CMES-IT asked:
Correct methods and steps for renewing certificates for Exchange 2007

Hi,

I have two Exchange 2007 servers that are coming up on their 1-year anniversary.  Both are now logging events that their certificates will expire soon.  I have read a great deal of the documentation, but I am still unclear on the correct steps for renewing the certs.  Here are the details:

1)  Edge server that has a self-signed cert for SMTP-TLS communication.  Some say renewing is as easy as
"get-exchangecertificate -thumbprint [oldcertsthumbprint] | new-exchangecertificate -services smtp"
followed by
"enable-exchangecertificate -thumbprint [newcertsthumbprint]"
with no other steps needed.
Others say I need to re-subscribe the Edge to the organization and restart the EdgeSync service after I have done the steps above.
What is correct?

2) Hub/CAS server that has a trusted third-party CA cert that was installed in IIS before Exchange was installed, and a self-signed cert that was created by the install.  Both are up for renewal.  After I installed Exchange I had to enable SMTP on the CA cert and everything worked fine.  Most documentation says I need to generate a new CA cert request using new-exchangecertificate with the -generaterequest switch.  But I don't want a new CA one.  I want to renew the CA one I have.  I saw in the msexchangeteam blog that I can renew using the IIS manager, but other places say don't use the MMC for Exchange certs or they won't work.  Is that just a warning because you would have to enable the services for the cert?  Can I renew in IIS and then enable the SMTP, IMAP and POP services on the cert using the cmdlets?  Also, if I do not renew the self-signed one, will internal Hub to Edge communication still work?

Thanks,

ASKER CERTIFIED SOLUTION
ATIG
This solution is only available to members.
CMES-IT (ASKER)
Thanks for the comment!

What about the CA cert on the cas/hub server?  The one that supports SMTP, IIS, POP3 and IMAP.  Do I just generate a new request or can I renew the one I have through IIS?

No, cert expiration on the Hub should not affect mail flow within the org (e.g. Hub to Hub).  It could affect things for Domain Secure and third-party mail flow, however.  As a best practice, you should update the certificate when it nears expiration.

1. You should not use self-signed certs for OWA etc.  However, users most likely would just get an error if they expire, but as stated above you should keep them updated.

CMES-IT (ASKER)

Follow-up...

The renewal on the edge server required a resubscribe and a restart of ADAM just as ATIG suggested.  Resubscribes overwrite the existing one so it was pretty painless.

I did not risk trying to use IIS to renew the third-party cert on the Hub server.  After I was comfortable with the PowerShell syntax
(with help from this online generator https://www.digicert.com/easy-csr/exchange2007.htm)
I added a couple of switches like -FriendlyName and it was pretty painless too.

I did have a short period of ~15 minutes that mail stopped flowing from the edge to the hub and back after I enabled the new third-party cert on the hub.  The edge complained of not being able to verify the cert in the event logs.  I decided to resubscribe the edge again.  However, it started working again after I exported the xml on the edge but before I imported it on the hub.  It may have worked itself out during the normal refresh period and not needed a resubscribe if I had been more patient.  I followed through on the resubscribe anyway and all is flowing again.  

Some URLs that helped me out:
New-ExchangeCertificate:  http://technet.microsoft.com/en-us/library/bb691010(EXCHG.80).aspx
EHLO blogs:  http://msexchangeteam.com/archive/2007/04/30/438249.aspx
EHLO blogs:  http://msexchangeteam.com/archive/2007/02/19/435472.aspx
PS Exchange cert request generator:  https://www.digicert.com/easy-csr/exchange2007.htm
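The two renewals discussed in this thread (the Edge server's self-signed SMTP certificate from the question, and the Hub/CAS third-party certificate plus Edge resubscribe from the follow-up) as one Exchange 2007 Management Shell walkthrough. This is an added example, not code from the original posts or from Microsoft's documentation. It adds a check that the new certificate is actually bound to SMTP before the old one is retired. Thumbprints, host names, the organization in the subject, file paths and the AD site name are constructed placeholders; ADAM_MSExchange as the name of the Edge ADAM service is an assumption.

```powershell
# Added example, not code from the original thread. Runs in the Exchange 2007
# Management Shell. All thumbprints, names, paths and the site name below are
# constructed placeholders; ADAM_MSExchange is an assumed service name.

# ---------------------------------------------------------------------------
# Part A - Edge Transport server: renew the self-signed SMTP certificate
# ---------------------------------------------------------------------------
$OldEdgeThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder

# Record what is expiring. NotAfter is the expiry date; Services the bindings.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, NotAfter, Services, IsSelfSigned

# Clone the expiring certificate: piping it into New-ExchangeCertificate reuses
# its subject and name list, so the Hub servers still see the names they expect.
$NewEdge = Get-ExchangeCertificate -Thumbprint $OldEdgeThumbprint |
    New-ExchangeCertificate -Services SMTP -FriendlyName "Edge SMTP (renewed)"

# Explicitly bind SMTP to the clone, then confirm before retiring the old one.
Enable-ExchangeCertificate -Thumbprint $NewEdge.Thumbprint -Services SMTP
$Bound = Get-ExchangeCertificate -Thumbprint $NewEdge.Thumbprint
if ("$($Bound.Services)" -notmatch "SMTP") {
    throw "Certificate $($NewEdge.Thumbprint) is not bound to SMTP; keeping the old one."
}

# The Edge subscription carries the Edge server's certificate, so a new
# certificate needs a new subscription. Restart the ADAM instance so it serves
# the new certificate, then export a fresh subscription file; importing it on
# the Hub overwrites the existing subscription, as the follow-up notes.
Restart-Service ADAM_MSExchange        # assumed default Edge ADAM service name
New-EdgeSubscription -FileName C:\certs\EdgeSubscription.xml

# Retire the expired certificate only once EdgeSync is healthy again (Part C):
# Remove-ExchangeCertificate -Thumbprint $OldEdgeThumbprint

# ---------------------------------------------------------------------------
# Part B - Hub/CAS server: renew the third-party CA certificate via a new CSR
# (the shell route the follow-up took instead of the IIS MMC)
# ---------------------------------------------------------------------------
# Use the same subject and SAN names as the current certificate so Outlook,
# OWA, Autodiscover and the Edge server keep matching the names they trust.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com, hub01.example.local `
    -FriendlyName "Example Org Exchange 2007 (renewed)" `
    -KeySize 2048 -PrivateKeyExportable:$true `
    -Path C:\certs\exchange-renewal.req

# Submit C:\certs\exchange-renewal.req to the CA out of band and save the issued
# certificate as C:\certs\exchange-renewal.cer. The private key from the request
# is already in the local machine store, so importing the issued file pairs them.
$NewHub = Import-ExchangeCertificate -Path C:\certs\exchange-renewal.cer
Enable-ExchangeCertificate -Thumbprint $NewHub.Thumbprint -Services "SMTP, IIS, POP, IMAP"

# Verify the bindings and the new expiry date before removing the old certificate.
Get-ExchangeCertificate -Thumbprint $NewHub.Thumbprint |
    Format-List Thumbprint, Subject, NotAfter, Services

# ---------------------------------------------------------------------------
# Part C - Hub server: import the Edge subscription and force a sync
# ---------------------------------------------------------------------------
# Copy EdgeSubscription.xml from the Edge server first. Forcing a sync avoids
# waiting out the normal EdgeSync interval mentioned in the follow-up.
New-EdgeSubscription `
    -FileData ([byte[]]$(Get-Content -Path C:\certs\EdgeSubscription.xml -Encoding Byte -ReadCount 0)) `
    -Site "Default-First-Site-Name"
Start-EdgeSynchronization
Test-EdgeSynchronization
```

Parts A and C reproduce the resubscribe the asker found necessary; Part B is the CSR route the follow-up chose instead of renewing through IIS, which is why the same services are re-enabled on the new thumbprint with Enable-ExchangeCertificate. The throw in Part A is the check a practitioner wants before Remove-ExchangeCertificate: an Edge server left with no SMTP-bound certificate stops accepting TLS from the Hubs, which is the kind of outage the follow-up describes.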