Renewing certificate on a Exchange 2007 CAS Server
Does anyone know the correct step to renew a certificate on an Exchange 2007 CAS? I think I know how to request it but my notes are a little foggy on getting the thumbprint (I forget the powershell command). Also should one remove all old certificate within the Exchange powershell, I think we did that also at last year renewal process.
July 25th, 2009 2:56am

See here: http://mike-crowley.spaces.live.com/blog/cns!C23CB95E1200929!178.entry

Once you generate the Certificate Signing Request (CSR) you can then submit it to your previously used Certificate Authority (CA). The CA will have a button on your site somewhere to renew the cert (they know it's going to expire). Once you find yourself in that process on the CA site, they will ask for the CSR, which is where you would paste in the output of the New-ExchangeCertificate command. Here is an example:

New-ExchangeCertificate -GenerateRequest -Path c:\csr\CxchsrvRenewal.csr -KeySize 2048 -SubjectName "c=US, s=Maryland, l=Germantown, o=My Company, ou=Information Technology, cn=exchsrv" -DomainName autodiscover.externaldomain.com, webmail.externaldomain.com, exchsrv -PrivateKeyExportable $True

After the CA is done taking your money and processing the renewal they will give you a certificate to use. Save this certificate to your Exchange server and install it using the Import-ExchangeCertificate and then Enable-ExchangeCertificate command. (Again, see the above link)

Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
July 25th, 2009 3:03am

hi,
an addition to mike, here is step by step information about it;

Step 1: Obtain an SSL certificate
There are three ways to obtain a Secure Sockets Layer (SSL) certificate:
- Option 1: Use the self-signed SSL certificate that Exchange 2007 installs by default. Use of the self-signed certificate is not supported by Outlook Anywhere or the offline address book.
- Option 2: Purchase an SSL certificate from a well-known certification authority (CA).
- Option 3: Obtain an SSL certificate from a Windows PKI certification authority.
If you choose Option 1, skip steps 2 and 3 and go straight to step 4. If you choose Option 2 or Option 3, go straight to step 2.
Note: For all three options, Exchange ActiveSync will require the device to have a copy of the SSL certificate installed in the Trusted Root Certificate Store.

Step 2: Generate and submit the certificate request
Create a new certificate request for Secure Sockets Layer (SSL) services.
1. Open the Exchange Management Shell.
2. Run the following command, replacing domainname and friendlyname with your domain name and display name:
New-ExchangeCertificate -GenerateRequest -domainname mail.contoso.msft,autodiscover.contoso.msft,myserver,myserver.internal.contoso.msft -FriendlyName mail.contoso.msft -privatekeyexportable:$true -path c:\cert_myserver.txt
Note: "DomainName" is used to populate one or more domain names (FQDNs) or server names in the resulting certificate request.
Note: "FriendlyName" is used to specify a display name for the resulting certificate. The display name must be fewer than 64 characters.
3. Submit the request to the certification authority and have the CA generate the certificate.

Step 3: Enable the certificate on the Default Web site
After your certificate has been generated, you must import it and then enable the certificate on the Default Web site.
From the computer where step 2 was run, import the certificate. To import the certificate, do the following:
1. Open the Exchange Management Shell.
2. Run the following command:
Import-ExchangeCertificate -path c:\newcert.cer
Note: "c:\newcert.cer" is the location and name of your certificate.
Copy the thumbprint of the certificate, which is the digest of the certificate data, to the clipboard by doing the following:
1. Open the Exchange Management Shell.
2. Run the following command:
dir cert:\LocalMachine\My | fl
3. Locate the certificate that you just imported by finding the one that matches FriendlyName from step 2. Then copy the Thumbprint property of that certificate to the Windows Clipboard.
Enable the certificate on the Default Web site by doing the following:
1. Open the Exchange Management Shell.
2. Run the following command:
enable-ExchangeCertificate -thumbprint <value copied to the Clipboard> -services "IIS,IMAP,POP"
3. Using the "enable-ExchangeCertificate" cmdlet will update the certificate mapping, replacing the self-signed certificate that is installed by default with Exchange 2007 and configured in IIS, IMAP4, POP3.

Step 4: Require the Client Access server virtual directories to use SSL
By default, the Default Web site in IIS is configured to require SSL for all virtual directories except the offline address book virtual directory. However, you can configure additional virtual directories for each Client Access feature. You must confirm that each virtual directory is configured to require SSL.
The Client Access virtual directories are as follows:
- Outlook Web Access 2007 virtual directory: owa
- Outlook Web Access 2003 and WebDAV virtual directories: exchange and public
- Exchange ActiveSync virtual directory: Microsoft-Server-ActiveSync
- Outlook Anywhere virtual directory: Rpc
- Autodiscover virtual directory: Autodiscover
- Exchange Web Services virtual directory: EWS
- Unified Messaging virtual directory: Unified Messaging
- Offline Address Book virtual directory: OAB
For each of the Client Access virtual directories that you will use, open Internet Information Services (IIS) Manager, and follow these steps:
1. Under Default Web site, select the virtual directory that you want, for example, "owa".
2. Right-click the virtual directory, and then click "Properties".
3. Click the "Directory Security" tab.
4. In the "Secure Communications" section, click "Edit".
5. In the "Secure Communications" dialog box, make sure that both the "Require secure channel (SSL)" check box and the "Require 128-bit encryption" check box are selected.
6. Click "OK" to save your changes.
7. Restart the POP3 and IMAP4 services by opening the Services Windows administrative tool, selecting "Microsoft Exchange POP3" or "Microsoft Exchange IMAP4", right-clicking the name of the service, and then clicking "Restart". IIS does not have to be restarted.
Read more about SSL on the Client Access server - Managing Client Access Security.
regards,
Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
July 25th, 2009 11:17am
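The import, thumbprint lookup and enable steps from the two answers above, collected into one Exchange Management Shell script. This is an added example written for this page, not code posted by Mike, Mumin, or Microsoft. It assumes the Exchange 2007 cmdlets (Import-ExchangeCertificate, Get-ExchangeCertificate, Enable-ExchangeCertificate) and the property names Thumbprint, CertificateDomains, NotAfter, Services and IsSelfSigned on their output; the file path, host name and 30-day threshold are placeholders. It locates the thumbprint by matching the host name the certificate must cover instead of reading it off a `dir cert:` listing, checks that the private key is actually present (a certificate imported without its key will bind but cannot serve TLS), and only lists the older certificates rather than deleting them, since the original poster's question about removing old certificates is best answered by first confirming nothing is still bound to them.

```powershell
# Added example: renew-and-bind workflow for an Exchange 2007 Client Access server.
# Run inside the Exchange Management Shell. Values below are placeholders.
$NewCertPath      = 'C:\csr\newcert.cer'            # placeholder: file returned by the CA
$ExpectedHostName = 'webmail.externaldomain.com'    # placeholder: a name the new cert must cover
$MinDaysRemaining = 30                              # assumed threshold for "expires too soon"
$ServicesToBind   = 'IIS,IMAP,POP'                  # same services as the answers above

# 1. Import the CA-issued certificate into the local machine store.
Import-ExchangeCertificate -Path $NewCertPath | Out-Null

# 2. Find the newly imported certificate by the host name it covers, preferring the
#    latest expiry, and excluding the self-signed certificate Exchange installs by default.
$candidate = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $ExpectedHostName -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $candidate) {
    throw "No CA-issued certificate covering $ExpectedHostName was found in the store."
}

# 3. Sanity checks before binding: validity window and presence of the private key.
if ($candidate.NotAfter -lt (Get-Date).AddDays($MinDaysRemaining)) {
    throw "Certificate $($candidate.Thumbprint) expires $($candidate.NotAfter); refusing to bind it."
}
$x509 = Get-Item "cert:\LocalMachine\My\$($candidate.Thumbprint)"
if (-not $x509.HasPrivateKey) {
    throw "Certificate $($candidate.Thumbprint) has no private key in this store; it cannot serve TLS."
}

# 4. Bind the certificate to the Client Access services. This is the step that replaces
#    the self-signed certificate's mapping for IIS, IMAP4 and POP3.
Enable-ExchangeCertificate -Thumbprint $candidate.Thumbprint -Services $ServicesToBind
Write-Host "Bound $($candidate.Thumbprint) ($($candidate.Subject)) to $ServicesToBind."

# 5. Show what is left: older certificates and whether any service still references them.
#    Remove-ExchangeCertificate -Thumbprint <old> is only appropriate once Services is empty
#    for that entry; nothing is deleted automatically here.
Write-Host "Other certificates in the store (review before removing any):"
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -ne $candidate.Thumbprint } |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned |
    Format-Table -AutoSize
```

After running it, re-test Outlook Web Access, ActiveSync and Autodiscover against the external names; a certificate that binds cleanly but is missing one of the -DomainName entries from the CSR will still produce name-mismatch warnings on clients.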

Hi
Did you follow the procedure mentioned in the below URL?
http://blog.flaphead.dns2go.com/archive/2009/01/17/exchange-2007-self-signed-certificate.aspx
If you need to create a new SSL, use this URL to create a new CSR file
https://www.digicert.com/easy-csr/exchange2007.htm
and then generate an SSL using your CA server... Then reimport to your IIS.... Then enable Exchange services to the certificate.... Already addressed by me in the forum....
http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/310732bc-7668-487e-b216-05042ad6f278
Cheers
Abu
July 25th, 2009 1:18pm

Thanks to everyone for the information, this was what I was looking for.
July 25th, 2009 4:09pm
