Solved

Exchange 2007 Server SSL Certificate Renewal

Posted on 2009-12-22
Last Modified: 2012-05-08
I recently tried to renew a GoDaddy SSL cert to replace the exact same one installed two years ago. This process has been a complete circus: all instructions found on the net and on the GoDaddy site give many different, but incomplete, ways of how to successfully complete this. Needless to say, the initial install failed using the command shell with the error "Private Key missing". After contacting GoDaddy, I was instructed to "rekey" the SSL cert as a new one instead of a renewal by creating a new CSR. I installed that one in IIS, and it appeared to install correctly. Outlook reports seeing the new cert, as does Outlook Web Access. Even doing an SSL certificate check using www.digicert.com/help returns a successful install of a new cert. All mobile devices, Outlook clients and web clients appear to work normally.
HOWEVER, the Exchange server reports in the Event Viewer that the SSL certificate is expired, and Thunderbird also reports it that way from off site. There must be a way to convince the Exchange server, as well as Thunderbird, that the new cert is not expired. Any ideas?
0
Question by:saxcoach
12 Comments
 
LVL 7

Expert Comment

by:BrianKronberg
ID: 26107655
First, do not use IIS to configure Exchange certificates.

Second, delete all of your certificates (back them up first just in case) and then create a new request.  I recommend using DigiCert's CSR wizard to help you with the PowerShell command.

Third, enable the certificate for use by Exchange 2007 with the PowerShell cmdlet.

Finally, install the certificate that you get from GoDaddy and then confirm installation of intermediary certificates.  In the last few years all the cert vendors have started using intermediary certificates that are sometimes not automatically trusted by your servers and workstations.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 26109285
If you haven't removed the old certificate then you will get these errors. You simply need to remove the old certificate. If everything else works there is no need to remove certificates etc. The old one is still there. It could also be the original self signed certificate that is causing the problem.

Run get-exchangecertificate to see what certificates are installed and enabled.

Simon.
0
 

Author Comment

by:saxcoach
ID: 26109348
Thanks. I do see multiple certs installed. The newest one doesn't show SMTP enabled, which may be why Thunderbird fails on send. I need to read up on removing certs with PowerShell, and then use the CSR request from DigiCert to rekey the SSL cert for all services and SANs. Sound correct?
0
 
LVL 7

Expert Comment

by:BrianKronberg
ID: 26109553
Run get-exchangecertificate to list all of the certs
find the thumbnail for the one you want to remove
run remove-exchangecertificate -thumbnail "xxxxxxxxxxxxxxxxxxxxxxxxx"

Then, choose the thumbnail you want to use for SMTP and then run
enable-exchangecertificate -thumbnail "xxxxxxxxxxxxxxxxxxxxxx" -services smtp

Look here for some more info.
http://technet.microsoft.com/en-us/library/aa998840(EXCHG.80).aspx
0
 
LVL 7

Expert Comment

by:BrianKronberg
ID: 26109557
Doh, I said thumbnail twice when I meant thumbprint.  Yeah, I am tired.
0
 
LVL 7

Expert Comment

by:BrianKronberg
ID: 26109613
Disregard the enable-exchangecertificate line.  I gave a partial answer to another question in here.  I guess I am trying to answer too fast.

The removal can still be done with this

Run get-exchangecertificate to list all of the certs
find the thumbprint for the one you want to remove
run remove-exchangecertificate -thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxx"
0
 

Author Comment

by:saxcoach
ID: 26156404
Thanks for the help. I get an error message trying to remove the expired certificate: "The Internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the Internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate."

I will post a screen shot momentarily.

0
 
LVL 7

Expert Comment

by:BrianKronberg
ID: 26156490
That is because it is assigned to the SMTP service.  You need to create a new internal certificate and assign it to SMTP so your transport service can use it.  An internal/self-signed certificate is fine for SMTP as long as you are not doing TLS SMTP with another Exchange organization.
0
 

Author Comment

by:saxcoach
ID: 26156689
Can I enable the SMTP service for the new certificate that is installed? Will that allow me to remove the old cert?
0
 
LVL 7

Accepted Solution

by:
BrianKronberg earned 2000 total points
ID: 26156705
Yes, use enable-exchangecertificate.  The link I posted previously has the details.

0
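The steps scattered across this thread (list the installed certificates, find the expired ones, bind the new certificate to SMTP and the other services, then remove the old one) fit into a single Exchange Management Shell script. This is an added example, not code posted by anyone in the thread; the thumbprint value is a placeholder you copy from your own Get-ExchangeCertificate output, and the service list "IIS,SMTP,POP,IMAP" is an assumption about which services the old certificate carried.

```powershell
# Added example: inventory Exchange 2007 certificates, flag the expired ones,
# move the SMTP (and other) bindings to the new certificate, and only then
# remove certificates that no longer carry any service.
# Run from the Exchange Management Shell on the Exchange 2007 server.

# Placeholder: paste the thumbprint of the newly installed GoDaddy certificate here.
$NewThumbprint = "<THUMBPRINT-OF-NEW-CERTIFICATE>"

# Assumption: the services the old certificate was bound to. Adjust to match
# the Services column shown for the old certificate in step 1.
$ServicesToBind = "IIS,SMTP,POP,IMAP"

# 1. List every certificate Exchange knows about, oldest expiry first, with the
#    services each one is enabled for. This is the view the thread asks for.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 2. Identify the certificates that are already past NotAfter. These are the
#    ones the Event Viewer and Thunderbird are complaining about.
$expired = Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt (Get-Date) }
Write-Host "Expired certificates still installed:"
$expired | Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize

# 3. Bind the new certificate to the services. Enabling SMTP on a valid
#    certificate is what lets Remove-ExchangeCertificate stop refusing with
#    "The Internal transport certificate cannot be removed".
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services $ServicesToBind

# 4. Confirm the binding took before touching anything else.
Get-ExchangeCertificate -Thumbprint $NewThumbprint |
    Format-List Thumbprint, Subject, NotAfter, Services

# 5. Remove each expired certificate, but only if Exchange no longer shows any
#    service bound to it. A certificate that still lists SMTP is skipped rather
#    than forced, because removing the internal transport certificate stops the
#    Microsoft Exchange Transport service.
foreach ($cert in $expired) {
    $current = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
    if ($current.Services -eq 'None') {
        Write-Host "Removing expired certificate $($cert.Thumbprint)"
        Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
    }
    else {
        Write-Warning "Skipping $($cert.Thumbprint): still bound to $($current.Services)"
    }
}
```

If the expired certificate still shows SMTP after step 3, the transport service has not released it yet; re-run step 1 after the transport service is restarted, and if it persists, the receive connector FQDN suggestion later in this thread is the next thing to look at. Re-running step 1 at the end should show only the new certificate with all of the services and no entries with a NotAfter in the past.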
 

Author Closing Comment

by:saxcoach
ID: 31669133
Stuck with it till it was answered. Thanks!
0
 
LVL 26

Expert Comment

by:Tony J
ID: 33598140
You could try changing the FQDN on the receive connector.

Change it to null so it is blank. Then restart transport services and attempt to remove the certificate again.
0
