Exchange Certificate Expired (Exchange 2007)


    Remoted into work today and saw that Outlook 2010 was complaining about the Exchange Certificate expiring. Sounded familiar, so I dug into the sparse notes left by my predecessor:

    Exchange Server:
    Once a quarter, log into and do the following:
    Open Exchange Management Shell
    Run New-ExchangeCertificate
    Wait a minute
    Run Get-ExchangeCertificate to view status
    Import new certificate in IIS.

    Yeah, LOVE the detail. Since I’m no Exchange expert, I decided to do some research:

    According to the MS article:

    The first example shows running the cmdlet without arguments. When you run the New-ExchangeCertificate cmdlet without arguments, a self-signed certificate for SMTP SSL/TLS is generated. The certificate has the local computer FQDN as the Subject Name. This internal transport certificate can be used, as is, for direct trust authentication and encryption between Edge Transport servers and Hub Transport servers. The Network Services local security group is also given read access to the private key associated with the certificate. In addition, the certificate is published to Active Directory so that Exchange Server direct trust can be used to validate the authenticity of the server for mutual TLS.

    Sidenote: AFAIK this is only affecting OWA and Outlook by forcing the user to accept the cert. My Android mail and BB are working just fine.

    1. Before I do anything, I want to back up the current certificate. As you can see by the pic I’ve attached, there are 6 certificates on the server currently. The subject line is simply the server name (not FQDN). No idea why there are 6 certs, or if they’re all needed, or if I need to recreate them all (or if that’s all automatic upon running the New command).

    Is this the correct way to back them up?
    Export-ExchangeCertificate -Thumbprint -Path c:\certificates\export1.pfx

    2. How do I find out which certificate is the correct one (or if they’re all being used)? I checked OWA and it’s using the top most cert (the one using all of the services). AFAIK you can only use one cert at a time and therefore that’s the one, but I’m not 100% sure on that.

    3. Should I follow the aforementioned instructions from my predecessor, or do I need to do something more, e.g.

    Get-ExchangeCertificate -Thumbprint | New-ExchangeCertificate -Services "IMAP, POP, UM, IIS, SMTP"
    Get-ExchangeCertificate (to find out the new thumbprint)
    Enable-ExchangeCertificate -Thumbprint

    4. Is it necessary to import the certificate into IIS, or is that what Enable-ExchangeCertificate does?

    Comments / thoughts?
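As an added example (not part of the original post), the following Exchange Management Shell script walks the four steps the post asks about in order: inventory the certificates with their bindings and expiry, identify the one bound to IIS (the one OWA and Outlook present), back each one up to a password-protected PFX, and only then clone and enable a replacement. It uses Exchange 2007 cmdlet syntax (Export-ExchangeCertificate with -Path, and the Get-ExchangeCertificate | New-ExchangeCertificate renewal pipeline); the backup folder, the 30-day warning threshold and the $RenewNow switch are placeholders chosen for the example.

```powershell
# Added example, not the original poster's script. Assumes Exchange 2007 EMS.
$BackupDir = 'C:\certificates'   # assumed backup folder (placeholder)
$WarnDays  = 30                  # flag certificates expiring within 30 days (placeholder)
$RenewNow  = $false              # set to $true only after reviewing the inventory below

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# 1. Inventory. Get-ExchangeCertificate returns X509Certificate2 objects, so NotAfter
#    is available, and Exchange adds the Services and IsSelfSigned properties.
$inventory = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter,
    @{Name='Services'; Expression={ $_.Services.ToString() }},
    @{Name='DaysLeft'; Expression={ [int]($_.NotAfter - (Get-Date)).TotalDays }},
    @{Name='State';    Expression={
        $d = [int]($_.NotAfter - (Get-Date)).TotalDays
        if ($d -lt 0) { 'EXPIRED' } elseif ($d -le $WarnDays) { 'EXPIRING' } else { 'OK' } }}
$inventory | Sort-Object NotAfter | Format-Table Thumbprint, State, DaysLeft, Services, Subject -AutoSize

# 2. The certificate that OWA and Outlook see is the one whose Services include IIS;
#    certificates with Services = None are installed but not bound to anything.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' } |
    Select-Object -First 1
if ($iisCert) { "IIS-bound certificate: {0} (expires {1})" -f $iisCert.Thumbprint, $iisCert.NotAfter }

# 3. Back up every certificate as a password-protected PFX. The PFX carries the private
#    key, so never write it unprotected. Export fails for a certificate whose key was
#    generated non-exportable; the error is shown and the loop continues.
$pfxPassword = Read-Host -AsSecureString 'PFX password for certificate backups'
foreach ($c in Get-ExchangeCertificate) {
    $file = Join-Path $BackupDir ("{0}.pfx" -f $c.Thumbprint)
    Export-ExchangeCertificate -Thumbprint $c.Thumbprint -Path $file `
        -BinaryEncoded:$true -Password $pfxPassword
}

# 4. Renewal: clone the IIS-bound certificate (same subject and domain names) as a new
#    self-signed certificate with the same services, then enable it so the bindings
#    move to the new thumbprint. Gated so the inventory and backup run first.
if ($RenewNow -and $iisCert) {
    $services = $iisCert.Services.ToString()
    $newCert  = Get-ExchangeCertificate -Thumbprint $iisCert.Thumbprint |
        New-ExchangeCertificate -Services $services -PrivateKeyExportable $true
    Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services $services
    Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint | Format-List Thumbprint, Services, NotAfter
}
```

Two points the script relies on: the inventory step is the check for "which certificate is in use", because a certificate's Services column records what it is bound to, and Enable-ExchangeCertificate with IIS in -Services is what binds the certificate to the Exchange web site, so no separate import in IIS Manager is needed for that binding. Keep the PFX backups and their password in a protected location; each one is a copy of the server's private key.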
