SelfSigned Certificate on Exchange 2007 server with a RootCAType of Group Policy
I ran the get-exchangecertificate | fl command on my Exchange 2007 server and noticed the SelfSigned certificate (which is set to expire soon) has a RootCAType of Group Policy. All my other Exchange servers have self-signed certs that have RootCAType set to none. Question 1: If I generate a new cert, will the RootCAType revert back to none? Question 2: How can I find the self-signed cert in Group Policy? Question 3: Is it possible to generate a self-signed cert with a RootCAType of Group Policy? Thank you
August 3rd, 2011 10:33am

Hi,

Here's one link for understanding the self-signed certificates: http://technet.microsoft.com/en-us/library/bb851554%28EXCHG.80%29.aspx

For renewing the self-signed certificate you can use the cmd:

Get-ExchangeCertificate -thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | New-ExchangeCertificate

http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html

Anyway, it's recommended to use either a Windows CA PKI or a 3rd party certificate for best user experience and security.

Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
August 4th, 2011 10:05am

Jonas, thanks for your reply. At this time we are only concerned with self-signed certificates. I have a couple of questions. 1) I know the TechNet article states that SelfSigned certs by default have a RootCAType of "None". How would a SelfSigned cert then show a RootCAType of "Group Policy"? 2) Would I see the same functionality if I have a self-signed cert with a RootCAType of "None" or "Group Policy"? 3) Please refer to my questions from the original post. Thank you
August 4th, 2011 1:22pm

Hello,

"RootCAType: GroupPolicy" - An internal, private PKI root CA that has been deployed with Group Policy.

Therefore, for your questions:

1. No, the newly created certificate will not be "GroupPolicy".

2 & 3: You can refer to the following link to do the group policy: http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates-part2.html

Thanks, Simon
August 5th, 2011 2:19am

Simon, I have some follow-up questions: 1) How can I view the current certificate in Group Policy? 2) Does it matter what the RootCAType of the certificate is in order for it to function? Thanks
August 10th, 2011 9:58am

Hello,

1. According to the article, you can check the GP via Group Policy Management console (GPedit.msc).

2. No, it does not matter.

Thanks, Simon
August 10th, 2011 9:37pm
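
An added example, not part of any reply in this thread: a check run in the Exchange Management Shell that lists each certificate's RootCAType and expiry and tests whether its thumbprint appears among the trusted roots delivered to this machine by Group Policy. It assumes a self-signed certificate reports GroupPolicy when its own thumbprint is in that policy store; the variable and column names are illustrative.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange server.
# Registry location where Windows keeps trusted root certificates
# that were delivered to this machine by Group Policy.
$gpRootPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'

# Each GP-distributed root is a subkey named after the certificate thumbprint.
$gpThumbprints = @()
if (Test-Path $gpRootPath) {
    $gpThumbprints = @(Get-ChildItem $gpRootPath |
        ForEach-Object { $_.PSChildName.ToUpper() })
}

# List every Exchange certificate with the fields discussed in the thread,
# plus two computed columns (names are illustrative):
#   InGroupPolicyRootStore - thumbprint found under the policy root store
#   DaysUntilExpiry        - days left before NotAfter
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, IsSelfSigned, RootCAType, Services, NotAfter,
        @{Name = 'InGroupPolicyRootStore'
          Expression = { $gpThumbprints -contains $_.Thumbprint.ToUpper() }},
        @{Name = 'DaysUntilExpiry'
          Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays }} |
    Format-List
```

A self-signed certificate that shows InGroupPolicyRootStore as True was pushed into the machine's trusted roots by a GPO, and a renewed certificate gets a new thumbprint that will not match that entry.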

This topic is archived. No further replies will be accepted.
