Exchange Server 2007 Certificate Issues.
Hi All, I'm a little mixed up with a few things that have just popped up and was wondering if anyone could help me out. I've just started working with a new client and have just verified that there are a whole bunch of certificates that are about to expire; the scenario includes Exchange and ISA 2006. I'm new to all this!

1) Warnings are popping up on my Edge server, mentioning that the Edge server's certificate and the MX record certificate are about to expire (below):

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 3/22/2010
Time: 8:51:16 AM
User: N/A
Computer: EdgeServer
Description: The STARTTLS certificate will expire soon: subject: amop.smtp.domain.com, hours remaining: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 3/22/2010
Time: 8:48:07 AM
User: N/A
Computer: EdgeServer
Description: The STARTTLS certificate will expire soon: subject: edgeserver.domain.internal, hours remaining: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 3/22/2010
Time: 8:36:11 AM
User: N/A
Computer: EdgeServer
Description: The STARTTLS certificate will expire soon: subject: amop.domain.com, hours remaining: XXXXXXXXXXXXXXXXXXXXXXXXXXX. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Is this something I can renew on the CA server or the Exchange Server, and then apply it on the Edge Server?
2) On my Exchange Server, I did look up the expiry dates of the certificates and realized that they are about to expire very soon as well:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {smtp.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=servername, DC=domain, DC=internal
NotAfter           : 5/14/2010 2:29:49 AM
NotBefore          : 5/14/2008 2:29:49 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : XXXXXXXXXXXXXXXXXXXXX
Services           : SMTP
Status             : Valid
Subject            : CN=smtp.domain.com, OU=x Group, O=x Group, L=space, S=xx, C=SA
Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {imap.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Server, DC=domain, DC=internal
NotAfter           : 5/13/2010 9:02:49 AM
NotBefore          : 5/13/2008 9:02:49 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : XXXXXXXXXXXXXXXXXXXXX
Services           : IMAP
Status             : Valid
Subject            : CN=imap.domain.com, OU=x Group, O=x Group, L=space, S=xx, C=SA
Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {pop3.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=servername, DC=domain, DC=internal
NotAfter           : 5/13/2010 9:00:26 AM
NotBefore          : 5/13/2008 9:00:26 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 7FFBA0F3000000000031
Services           : POP
Status             : Valid
Subject            : CN=pop3.domain.com, OU=x Group, O=x Group, L=space, S=xx, C=SA
Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mailserver.domain.internal, mailserver, mail.domain.com, rpc.domain.com, autodiscover.domain.com, exchange.domain.com, smtp.domain.com, imap.domain.com, pop3.domain.com, autodiscover.x.com, autodiscover.e.com, autodiscover.z.com, autodiscover.a.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=servername, DC=domain, DC=internal
NotAfter           : 5/12/2010 7:47:17 AM
NotBefore          : 5/12/2008 7:47:17 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : XXXXXXXXXXXXXXXXXXXXX
Services           : IMAP, POP, UM, IIS, SMTP
Status             : Valid
Subject            : CN=mailserver.domain.internal, OU=x Group, O=x Group, L=space, S=xx, C=SA
Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I'm really confused with this because I see there is a certificate for POP3, SMTP and IMAP, and then a fourth certificate that includes the 3 protocols plus UM/IIS, autodiscover, OWA etc.

* Will I need to renew each one, or can I just run everything with one certificate?
* Once the renewal is done and applied to IIS for OWA, UM, Outlook Anywhere and ActiveSync, do I just apply the same certificate to the ISA?

Any advice would be great. Thanks in advance!!
March 24th, 2010 10:51am

Hi,

1. The current certificates: are they issued by a 3rd party CA? If so you should renew them using that 3rd party CA.

2. It does look like the certificates that include only a single domain are a bit unnecessary. You have already got one SAN/UC certificate that includes all those domains and some more for autodiscover etc. It should be enough to renew only that certificate and make sure it's enabled on all services. You should then apply the same certificate on the ISA. You should also go through the publishing rules on the ISA and make sure that the web listeners use the correct certificate.

I hope that this answers your questions, please let me know if it doesn't!
March 24th, 2010 1:01pm

Hi Martin, Thank you very much for the response, I'm losing hair over all this! :)

1) Yes it is a self-assigned certificate. Can I renew it on the CA server and then apply it on the Edge Server? What are the consequences of this certificate expiring? Will the email flow from the Edge to Hub stop? Does it just need to exist on the Edge server?

2) So, from my understanding: I renew the cert for all the domains that includes all the protocols and autodiscover etc. (everything) - apply the previous cert to IIS (OWA, UM, Outlook Everywhere, ActiveSync) - then export the same cert that was created on the Exchange and apply it on the ISA rules. Is this all right? Will I need to recreate the Edge subscription? I'm assuming if the certificate expires, the only affected ones will be the clients, and the flow of email will be maintained?

Thanks again for the help!
March 24th, 2010 4:13pm

No worries, let's see if we can get a grip on this :)

1. On the Edge server a certificate is used for TLS and Edge synchronisation. I'm assuming that this certificate is used for sync, so then you should renew it using the following syntax (change "Thumbprint" to the actual thumbprint for that certificate):

Get-ExchangeCertificate -Thumbprint "Thumbprint" | New-ExchangeCertificate

After the renewal is done you also need to re-subscribe the Edge sync. If the certificate expires the EdgeSync will not work.

2. Is this a self-signed cert as well? Do you have any certificates generated by a 3rd party CA? Yes, renew the certificate for all domains, apply it on all services including SMTP, POP3 and IMAP. Then export the certificate and apply it on the ISA web listeners. Unless you require TLS the only ones affected should be the clients.
March 24th, 2010 4:42pm

1) The certificate on the Edge Server has the edgeserver.domain.internal and the MX record as its subject, and it's where I'm getting the "The STARTTLS certificate will expire soon" error.

2) Yes it is a self-signed certificate, no 3rd party certificates at all... and all clients require TLS, does this change anything?
March 24th, 2010 8:16pm

1. Ah, true, I read your error messages again. Since this is a self-generated certificate from the beginning, the procedure is the same as I described earlier.

2. Nope, it does not change anything, you still need to go through the same steps, except that you can use the same procedure for renewing the certificate as in question 1.
March 24th, 2010 10:10pm

Hi Martin, I'm about to proceed with the renewal of the Edge server, I have it all planned out (below):

On the Edge server:
1. Get-ExchangeCertificate -Thumbprint "Old_Certificate" | New-ExchangeCertificate - confirm the overwrite of the old certificate.
2. New-EdgeSubscription -FileName "C:\subscription.xml"

On the Hub server:
3. Organization Configuration > Hub Transport > Create New Edge Subscription -> browse to subscription.xml
4. Restart the Microsoft Exchange ADAM service on the Edge server
5. Run: Start-EdgeSynchronization
6. Test-EdgeSynchronization (everything is OK if the result of the test command is Success)
7. Remove-ExchangeCertificate -Thumbprint "Old_Certificate" - on the Edge server

I have two doubts:
- I assume I run the certificate renewal command on the Edge server?
- Will I need to run the (Enable-ExchangeCertificate -Thumbprint "New Thumbprint" -Services IIS) command for IIS? I'm in doubt because it is only the Edge certificate that I'm renewing...

Thanks!
RL
April 14th, 2010 10:55am

Hi,

1. Yes that is correct, if you run the commands on the Edge it will be just fine.

2. That's right, IIS is not applicable on the Edge server so you should change IIS to SMTP instead.

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator | http://msundis.wordpress.com
April 14th, 2010 11:53am
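The Edge renewal plan agreed above, written out as an Exchange Management Shell runbook. This is an added example, not a script from the thread or from Microsoft; the 30-day window, the C:\EdgeSubscription.xml path, the AD site name "Default-First-Site-Name" and the "<old thumbprint>" placeholder are assumptions. One caveat worth knowing before running it: piping a certificate into New-ExchangeCertificate without -GenerateRequest always produces a new self-signed certificate that clones the old subject and SAN list, so if the Edge certificate turns out to have been issued by the internal CA, use the -GenerateRequest flow instead (as in the Hub example later in this thread).

```powershell
# Added example (not from the original thread): renew the Edge Transport
# STARTTLS certificate on Exchange 2007 and re-establish EdgeSync.
# Assumed values: 30-day window, subscription file path, AD site name,
# and the "<old thumbprint>" placeholder.

# ---------- On the Edge server ----------

# 1. Report SMTP-enabled certificates that expire within 30 days. This is the
#    condition behind MSExchangeTransport event 12018 ("will expire soon").
$soon = (Get-Date).AddDays(30)
Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'SMTP' -and $_.NotAfter -lt $soon } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 2. Renew by cloning: the new certificate keeps the subject and SAN names of
#    the old one. Answer Y when asked to overwrite the existing SMTP binding.
$oldThumb = "<old thumbprint>"
$new = Get-ExchangeCertificate -Thumbprint $oldThumb | New-ExchangeCertificate

# 3. Make sure the new certificate is bound to SMTP. IIS does not exist on an
#    Edge server, so SMTP is the only service that applies here.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP

# 4. Create a fresh Edge Subscription file. The existing subscription is tied
#    to the old certificate and EdgeSync stops working once that expires.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# 5. Restart the ADAM instance (the step from the plan above), then copy the
#    XML file to a Hub Transport server.
Restart-Service ADAM_MSExchange

# ---------- On a Hub Transport server in the subscribed site ----------

# 6. Import the subscription (this replaces the subscription for that Edge),
#    force a synchronisation and check the result.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml" -Site "Default-First-Site-Name"
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List

# ---------- Back on the Edge server, only after the test succeeds ----------

# 7. Confirm nothing is still bound to the old certificate, then remove it.
Get-ExchangeCertificate -Thumbprint $oldThumb | Format-List Services, NotAfter
Remove-ExchangeCertificate -Thumbprint $oldThumb
```

Run each section on the server named in the comment; steps 1 to 5 and 7 belong on the Edge, step 6 on the Hub. Keep the old certificate in place until Test-EdgeSynchronization reports success, because removing it earlier leaves no fallback if the new subscription fails to import.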

Perfect, so I'll just need to run the (Enable-ExchangeCertificate -Thumbprint "New Thumbprint" -Services SMTP) command after renewing the certificate. I'm assuming nothing else will be affected at this first stage? All this will be seamless to the clients, the OWA/Outlook Anywhere/ActiveSync will keep working and there will be no need for any certificate change on the clients' end, until I change the certificate for the Hub server next month (question 2 on my first post).
April 14th, 2010 2:08pm

After renewing the certificate, running the enable command should be enough. This won't affect the clients since this only changes the certificate on the Edge server. Renewing the SAN certificate in question 2 will affect both clients and servers in the organization since this certificate is enabled on all services. I suggest that you do this during off hours.

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator | http://msundis.wordpress.com
April 14th, 2010 2:23pm

Thank you very much for your help Martin! I will attempt the Edge cert renewal the night before, holding thumbs that everything is sorted. I hate doing things for the first time! Especially when the whole company relies on email to do their job. :)
April 14th, 2010 2:41pm

No worries, I'm happy to help! The process is quite straightforward but let me know if you bump into any problems. Good luck :)

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator | http://msundis.wordpress.com
April 14th, 2010 2:50pm

Hi Martin, All went well, the first phase is sorted. Thank you very much for your help once again!

Now for the second phase. I've been digging around my servers, and have just picked up a complex scenario: the Exchange (Hub) certificate that is set up for (IMAP, POP, UM, IIS, SMTP) is used on IIS for RPC, OWA and Autodiscover. On IIS there is another site called RPC_with_Cert, which has the ISA certificate applied to it (mentioned below). There is a different certificate on the ISA server, basically the same as the one on the Hub, with just another thumbprint, which is applied to all the listeners.

Now my dilemma starts here: the certificate that is applied to all laptops and mobile devices is completely different from any of the above and is valid for 5 years.

I found a note in one of the documents left behind by the IT guy before I started here, mentioning:

"Outlook 07 does not recognize the SAN attribute for pop3/imap and smtp protocols, therefore it was necessary to add 3 additional certificates on the Exchange: CN=imap.company.com, CN=pop2.company.com, CN=smtp.company.com. Each of these certificates has been enabled for its specific service."

I don't quite understand how everything is working with the 5 year certificate mentioned above, seeing that it is not applied to anything on the Exchange, IIS or ISA? Do the 4 certificates make sense after what was mentioned in the 2nd point above?

Thanks!
April 19th, 2010 9:58am

Great to hear, well done!

1. I'm not sure why they would have added another certificate. The SAN certificate you already have should be enough.

2. It sounds like the setup is a bit more complex than it needs to be. Again, based on the hosts included in the SAN cert, that single certificate should be enough for all your services. I can't see the point in using another RPC site either since your setup doesn't seem to be that complex to begin with. You have a single Exchange server published by ISA 2006, it can't be much more straightforward than that :)

Your SAN certificate includes the following hosts:
mailserver.domain.internal
mailserver
mail.domain.com
rpc.domain.com
autodiscover.domain.com
exchange.domain.com
smtp.domain.com
imap.domain.com
pop3.domain.com
autodiscover.x.com
autodiscover.e.com
autodiscover.z.com
autodiscover.a.com

Which is all the hosts you need and a couple of hosts that are unnecessary in my opinion. The users connecting with IMAP and POP3 should be able to connect to mail.domain.com as well, so that makes imap and pop3 unnecessary. Actually, this should be enough:
mailserver.domain.internal
mailserver
mail.domain.com
autodiscover.domain.com
autodiscover.x.com
autodiscover.e.com
autodiscover.z.com
autodiscover.a.com

Assuming you have users that need to be able to use autodiscover for all the other domains except domain.com... But anyway, does this answer your questions?

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator | http://msundis.wordpress.com
April 19th, 2010 12:24pm

My initial plan:

1. Renew the certificate (one below) on the Hub server; enable it on all protocols and IIS.
2. Take the same certificate above and copy it onto the ISA, then apply it to all listeners.
3. Apply the same certificate on all laptops (Trusted Root Certification Authorities store) and mobile phones.

Cert:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mailserver.domain.internal, mailserver, mail.domain.com, rpc.domain.com, autodiscover.domain.com, exchange.domain.com, smtp.domain.com, imap.domain.com, pop3.domain.com, autodiscover.x.com, autodiscover.e.com, autodiscover.z.com, autodiscover.a.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=servername, DC=domain, DC=internal
NotAfter           : 5/12/2010 7:47:17 AM
NotBefore          : 5/12/2008 7:47:17 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : XXXXXXXXXXXXXXXXXXXXX
Services           : IMAP, POP, UM, IIS, SMTP
Status             : Valid
Subject            : CN=mailserver.domain.internal, OU=x Group, O=x Group, L=space, S=xx, C=SA
Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Now I did read that Outlook Anywhere absolutely requires a 3rd party certificate (which was hard to believe seeing that my current setup is working on a self-assigned one), but the workaround is to use a self-assigned one and then copy it to the Trusted Root Certification Authorities store on the computer or mobile? And that ISA 06 imposes that the SAN be the same as the CN on the Exchange Server?

Apologies about all the doubts again... just trying to clear all things up before. Thank you for all the help!
April 19th, 2010 3:30pm

The plan looks good, the certificate should be enough. You're absolutely right regarding the mobile phones, manually installing the certificate on each device will enable them to access ActiveSync. When using SSL between the Exchange and ISA server, the ISA needs to be able to verify the certificate CN against the Exchange server just like any other client. You can use a non-SSL connection between the ISA and the Exchange server if you are having trouble getting this to work.

No worries, if you don't ask you won't know :)

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator | http://msundis.wordpress.com
April 21st, 2010 2:23pm
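The second phase discussed above (renew the multi-name certificate through the internal enterprise CA, bind it to every service, hand a copy to ISA), as an added Exchange Management Shell example. It is not a script from the thread or from Microsoft. The host list and subject fields come from the certificate dump in the thread; the paths under C:\certs, the CA config string "servername.domain.internal\Issuing-CA", the WebServer template name and the PFX password prompt are assumptions. Two points the example bakes in: -GenerateRequest produces a CSR for the CA rather than a self-signed certificate, and what a laptop or phone needs in its Trusted Root store to accept the new certificate is the CA's own certificate, which is why the last step exports that instead of the server certificate.

```powershell
# Added example (not from the original thread): renew the SAN certificate on
# the Hub/CAS via the internal enterprise CA, enable it on all services, and
# export a PFX for the ISA 2006 web listeners.
# Assumed: C:\certs paths, CA config string, WebServer template, PFX password.

$req = "C:\certs\mailserver.req"
$cer = "C:\certs\mailserver.cer"

# Names clients, ISA and other servers connect to (from the thread's SAN cert).
$names = @(
    "mailserver.domain.internal", "mailserver", "mail.domain.com",
    "rpc.domain.com", "autodiscover.domain.com", "exchange.domain.com",
    "smtp.domain.com", "imap.domain.com", "pop3.domain.com",
    "autodiscover.x.com", "autodiscover.e.com", "autodiscover.z.com",
    "autodiscover.a.com"
)

# 1. Generate a certificate request (not a self-signed cert). The subject
#    mirrors the expiring certificate; -PrivateKeyExportable is required so
#    the same key pair can later be exported for ISA.
New-ExchangeCertificate -GenerateRequest -Path $req -KeySize 2048 `
    -PrivateKeyExportable $true `
    -SubjectName "C=SA, S=xx, L=space, O=x Group, OU=x Group, CN=mailserver.domain.internal" `
    -DomainName $names

# 2. Submit the request to the enterprise CA and fetch the issued certificate.
#    certreq is the built-in Windows tool; the CA name and template are assumed.
certreq -submit -attrib "CertificateTemplate:WebServer" `
    -config "servername.domain.internal\Issuing-CA" $req $cer

# 3. Import the issued certificate (it pairs with the pending private key)
#    and bind it to every service in one step.
$new = Import-ExchangeCertificate -Path $cer
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IIS,SMTP,POP,IMAP,UM"

# 4. Verify the result: all five services, the full SAN list, a future NotAfter.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Services, NotAfter, IsSelfSigned, CertificateDomains

# 5. Export certificate plus private key for the ISA web listeners. The PFX
#    password protects the key while the file is copied to the ISA box.
$pw = Read-Host -AsSecureString "PFX password"
Export-ExchangeCertificate -Thumbprint $new.Thumbprint -BinaryEncoded:$true `
    -Path "C:\certs\mailserver.pfx" -Password $pw

# 6. Export the CA's own certificate for client trust stores. This (not the
#    server certificate) is what belongs in Trusted Root on laptops and phones.
certutil -config "servername.domain.internal\Issuing-CA" -ca.cert "C:\certs\issuing-ca.cer"
```

Delete C:\certs\mailserver.pfx from the Exchange server once it has been imported on ISA; the file contains the private key for every published name. If the CA is a two-tier hierarchy, step 6 returns the issuing CA's certificate and the offline root certificate must be distributed as well.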

Hi Martin, Please disregard my questions above (deleted), I have figured out that all the certificates are actually generated on the private certificate authority and not self-signed. So all 4 certificates on the CAS and the one on the ISA were actually issued from the CA.

There is one last simple question that's getting to me before I renew them tonight: is there any way of verifying exactly which certificate is enabled for what service? In my example above both the smtp.domain.com and the mailserver.domain.internal certificates have SMTP mentioned in the services, does this mean both are active for the SMTP service? I assume this isn't possible, but is there any way of checking which one is securing SMTP?

Thanks
May 11th, 2010 12:05pm

Hi, I'm sorry for the late reply! Did you find the answer to your question from last week? If not, here is a quick answer...

To see which certificate is enabled on which service use this command:

get-exchangecertificate

If you look under Services in the results you will see a combination of letters. Each letter represents a specific service for which the certificate is enabled:
S = SMTP
I = IMAP
P = POP
U = Unified Messaging
W = Web/IIS

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator | http://msundis.wordpress.com
May 17th, 2010 2:01pm
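The check asked for above (which certificate is enabled for which service, and whether more than one is bound to SMTP), as an added Exchange Management Shell example rather than anything from the thread. Only Get-ExchangeCertificate, Get-ReceiveConnector and Get-SendConnector are used; the 30-day threshold is an assumption. Several certificates can legitimately carry the S flag at once; which one transport actually presents on a given connector is decided at STARTTLS time by matching the connector's FQDN against the certificate names, so the last part of the example lists those FQDNs for comparison against the Domains column rather than trying to reproduce that selection logic.

```powershell
# Added example (not from the original thread): report per-certificate service
# bindings and expiry, and list the connector FQDNs an SMTP certificate must cover.
# Assumed: the 30-day threshold. Written for the PowerShell 1.0/2.0 shell that
# Exchange 2007 ships with (no -join, no [pscustomobject]).

function Get-ExchangeCertificateReport {
    param([int]$Days = 30)
    $limit = (Get-Date).AddDays($Days)
    Get-ExchangeCertificate |
        Select-Object Thumbprint,
            @{Name = 'Services';    Expression = { $_.Services.ToString() }},
            @{Name = 'Expires';     Expression = { $_.NotAfter }},
            @{Name = 'ExpiresSoon'; Expression = { $_.NotAfter -lt $limit }},
            @{Name = 'Issuer';      Expression = { if ($_.IsSelfSigned) { 'self-signed' } else { $_.Issuer } }},
            @{Name = 'Domains';     Expression = { [string]::Join(',', [string[]]@($_.CertificateDomains)) }} |
        Sort-Object Expires
}

# All certificates bound to one service (SMTP, IMAP, POP, UM or IIS), newest
# first. Two rows for SMTP is the situation described in the question above.
function Get-CertificatesForService {
    param([string]$Service)
    Get-ExchangeCertificate |
        Where-Object { $_.Services.ToString() -match ('\b' + $Service + '\b') } |
        Sort-Object NotBefore -Descending |
        Select-Object Thumbprint, NotBefore, NotAfter, CertificateDomains
}

# Usage: full report, then the SMTP candidates.
Get-ExchangeCertificateReport -Days 30 | Format-Table -AutoSize
Get-CertificatesForService -Service SMTP | Format-List

# The FQDNs transport advertises; the SMTP certificate presented on each
# connector must contain the matching name in its Domains column.
Get-ReceiveConnector | Select-Object Name, Fqdn
Get-SendConnector    | Select-Object Name, Fqdn
```

A certificate that shows ExpiresSoon as True while still bound to a service is the one to renew first; a certificate bound to no service (Services is None) and past expiry is safe to remove.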

Hi Martin, Thanks for the info, I was just confused because there were two certs associated with SMTP (S). But all went well... I submitted the cert to the CA, imported it and all went well, and had to do the same on the ISA. All the certificates have expired and all is up and running with the new ones! Thanks a lot for your help!
May 17th, 2010 2:23pm

No worries, I'm glad it all worked out ok!

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator | http://msundis.wordpress.com
May 17th, 2010 4:16pm
