
> Thumbprint      IP.WS       CN=servername
July 12th, 2010 6:47pm

Okay. New-ExchangeCertificate just creates a new request. You must follow that command up with taking the output file and submitting it to a certificate authority unless you're generating a self-signed certificate. To see the details of the two certificates, run Get-ExchangeCertificate | fl. That should show you the expiry dates and other details of the certificates.
-- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

"DavePaesch" wrote in message news:654072e1-db0f-4987-b50f-31a95294c3a9...
> > I don't understand what you mean about cloning the old certificate. Clients should see the certificate that's configured for IIS.
> > -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
>
> I ran a command in the PowerShell that said it would "clone" the old cert: "Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate". It did, and now there are two certs, for which I am not sure of their exact location but can see the thumbprints, and that they exist. I am new to Exchange certs so excuse my ignorance. Below is the transcript from PowerShell, with all the specifically identifying data removed. It looks as though the new cert and old cert have different services? What did I miss?
>
> ___________________________________________
> **********************
> Windows PowerShell Transcript Start
> Start time: 20100712080518
> Username  : *******
> Machine   : CN (Microsoft Windows NT 5.2.3790 Service Pack 2)
> **********************
> Transcript started, output file is c:\MySession.txt
> [PS] C:\Documents and Settings\*****.****>get-ExchangeCertificate
>
> Thumbprint      Services    Subject
> ----------      --------    -------
> NewThumbprint   IP..S       CN=servername
> Thumbprint      IP.WS       CN=servername
July 12th, 2010 6:50pm

> Okay. New-ExchangeCertificate just creates a new request. You must follow that command up with taking the output file and submitting it to a certificate authority unless you're generating a self-signed certificate. To see the details of the two certificates, run Get-ExchangeCertificate | fl. That should show you the expiry dates and other details of the certificates.
> -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

> Transcript started, output file is c:\MySession.txt
> [PS] C:\Documents and Settings\*****.****>get-ExchangeCertificate
>
> Thumbprint      Services    Subject
> ----------      --------    -------
> NewThumbprint   IP..S       CN=servername
> Thumbprint      IP.WS       CN=servername

Yes, they are self-signed. I have no need at the moment for a CA cert. I ran the command and have created them. The output above is what I see when I run "get-exchangeCert". The Services column is a bit different, but the new one is enabled and I've stopped getting warnings on the Exchange server in the event viewer. Outlook is still giving errors site-wide. I am going to try re-installing a client somewhere, and see what that does. I have 77+ clients, so it's not a viable option to reinstall them all.
July 12th, 2010 6:58pm

Enter the command as I typed it: Get-ExchangeCertificate | fl

Let me clarify something I said earlier. If you already have a self-signed certificate, you wouldn't "clone" it to get a public certificate. In that case you would issue a New-ExchangeCertificate command with lots of parameters specific to your requirements. And I'm not saying you need a public certificate; that would depend on how you plan to connect to Exchange. An internally generated certificate from your own enterprise CA might work for you, and I often deploy both.
-- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

"DavePaesch" wrote in message news:76e10022-e3a1-48ef-acf0-1a90364190d8...
> > Okay. New-ExchangeCertificate just creates a new request. You must follow that command up with taking the output file and submitting it to a certificate authority unless you're generating a self-signed certificate. To see the details of the two certificates, run Get-ExchangeCertificate | fl. That should show you the expiry dates and other details of the certificates.
> > -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
>
> > Transcript started, output file is c:\MySession.txt
> > [PS] C:\Documents and Settings\*****.****>get-ExchangeCertificate
> >
> > Thumbprint      Services    Subject
> > ----------      --------    -------
> > NewThumbprint   IP..S       CN=servername
> > Thumbprint      IP.WS       CN=servername
>
> Yes, they are self-signed. I have no need at the moment for a CA cert. I ran the command and have created them. The output above is what I see when I run "get-exchangeCert". The Services column is a bit different, but the new one is enabled and I've stopped getting warnings on the Exchange server in the event viewer. Outlook is still giving errors site-wide. I am going to try re-installing a client somewhere, and see what that does. I have 77+ clients, so it's not a viable option to reinstall them all.
July 12th, 2010 7:05pm

FilterScript :
[PS] C:\Documents and Settings\unsername.domain>get-exchangecertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {CN, CN.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=CommonName
NotAfter           : 7/9/2011 10:35:13 AM
NotBefore          : 7/9/2010 10:35:13 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : B911**************************CA09B
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=CommonName
Thumbprint         : 3C5C**********************DFE5F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {CN, CN.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=***************
NotAfter           : 7/8/2010 5:19:06 PM
NotBefore          : 7/8/2009 5:19:06 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 285548C61A5848A14B04FF5C958EDC51
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=*************
Thumbprint         : 8D981E4*******************************5F466

Above is the output, with edited fields of course. It turns out that IIS is not enabled on the new one. That at least gives me a direction to head; I will try and get that added to the new cert. We are currently only using Exchange internally, with few exceptions that only forward messages to external devices. This is the certificate that was installed when Exchange was installed in 07/09 and just expired.
July 12th, 2010 7:22pm

> Enter the command as I typed it: Get-ExchangeCertificate | fl

Thank you kind sir! Enabling IIS on the new cert seems to have done the trick!!! I very much appreciate it. I will have to pass this on to locals that might have similar issues. :)
July 12th, 2010 7:36pm
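The root cause above was that the cloned self-signed certificate came up bound to IMAP, POP and SMTP only (Services "IP..S", no "W"), so IIS kept presenting the expired certificate to Outlook. The Exchange Management Shell sequence below is an added example, not a command set from the thread; it renews the certificate, binds the new one to IIS explicitly, and verifies the binding before the old certificate is removed. The thumbprint value is a placeholder, and the comparison on `$_.Services` relies on the property rendering as the comma-separated list shown in the fl output.

```powershell
# Added example (not from the thread): renew an expired self-signed Exchange 2007
# certificate and make sure it is the one IIS (Outlook/OWA/Autodiscover) serves.
# Run in the Exchange Management Shell on the server.

# 1. List the fields that matter; the expired certificate shows Status : Invalid.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotBefore, NotAfter, Status, IsSelfSigned

$oldThumbprint = "<THUMBPRINT-OF-EXPIRED-CERT>"   # placeholder, copy from the listing above

# 2. Clone the expired certificate into a new self-signed one (same subject and domains).
#    The Services set is not guaranteed to carry over: in the thread the clone lacked IIS.
$newCert = Get-ExchangeCertificate -Thumbprint $oldThumbprint | New-ExchangeCertificate

# 3. Bind the new certificate to every service the old one served, IIS included.
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 4. Verify: exactly one certificate should now be bound to IIS, and it must be Valid.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" })
$iisCerts | Format-List Thumbprint, NotAfter, Status

if ($iisCerts.Count -ne 1 -or $iisCerts[0].Status -ne "Valid") {
    Write-Warning "IIS is not bound to a single valid certificate; keep the old one until this is fixed."
} elseif ($iisCerts[0].Thumbprint -eq $oldThumbprint) {
    Write-Warning "IIS still presents the expired certificate; re-run Enable-ExchangeCertificate."
}

# 5. Only after Outlook clients stop warning, retire the expired certificate.
# Remove-ExchangeCertificate -Thumbprint $oldThumbprint
```

If Outlook still shows the old thumbprint after step 3, an `iisreset /noforce` on the server forces the web sites to pick up the new binding.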

