Exchange 2007 Server SSL Certificate Renewal

I recently tried to renew a GoDaddy SSL cert to replace the same exact one installed two years ago. This process has been a complete circus; all instructions found on the net and on the GoDaddy site give many different, but incomplete, ways of how to successfully complete this. Needless to say, the initial install failed using the Command Shell with the error "Private Key missing". After contacting GoDaddy, I was instructed to "rekey" the SSL cert as a new one instead of a renewal by creating a new CSR. I installed that one in IIS, and it appeared to install correctly. Outlook reports seeing the new cert, as well as Outlook Web Access. Even doing an SSL certificate check using www.digicert.com/help returns a successful install of a new cert. All mobile devices, Outlook clients and web clients appear to work normally.
HOWEVER, the Exchange server reports in the Event Viewer that the SSL certificate is expired, and Thunderbird also reports it that way from off site. There must be a way to convince the Exchange server that the new cert is not expired, as well as Thunderbird. Any ideas?
saxcoach Asked:

BrianKronberg Commented:
Yes, use enable-exchangecertificate.  The link I posted previously has the details.

0
 
BrianKronberg Commented:
First, do not use IIS to configure Exchange certificates.

Second, delete all of your certificates (back them up first just in case) and then create a new request.  I recommend using DigiCert's CSR wizard to help you with the PowerShell command.

Third, enable the certificate for use by Exchange 2007 with the PowerShell cmdlet.

Finally, install the certificate that you get from GoDaddy and then confirm installation of intermediary certificates.  In the last few years all the cert vendors have started using intermediary certificates that are sometimes not automatically trusted by your servers and workstations.
0
 
Mestha Commented:
If you haven't removed the old certificate then you will get these errors. You simply need to remove the old certificate. If everything else works there is no need to remove certificates etc. The old one is still there. It could also be the original self signed certificate that is causing the problem.

Run get-exchangecertificate to see what certificates are installed and enabled.

Simon.
0
 
saxcoach Author Commented:
Thanks. I do see multiple certs installed. The newest one doesn't show SMTP enabled, which may be why Thunderbird fails on send. I need to read up on removing certs with PowerShell, and then use the CSR request from DigiCert to rekey the SSL cert for all services and SANs. Sound correct?
0
 
BrianKronberg Commented:
Run get-exchangecertificate to list all of the certs
find the thumbnail for the one you want to remove
run remove-exchangecertificate -thumbnail "xxxxxxxxxxxxxxxxxxxxxxxxx"

Then, choose the thumbnail you want to use for SMTP and then run
enable-exchangecertificate -thumbnail "xxxxxxxxxxxxxxxxxxxxxx" -services smtp

Look here for some more info.
http://technet.microsoft.com/en-us/library/aa998840(EXCHG.80).aspx
0
 
BrianKronberg Commented:
Doh, I said thumbnail twice when I meant thumbprint.  Yeah, I am tired.
0
 
BrianKronberg Commented:
Disregard the enable-exchangecertificate line.  I gave a partial answer to another question in here.  I guess I am trying to answer too fast.

The removal can still be done with this

Run get-exchangecertificate to list all of the certs
find the thumbprint for the one you want to remove
run remove-exchangecertificate -thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxx"
0
 
saxcoach Author Commented:
Thanks for the help. I get an error message trying to remove the expired certificate: "The Internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the Internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate."

I will post a screen shot momentarily.

0
 
BrianKronberg Commented:
That is because it is assigned to the SMTP service.  You need to create a new internal certificate and assign it to SMTP so your transport service can use it.  An internal/self-signed certificate is fine for SMTP as long as you are not doing TLS SMTP with another Exchange organization.
0
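The sequence the replies above describe (list certificates, bind the renewed one to SMTP so it becomes the internal transport certificate, then remove the expired one), as an added Exchange Management Shell example that is not from this thread. It assumes the renewed certificate is already imported with its private key, that its SAN list covers the server's SMTP FQDN, and that C:\certbackup exists; the backup path and password prompt are placeholders.

```powershell
# Added example for Exchange 2007 Management Shell (not code from the thread).
# Assumes the renewed cert is already in the local machine store with its
# private key and that C:\certbackup exists for the PFX backups.

# 1. Show every certificate Exchange knows about, with expiry and bound services.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services, IsSelfSigned

# 2. Select the newest certificate that is still valid and not self-signed.
$now = Get-Date
$new = Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -gt $now -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $new) {
    throw "No valid third-party certificate found; import the renewed certificate first."
}

# 3. Bind it to SMTP (and IIS). Binding to SMTP is what makes it the internal
#    transport certificate, so the old one is no longer protected from removal.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IIS,SMTP"

# 4. Back up and then remove every expired certificate. Only certificates whose
#    NotAfter is in the past are touched; the valid self-signed one is left alone.
$pfxPassword = Read-Host "PFX backup password" -AsSecureString
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -le $now } |
    ForEach-Object {
        $backup = "C:\certbackup\$($_.Thumbprint).pfx"   # placeholder path
        Export-ExchangeCertificate -Thumbprint $_.Thumbprint -BinaryEncoded `
            -Path $backup -Password $pfxPassword
        Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false
    }

# 5. Verify: the new thumbprint should now list SMTP under Services and nothing
#    expired should remain.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Thumbprint, Services, NotAfter
Get-ExchangeCertificate | Where-Object { $_.NotAfter -le $now }
```

After step 3, restart the Microsoft Exchange Transport service if the Event Viewer still reports the old thumbprint; clients such as Thunderbird will only see the new certificate once the SMTP binding is in place.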
 
saxcoach Author Commented:
Can I enable the SMTP service for the new certificate that is installed? Will that allow me to remove the old cert?
0
 
saxcoach Author Commented:
Stuck with it till it was answered. Thanks!
0
 
Tony J (Lead Technical Architect) Commented:
You could try changing the FQDN on the receive connector.

Change it to null so it is blank. Then restart transport services and attempt to remove the certificate again.
0