bulldogsdad asked:

Replacing the self signed certificate in Exchange 2007

Many thanks in advance for those who take the time to respond!

I have inherited an Exchange Server 2007 SP1 running on a Server 2003 SP2 x64 with the self-signed certificate installed. Everything is functioning properly (Outlook, OWA, transport). We are looking to implement ActiveSync, so I know the self-signed cert cannot be used for this, or at least that is what I have read. The environment is a fairly straightforward one: single domain, two DCs (one of which is running the cert services), single Exchange server. Oh yeah, we are also running BES, but I am pretty sure that is not affected by any of this. Here are my questions:

~ By replacing the self-signed cert with either one generated by a public CA or via the Windows Cert Auth, what, if anything, will need to be done to ensure that OWA still functions properly?
~ I have read mixed opinions on whether you should use a trusted third-party CA or one generated in house via MS Cert Auth and was wondering, for this application (ActiveSync), if there was a major difference.
~ Once the self-signed cert is replaced, if things go awry how do you re-assign the self-signed cert? (I cannot seem to locate the cert via the Cert Auth MMC snap-in.)

I have searched the MS site and have found various articles related to the above, but none that explain how to re-assign the self-signed cert if you need to.

Once again, I thank everyone who responds in advance with any assistance.

Last comment: Chris Dent, 8/22/2022 (Mon)

You can export the current certificate using the Export-ExchangeCertificate cmdlet. Check the Exchange 2007 help file on this cmdlet for information on the parameters you need to specify, e.g. thumbprint. A sample command would be:
Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).Password

Self-generated certificates are not supported for ActiveSync, therefore you need to use a commercial one. If you use a self-generated certificate then you have the headaches of managing the certificates, including getting them onto the devices, and then replacing the certificate when it expires.

Follow the procedure on my blog to get the certificate replaced with a commercial one.


In addition, you can then use the procedure for importing certificates to import this (self-signed) certificate again when necessary.
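The export-then-reimport path the replies describe, written out as an added example for the Exchange 2007 Management Shell (not code from any of the posters). The backup path and the service list are assumptions; the thumbprint is read from the live server rather than typed in, because that thumbprint is the only handle Exchange uses to re-bind the certificate later.

```powershell
# Added example: back up the self-signed certificate that currently serves IIS
# (OWA/ActiveSync) before replacing it, and re-bind it if the new cert misbehaves.
# Run in the Exchange Management Shell on the Exchange 2007 server.

$BackupPath = 'C:\certificates\selfsigned-backup.pfx'   # assumed location

function Backup-SelfSignedExchangeCert {
    param([string]$Path)

    # Locate the self-signed certificate bound to IIS. Exchange shows it here even
    # though it never appears in the Certification Authority MMC snap-in.
    $cert = Get-ExchangeCertificate |
        Where-Object { $_.IsSelfSigned -and ($_.Services -match 'IIS') } |
        Select-Object -First 1
    if (-not $cert) { throw 'No self-signed certificate bound to IIS was found.' }

    # Keep a record of thumbprint, bound services and expiry; Enable-ExchangeCertificate
    # needs the first two to put this certificate back into service.
    "Thumbprint: $($cert.Thumbprint)  Services: $($cert.Services)  Expires: $($cert.NotAfter)"

    # Export with the private key as a password-protected .pfx (any username is
    # accepted at the prompt; only the password is used).
    Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
        -Path $Path -Password:(Get-Credential).Password
    return $cert.Thumbprint
}

function Restore-SelfSignedExchangeCert {
    param([string]$Path, [string]$Services = 'IIS,SMTP')   # service list is an assumption

    # Import the .pfx back into the local machine store (assumed to return the
    # certificate object), then bind it to the services it served before.
    # If the certificate was never removed, skip the import and just enable it.
    $imported = Import-ExchangeCertificate -Path $Path -Password:(Get-Credential).Password
    if (-not $imported) { throw "Import of $Path returned no certificate." }
    Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services $Services

    # Confirm which certificate now answers for IIS.
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Format-List Thumbprint, Subject, IsSelfSigned, NotAfter
}

# Usage:
#   $tp = Backup-SelfSignedExchangeCert -Path $BackupPath   # before replacing the cert
#   Restore-SelfSignedExchangeCert -Path $BackupPath         # only if things go awry
```

Store the .pfx and its password somewhere other than the Exchange server itself, since the file contains the private key.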
Chris Dent

Chris Dent

Heh see I spent way too long writing that, didn't intend to repeat any of the above.


@Chris: That happens a lot here :)
Chris Dent

You think after all this time I'd get used to pressing Refresh first ;) Ah well :)
