saxcoach
Exchange 2007 Server SSL Certificate Renewal

I recently tried to renew a GoDaddy SSL cert to replace the same exact one installed two years ago. This process has been a complete circus--all instructions found on the net and on the GoDaddy site give many different ways--but incomplete--of how to successfully complete this. Needless to say, the initial install failed using the Command shell with error "Private Key missing". After contacting GoDaddy, I was instructed to "rekey" the SSL cert as a new one instead of a renewal by creating a new CSR. I installed that one in IIS, and it appeared to install correctly. Outlook reports seeing the new cert, as well as Outlook Web Access. Even doing an SSL certificate check using www.digicert.com/help returns a successful install of a new cert. All mobile devices, Outlook clients and web clients appear to work normally.
HOWEVER, the Exchange server reports in the Event Viewer that the SSL certificate is expired, and Thunderbird also reports it that way from off site. There must be a way to convince the Exchange server that the new cert is not expired, as well as Thunderbird. Any ideas?
BrianKronberg

First, do not use IIS to configure Exchange certificates.

Second, delete all of your certificates (back them up first just in case) and then create a new request. I recommend using DigiCert's CSR wizard to help you with the PowerShell command.

Third, enable the certificate for use by Exchange 2007 with the PowerShell cmdlet.

Finally, install the certificate that you get from GoDaddy and then confirm installation of intermediary certificates. In the last few years all the cert vendors have started using intermediary certificates that are sometimes not automatically trusted by your servers and workstations.

If you haven't removed the old certificate then you will get these errors. You simply need to remove the old certificate. If everything else works there is no need to remove certificates etc. The old one is still there. It could also be the original self-signed certificate that is causing the problem.

Run get-exchangecertificate to see what certificates are installed and enabled.

Simon.
saxcoach (ASKER)

Thanks--I do see multiple certs installed. The newest one doesn't show SMTP enabled, which may be why Thunderbird fails on send. I need to read up on removing certs with PowerShell... and then use the CSR request from DigiCert to rekey the SSL cert for all services and SANs. Sound correct?

Run get-exchangecertificate to list all of the certs
find the thumbnail for the one you want to remove
run remove-exchangecertificate -thumbnail "xxxxxxxxxxxxxxxxxxxxxxxxx"

Then, choose the thumbnail you want to use for SMTP and then run
enable-exchangecertificate -thumbnail "xxxxxxxxxxxxxxxxxxxxxx" -services smtp

Look here for some more info.
http://technet.microsoft.com/en-us/library/aa998840(EXCHG.80).aspx
Doh, I said thumbnail twice when I meant thumbprint. Yeah, I am tired.

Disregard the enable-exchangecertificate line. I gave a partial answer to another question in here. I guess I am trying to answer too fast.

The removal can still be done with this

Run get-exchangecertificate to list all of the certs
find the thumbprint for the one you want to remove
run remove-exchangecertificate -thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxx"
Thanks for the help. I get an error message trying to remove the expired certificate: "The Internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the Internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate."

I will post a screen shot momentarily.

That is because it is assigned to the SMTP service. You need to create a new internal certificate and assign it to SMTP so your transport service can use it. An internal/self-signed certificate is fine for SMTP as long as you are not doing TLS SMTP with another Exchange organization.

Can I enable the SMTP service for the new certificate that is installed? Will that allow me to remove the old cert?
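The sequence the thread converges on, as an added example in Exchange Management Shell syntax (not code from any post above): inventory the certificates, enable the new one for SMTP so it takes over as the internal transport certificate, and only then remove the expired one. The two thumbprint values are placeholders to replace with output from Get-ExchangeCertificate; the service list is an assumption to adjust for the roles the server actually runs.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Exchange 2007 server (the cmdlets are not available in plain PowerShell).

# 1. Inventory: every certificate Exchange knows about, with expiry and assigned
#    services. An expired cert still holding "SMTP" is the one the transport
#    service (and remote clients such as Thunderbird) is presenting.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, NotAfter, Services, Subject -AutoSize

# 2. Placeholders: copy the thumbprints from the listing above.
$newThumbprint = "<THUMBPRINT-OF-NEW-GODADDY-CERT>"
$oldThumbprint = "<THUMBPRINT-OF-EXPIRED-CERT>"

# 3. Sanity-check the replacement before touching the old one.
$new = Get-ExchangeCertificate -Thumbprint $newThumbprint
if ($new.NotAfter -lt (Get-Date)) {
    throw "Certificate $newThumbprint is already expired; do not enable it."
}

# 4. Give the new certificate the SMTP role (plus IIS/POP/IMAP here; assumed
#    service list). Once it holds SMTP it becomes the internal transport
#    certificate, which is what unblocks removal of the old one.
if ($new.Services -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services "IIS,SMTP,POP,IMAP"
}

# 5. Now the expired certificate is no longer the transport certificate and
#    Remove-ExchangeCertificate should succeed without the
#    "Internal transport certificate cannot be removed" error.
Remove-ExchangeCertificate -Thumbprint $oldThumbprint

# 6. Verify nothing expired is left enabled for any service.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date) -and $_.Services -ne 'None' } |
    Format-Table Thumbprint, NotAfter, Services -AutoSize
```

Restart the Microsoft Exchange Transport service afterwards if the transport log still shows the old thumbprint, then re-test a TLS SMTP connection from an external client.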
ASKER CERTIFIED SOLUTION
BrianKronberg

Stuck with it till it was answered. Thanks!
Tony J
You could try changing the FQDN on the receive connector.

Change it to null so it is blank. Then restart transport services and attempt to remove the certificate again.