Imported renewed Exchange 2007 UCC cert broke Active Sync

I bought an Entrust UCC cert a year ago for my Exchange 2007 server which has worked nicely. A year has gone by and it came time to renew it, which I did. I then imported the new Exchange certificate, which seemed to go off without a hitch, but in the process, my Windows Mobile phone now gives me a sync error stating that the certificate is invalid on the server.

So my question is kind of two-fold. Does anything need to happen on the mobile phone after importing a new certificate (this is a trusted certificate so nothing is installed on the phone)... and secondly, do I need to restart any Exchange services? I did restart IIS, but that didn't help.

Also, the certificate did appear fine after enabling it. I was able to get on my OWA site no problem.

Here were the commands I ran:

Import-ExchangeCertificate -Path <full path to cert file>
Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxx -Services "IIS, SMTP"
Asked by adembo

adembo (Author) commented (accepted solution):
OK, I finally found out what was causing this. The Entrust certificate needed to have the cross certificate installed with it as well. I was told that because the certificate is set to expire after 2010 it needed to have that second certificate installed as well.

Thanks.
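As an added example (not from the thread or from Entrust/Microsoft), the following PowerShell run on the Exchange server builds the chain for the renewed certificate and reports, for every issuer above the server cert, whether it is present in the LocalMachine\CA (Intermediate Certification Authorities) or LocalMachine\Root store; a cross certificate that is missing from LocalMachine\CA will not be sent in the TLS handshake, which is what a device that cannot fetch intermediates itself then reports as an invalid certificate. The thumbprint is a placeholder to be replaced with the value shown by Get-ExchangeCertificate; the chain listing also shows issuer names and expiry dates so the new chain can be compared with the old one.

```powershell
# Added example, not from the original thread. Run on the Exchange 2007 server in
# PowerShell (the Exchange Management Shell works). Paste the thumbprint reported by
# Get-ExchangeCertificate for the renewed certificate into the placeholder below.
$thumbprint = 'PASTE_THUMBPRINT_HERE'   # placeholder, not a real thumbprint
$ns = 'System.Security.Cryptography.X509Certificates'

# Returns the certificates with the given thumbprint from a LocalMachine store.
function Find-InStore([string]$storeName, [string]$thumb) {
    $store = New-Object -TypeName "$ns.X509Store" -ArgumentList $storeName, 'LocalMachine'
    $store.Open('ReadOnly')
    $hits = $store.Certificates.Find('FindByThumbprint', $thumb, $false)
    $store.Close()
    return $hits
}

$leaf = Find-InStore 'My' $thumbprint
if ($leaf.Count -eq 0) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

# Build the chain on the server; any element that cannot be validated gets a status entry.
$chain = New-Object -TypeName "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # check chain completeness, not CRL reachability
$built = $chain.Build($leaf[0])
"Chain builds on this server: $built"

# Walk the chain: element 0 is the server cert, the last element is the root.
# Schannel only sends intermediates it finds in LocalMachine\CA, so every non-root
# element should be present there; the root belongs in LocalMachine\Root.
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    $c  = $el.Certificate
    "[{0}] {1}" -f $i, $c.Subject
    "     issued by {0}, expires {1:yyyy-MM-dd}" -f $c.Issuer, $c.NotAfter
    foreach ($s in $el.ChainElementStatus) { "     status: {0} {1}" -f $s.Status, $s.StatusInformation.Trim() }
    if ($i -gt 0) {
        $storeName = 'CA'
        if ($c.Subject -eq $c.Issuer) { $storeName = 'Root' }   # self-signed: the root
        $present = (Find-InStore $storeName $c.Thumbprint).Count -gt 0
        "     present in LocalMachine\$storeName store: $present"
    }
}
if (-not $built) {
    foreach ($s in $chain.ChainStatus) { "OVERALL: {0} {1}" -f $s.Status, $s.StatusInformation.Trim() }
}
```

An intermediate reported as not present in LocalMachine\CA is the one to import into that store (the Entrust cross certificate in this thread's case); no Exchange service restart is needed for Schannel to pick it up on new connections.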
 
Paranormastic (Cryptographic Engineer) commented:
Here's the tech reference article for that command:
http://technet.microsoft.com/en-us/library/aa997231.aspx

Are you using Unified Messaging (UM)?  You might need to add that tag if you are, which could explain the phone issue.
 
adembo (Author) commented:
Thanks for the response, but I'm not sure what you are giving me that link for. My question was not about how to enable the certificate, but rather what needs to be done to allow ActiveSync to work on the Windows Mobile phones after the new certificate is installed.

Thanks.
 
Paranormastic (Cryptographic Engineer) commented:
I included it in case there might have been other services you might have wanted to enable, in case you got the instructions from an example that only included what you had down. In particular, I was wondering whether you might have needed to include UC in the list (services "IIS, SMTP, POP, UC"). Though it's a little different to see SMTP included without POP - not that it isn't valid, just usually either see both or only POP.
 
adembo (Author) commented:
Thanks.

No, I'm not using UC nor POP.
 
Paranormastic (Cryptographic Engineer) commented:
On your exchange box, make sure things come up as expected with viewing it:
Get-ExchangeCertificate -DomainName your.domain.name

You shouldn't need to do anything else normally for the rest. You shouldn't have to restart any services on Exchange, etc. or do anything special with ActiveSync. The exception to this that I can think of offhand is if you are using an ISA server, you will need to bounce the server.

Also, you can check to make sure that Entrust is using the same root & issuing CA certificates as your prior one did. Pay attention to not only the name but the date, in case they may have renewed their CA certificate or something - I haven't heard that they did, but Entrust isn't quite as heavily used as they used to be to hear as much about.