I noticed this past Friday that one of my servers had warnings (12017, 12018) saying the internal transport certificate will expire on Saturday. I ran New-ExchangeCertificate and all seemed well. This morning any users that have Outlook 2007 are seeing certificate warnings when they open Outlook. They can click through it but obviously I need to fix it. I've seen alot on technet and the forums about certificate issues and alot of confusing. Which is why i'm posting this. The servers are not exposed to the internet so these certificates are for internal use only which is why none were purchased. With that said what needs to be done to clear these warnings on the client machines. Thanks <!-- <<< -->

You will need to go through the process of creating a new certificate and have it applied to your Exchange Services (Outlook anywhere, OWA, ActiveSync...) Elie B. MCITP: EMEA|EA|SA; MCTS: Microsoft Exchange Server 2010, Configuration; Blog: http://blog.elieb.info

Hi,Did you use the self-signed certificate?You just ran the cmdlet New-ExchangeCertificate, is there any perameter with it?If you want to renew the certificate, you should run Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate -Services SMTP,POP,IMAPOtherwise, you will create a new self-signed certificate. For self-signed certificate, you need to manually import the certificate to client.Please run the cmdlet "Get-ExchangeCertificate" and post the results here.Some information share with you: Certificate Use in Exchange Server 2007http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx Managing SSL for a Client Access Server<!----> http://technet.microsoft.com/en-us/library/bb310795(EXCHG.80).aspx<!---->Frank Wang

yes the only thing I did was run New-ExchangeCertificateI now know that it created a new one instead of renewing the existing (see below)Based on what you said should I run this?Get-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4 | New-ExchangeCertificate -Services IMAP, POP, IIS, SMTPIf that will clear up the Outlook client issue what should I do with the new certificate it created? Just leave it alone?[PS] C:\>Get-ExchangeCertificate Thumbprint Services Subject---------- -------- -------C810E9AD90DC0180C23CA56EFE32934AB0F6E9BD IP..S CN=servername4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4 IP.WS CN=servername [PS] C:\>Get-ExchangeCertificate | fl AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce ssControl.CryptoKeyAccessRule}CertificateDomains : {servername, servername.domain.com}HasPrivateKey : TrueIsSelfSigned : TrueIssuer : CN=servernameNotAfter : 1/9/2011 10:00:14 AMNotBefore : 1/9/2010 10:00:14 AMPublicKeySize : 2048RootCAType : NoneSerialNumber : F33A32106CC45FA8446D608B3E79F008Services : IMAP, POP, SMTPStatus : ValidSubject : CN=servernameThumbprint : C810E9AD90DC0180C23CA56EFE32934AB0F6E9BD AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce ssControl.CryptoKeyAccessRule}CertificateDomains : {servername, servername.domain.com}HasPrivateKey : TrueIsSelfSigned : TrueIssuer : CN=servernameNotAfter : 1/9/2010 10:20:40 PMNotBefore : 1/9/2009 10:20:40 PMPublicKeySize : 2048RootCAType : UnknownSerialNumber : 1CD4948FBC3032914DC4B04C86983DA8Services : IMAP, POP, IIS, SMTPStatus : InvalidSubject : CN=servernameThumbprint : 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4

Hi,You should have run the cmdlet before last SaturdayGet-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4 | New-ExchangeCertificate -Services IMAP, POP, IIS, SMTPThen Enable the certificateEnable-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4But now the certificate is expired.You have to use the new certificate, export it and import to client computer one by one.Dont' forget it next year. Frank Wang

I did run the new certificate command.I'm a little confused now though. Can't I just run the command I indicated and then enable it? With the information I posted what is my next step? Which certificate should I use? If I need to export a certificate and import on the clients how is that done. Also what about new clients after this is resolved. Will they be ok?

I ran theseGet-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4 | New-ExchangeCertificate -Services IMAP, POP, IIS, SMTPThen Enable the certificateEnable-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4After doing that the original certificate still shows as invalidAccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce ssControl.CryptoKeyAccessRule}CertificateDomains : {servername, servername.domain.com}HasPrivateKey : TrueIsSelfSigned : TrueIssuer : CN=servernameNotAfter : 1/9/2010 10:20:40 PMNotBefore : 1/9/2009 10:20:40 PMPublicKeySize : 2048RootCAType : UnknownSerialNumber : 1CD4948FBC3032914DC4B04C86983DA8Services : IMAP, POP, IIS, SMTPStatus : InvalidSubject : CN=servernameThumbprint : 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4

Hi,The self-signed certificate expires 12 months after Exchange 2007 is installed(the status is Invalid), the outlook 2007 clients see certificate warning. Then you must create a new certificate use cmdlet New-ExchangeCertificate to create another self-signed certificate.For domain-joined outlook 2007, you don't need to export the certificate and import it to client computer. For domain-disjoined outlook 2007, you need to export the certificate and import it to client computer.Hope I can explain it more clearly.More information:Understanding the Self-Signed Certificate in Exchange 2007http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx<!----> Frank Wang

The clients are part of the domain and I did run the New-ExchangeCertificate command and Exchange did create a new one. The issue is when the users open Outlook they are getting certificate warnings. When I look at the details of the warnings it still shows the old (now expired) certificate Thumbprint. How can I either renew the Thumbprint that expired or get the clients to look for the new one. Thats the part i'm having trouble with.Thanks for all of your help

Please run the cmdlet Enable-ExchangeCertificate -Thumbprint F33A32106CC45FA8446D608B3E79F008 -Services IIS and try again.Frank Wang

I will try that. The last time I ran the enable command I did not list any services.I only need to list IIS? What about the others?

Last time you use the Get-ExchangeCertificate | fl to list the Services : IMAP, POP, SMTPIf you run the cmdlet this time , IIS will be added .Frank Wang

I'm all set now.I ran the new certificate command again and then enabled the new certificate for all of the services listed in the old certificate.I then removed the certificates that were not in use.My outlook clients are no longer getting certificate warnings.Thanks for all of your help