The self-signed certificate meets an important need: securing communication for Exchange services by default. Nevertheless, treat these self-signed certificates as temporary; they are not recommended for client communication on an ongoing basis. For most deployments you will end up procuring a certificate from a trusted third-party CA (or from an internal CA in organizations with a PKI deployed).
However, should you decide to leave the self-signed certificate(s) on some servers and continue to use them, they need to be renewed, just as you would renew certificates from third-party or in-house CAs.
To renew the certificate for server e12postcard.e12labs.com, a server with CAS and HT roles installed:
Get-ExchangeCertificate -domain "e12postcard.e12labs.com" | fl
Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.
Get a new certificate with a new expiration date:
Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate
If the existing certificate is being used for SMTP, you will get the following prompt:
Confirm
Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):
Thumbprint Services Subject
---------- -------- -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E ..... CN=E12Postcard
Check the properties of the new certificate:
Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl
The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP - IIS is missing. To enable the certificate for IIS:
Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS
This enables the certificate for IIS in addition to any services it is already enabled for: Enable-ExchangeCertificate adds to the existing value of the Services property rather than replacing it.
Test that services are working with the new certificate. If everything works as expected, the old certificate can be removed:
Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
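The whole procedure above, scripted so that the old certificate's Services value is carried across to the new one and the old certificate is only removed after the listeners have been seen to present the new thumbprint. This is an added example written for this page, not code from the original post. It reuses the server name and old thumbprint from the post; the port-to-service mapping (443 for IIS, 993 for IMAP, 995 for POP), the use of -Confirm:$false to suppress the overwrite prompt, and a PowerShell 2.0 or later Exchange Management Shell (needed for the script-block certificate-validation callback) are assumptions.

```powershell
# Added example (not from the original post): renew a self-signed Exchange 2007
# certificate, re-bind the same services, verify over TLS, then remove the old one.
# Server name and old thumbprint come from the post; the ports checked are an
# assumption (443 = IIS/OWA, 993 = IMAPS, 995 = POP3S).
param(
    [string]$Server        = 'e12postcard.e12labs.com',
    [string]$OldThumbprint = 'C5DD5B60949267AD624618D8492C4C5281FDD10F'
)

# Returns the SHA-1 thumbprint presented by a TLS listener, or $null on failure.
function Get-TlsThumbprint {
    param([string]$HostName, [int]$Port)
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept any chain: we only want to see WHICH certificate is served,
        # and a self-signed one would otherwise fail validation.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $remote.Thumbprint
    } catch {
        Write-Warning "TLS check failed for ${HostName}:${Port} - $_"
        $null
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
}

# Step 1: read the old certificate and remember every service it is bound to.
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old) { throw "Certificate $OldThumbprint not found on this server" }
$services = $old.Services   # e.g. IMAP, POP, IIS, SMTP
Write-Host "Old cert $($old.Thumbprint) expires $($old.NotAfter); services: $services"

# Step 2: clone it with a fresh validity period. As the post notes, the clone
# keeps the SMTP binding (hence the overwrite prompt) but not IIS.
$new = $old | New-ExchangeCertificate -Confirm:$false

# Step 3: re-enable the full old service set. Enable-ExchangeCertificate is
# additive, so passing services the clone already has is harmless.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services -Confirm:$false

# Step 4: verify what the listeners actually serve before touching the old cert.
$checks  = @{ 443 = 'IIS'; 993 = 'IMAP'; 995 = 'POP' }
$allGood = $true
foreach ($port in $checks.Keys) {
    if ("$services" -notmatch $checks[$port]) { continue }   # service not bound; skip
    $served = Get-TlsThumbprint -HostName $Server -Port $port
    $ok = ($served -eq $new.Thumbprint)
    Write-Host ("{0,-5} {1,-4} served={2} expected={3} {4}" -f $port, $checks[$port], $served,
        $new.Thumbprint, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
    if (-not $ok) { $allGood = $false }
}

# Step 5: remove the old certificate only once every bound service presents the new one.
if ($allGood) {
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false
    Write-Host "Removed old certificate $OldThumbprint"
} else {
    Write-Warning "Old certificate kept: fix the mismatched services first, then re-run."
}
```

The TLS check answers the question that comes up repeatedly below ("how do I know Exchange is using the new certificate?"): rather than trusting the Services column, connect to each port and compare the thumbprint that is actually presented. SMTP is not checked here because it needs a STARTTLS exchange on port 25 rather than a direct TLS handshake.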
Related posts:- Outlook Anywhere and Exchange's Self-Signed Certificate
- Which name should I use as Common Name for my UC certificate?
- DigiCert: A Certificate Authority with excellent customer service
Labels: Administration, Exchange Server 2007, Exchange Shell, OWA, Security, SMTP



23 Comments:
Hi,
Thanks for the great outline!
Is this the same on an edge server or do you have to resubscribe for that?
Do you know if you can renew a CA cert through IIS or do you have to use the new-exchangecertificate cmd?
Thanks again!!
Thank you for the article. While playing with self-signed certificates I ran into the following problem. It happens for all new certificates. Any idea why it happens and how it can be resolved?
- - - - - - - - - - - - - - - - - -
>>> New-ExchangeCertificate -GenerateRequest -domainname mydomain.com -privatekeyexportable:$true -path c:\cert_myserver.txt
Thumbprint Services Subject
---------- -------- -------
433157A3B9C8C874591A5B35CF91719ADC61B427 ..... CN=mydomain.com
>>> Enable-ExchangeCertificate -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services "IIS"
Enable-ExchangeCertificate : The certificate with thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 was not found.
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services "IIS"
Do you see the certificate when you use the Get-ExchangeCertificate command?
Sorry Bharat, just got back from vacation.
Yes, strange thing is - I see it using the Get-ExchangeCertificate command, but it doesn't let me enable it!
Any idea what might be wrong?..
I have a question concerning renewing the certificate from an outside authority. Let's say this certificate was from Entrust and you wanted to renew it. Would the correct command be Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate -GenerateRequest -privatekeyexportable $true -Path c:\certificates\cerreq.req to renew?
Hello...I was just wondering if my last comment was correct as I have to renew my certificate soon. Thanks for the help!
Hello,
I followed the above instructions and I'm not sure this worked correctly. After running Enable-ExchangeCertificate -thumbprint "..." -Services IIS
If I run Get-ExchangeCertificate, it shows my new certificate as being enabled ONLY for IIS... I've tried running Enable-ExchangeCertificate -services SMTP (POP, IMAP) with no luck. Email still works, but I'm not sure how to check if Exchange is still using my old certificate.
Please let me know how to check if I am using the new certificate, as well as how to revert so I can try your instructions again.
Thanks!
Hi,
Thank you, this is a superb article. I have a problem: our Exchange server does not have a domain name and it works on an IP address. E.g. we access Outlook using http://123.456.789.123/owa and Outlook Anywhere uses this IP. Can you please advise me on how to create the certificate for the local domain, i.e. exchange.domain.local, and the IP address?
Thanks & Regards,
Sudhish
Hi -
I have imported our new certificate and would like to enable it for "SMTP, IMAP, IIS, POP".
When I go to enable I get a big WARNING that I will not be able to use my TLS connectors??
[PS] C:\Documents and Settings\oscar.meyer>
Enable-ExchangeCertificate -ThumbPrint [XXXXX-THUMBPRINT-XXXXXX] -Services "SMTP, IMAP, POP, IIS"
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with
thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence. The
following connectors match that FQDN: Default MAIL1, Client
MAIL1.
Confirm
Overwrite existing default SMTP certificate,
'AAA-THUMBPRINT-AAAAAAA' (expires 1/01/2XXX 2:23:15 PM),
with certificate 'XXXXX-THUMBPRINT-XXXXXX' (expires 2/XX/2XXX
12:34:13 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):
I did not complete the command - the whole purpose of the CERT is for our TLS connectors to external clients - Do I just have to re-create my connectors once I have enabled the CERT?
Please advise.
Thanks.
-Johnny
Great Article Thank you so much
Luke
Thank you. Worked a treat. Had been scratching my head over this one!
http://paulhale.com
http://twitter.com/paulhale
I have followed steps 1 and 2 and renewed the certificate. But I forgot step 3, to remove the expired certificate. Now the issue remains the same: our Outlook clients are still receiving the same security certificate message. Is it because I did not delete the expired certificate?
Thanks.
Thanks a lot guys. Tried the solution posted above and it worked fine for our Exchange 2007 server.
Thanks heaps this worked and now I don't get those event logs anymore relating to invalid Certificates
Hi Bharat,
Maybe you could help me. I have my certificate configured as you described here. My users are having this error: offline address book data cannot be found, the URL cannot be found, 0x8004010f.
Using out of office assistant they get the error server is not available
thanks
Bharat,
Thanks for the post. I renewed my cert a month ago, forgot to add IIS. Rebooted this weekend and no webmail. Your post got me back up fast.
Thank you,
Mark
You saved my life - champion.
Excuse me for being such a novice, but what program are you using to do this? Tiny Get? It appears that a couple of pieces of this are missing; will anybody please let me know how to accomplish this?
Thank you
These commands are all run from the Exchange Management Shell, aka, Powertoys with the Exchange Extensions....
Can anyone guide me on how to reinstall the default Exchange certificate after the third-party certificate expires, because I don't want to purchase more?
Hi,
Can anyone guide me on how to install the default Exchange certificate after expiry of the third-party certificate, because I don't want to purchase more?
thanks,
John..
Is your problem solved? I am facing the same problem too. Please let me know what you did to solve it...
Thanks for this article. Worked a treat!