Need help with Exchange 2007 certificates

Posted on 2009-12-30
Last Modified: 2012-05-08
Hey guys

I'm really getting stuck here. As an IT team of one, I'm spending the holidays lab-testing a new server running Exchange 2007 on 2008 SBS. All aspects of the server install have gone fine, but Exchange is giving me real headaches - such that I am on the brink of proposing the new server be deployed with Exchange 2003 again, simply because I can get that working!

In a nutshell, ActiveSync is not working, so no iPhone connections work, OWA is not working, and Outlook 2007 has been giving me an invalid certificate error on startup (although mysteriously this didn't do it today...)

I think all of my issues stem from invalid certificates. The Exchange Best Practices Analyser Health Check had been reporting invalid SANs on all my certificates until today. I think my same dabbling that stopped the Outlook certificate warning has also changed the Health Check results, which now show "No client authentication methods available for ActiveSync" and "Outlook Web Access configured without SSL". These 2 errors are new, and replace the certificate errors, but what's odd is that within IIS Manager, ActiveSync and OWA have "Require SSL" checked.

I feel like I need a "Reset everything related to IIS to defaults" button, followed by a "Regenerate Exchange certificates" button, but short of a reinstall I'm stuck.

One other question, why are there four certificates installed as standard. If I were up against just one, like I created for OWA on Exchange 2003, I'd feel confident, but I don't even know why there are four now?

Any help would be much appreciated.
Question by:timwatsonuk
    LVL 76

    Expert Comment

    by:Alan Hardisty
    There should only be one certificate installed by default on SBS 2008 and you should replace this with a 3rd party SAN SSL certificate if you want to get all the available features working.  Please have a read of the following for info on the restrictions of a self-certified certificate:
    Extract in case of link failure:
    • Expiration Date: The self-signed certificate expires 12 months after Exchange 2007 is installed. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
    • Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
    • Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
    • Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.
    GoDaddy offer 1 Year 5 SAN SSL certificates for about $90 and you would be well advised to start off by purchasing one and then seeing what does not work.
    Mestha - EE's leading Exchange Genius has a blog on the relevant names to include on a SAN (Subject Alternative Name) certificate:

    Author Comment

    Thanks Alan.

    I see that text states that ActiveSync with a self-signed certificate doesn't encrypt communications with a mobile device. Is that new with 2007? I had a self-signed certificate on Exchange 2003 which the iPhone warned about but continued to use.

    I definitely have 4 certificates. No idea why.

    Would it be reasonable to:
    1) Delete ALL the certificates to begin with
    2) Get OWA and ActiveSync working without certificates
    3) Install a single certificate self-signed certificate
    4) Configure OWA and ActiveSync to work with the certificate
    5) Replace the certificate in due course with a GoDaddy certificate

    I don't want to delete all the certificates if that stops Exchange working - that's one of the few things that is actually working at the moment!! :)
    LVL 76

    Accepted Solution

    Yes - sadly with 2007 you really need a 3rd party SSL certificate.  I used to use a self-cert with 2003 (but had to install the cert on all devices), I then changed it for an SSL cert from GoDaddy and that saved me having to install the cert and then I upgraded to 2010 and bought a SAN SSL cert and it went very smoothly.
    iPhones always warn about certificates no matter what - they are not as strict on SSL security as Windows Mobile devices.
    I would not necessarily delete all certificates to start with - check the one with the oldest creation date as that is probably the initial one created by SBS.  The others I would imagine that you created yourself.
    You should be able to create a new certificate by doing the following in the Exchange Management Console:
    New-ExchangeCertificate -DomainName, servername.domain.local, autodiscover.domain.local,, servername

    Enable-ExchangeCertificate -Thumbprint <thumbprint of the new certificate> -Services IIS, SMTP, POP
    This may make everything work initially, then you can replace this if you have problem with a GoDaddy one (or other provider).
    Make the changes slowly - one thing I learned is that the changes are not immediate with 2007 / 2010 so if you think you made a change and got away with it scott-free, you may still get bitten later!
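
    As an added example (not Alan's command and not from this thread), here is the same two-step procedure written for the Exchange 2007 Management Shell, using the names that come up in this discussion: the server carlos, the AD domain mydomain.local, and the SBS short name sites. mail.example.com stands in for the external name clients type, which is not given on the page, and the cmdlet parameters used are the documented ones for New-ExchangeCertificate and Get-ExchangeCertificate.

```powershell
# Added example for Exchange 2007 on SBS 2008 (Exchange Management Shell).
# Names assumed from the discussion; "mail.example.com" is a placeholder for the
# external name that OWA / ActiveSync clients actually connect to.
$names = @(
    "carlos",
    "carlos.mydomain.local",
    "autodiscover.mydomain.local",
    "sites",                 # needed for https://sites/owa
    "mail.example.com"       # placeholder external name - replace before running
)

# 1. Create one self-signed certificate that carries every name as a Subject
#    Alternative Name and bind it to IIS (OWA, ActiveSync, OAB, Autodiscover),
#    SMTP and POP in a single step. The cmdlet returns the certificate object,
#    so its thumbprint is available for the check below.
$cert = New-ExchangeCertificate -SubjectName "CN=$($names[4])" `
                                -DomainName $names `
                                -PrivateKeyExportable $true `
                                -FriendlyName "Exchange SAN (self-signed)" `
                                -Services IIS,SMTP,POP

# 2. Verify the binding and, above all, the name list. A hostname missing from
#    CertificateDomains is exactly what produces "The name on the security
#    certificate is invalid or does not match the name of the site" in Outlook
#    and the name warning in OWA.
$bound = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
"Thumbprint  : {0}" -f $bound.Thumbprint
"Services    : {0}" -f $bound.Services
"Self-signed : {0}" -f $bound.IsSelfSigned
"Expires     : {0}" -f $bound.NotAfter       # self-signed certs expire after 12 months

# CertificateDomains holds SmtpDomain objects, so compare by their string form.
$onCert  = $bound.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $names | Where-Object { $onCert -notcontains $_.ToLower() }
if ($missing) {
    Write-Warning ("Names NOT on the certificate: " + ($missing -join ", "))
} else {
    "All expected names are present as SANs."
}
```

    Run the check again after any later change, since (as Alan notes) Exchange 2007 does not always apply certificate changes immediately.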

    Author Comment

    Thanks Alan. I think we're getting somewhere!

    This server was only installed this week, so all four certificates were created during installation. Anyway, I went ahead and zapped all four of them, and followed your advice on creating and enabling a new certificate. I then went through OWA, ActiveSync and OAB in IIS Manager and set them to use the new certificate.

    Exchange is still working (!), my iPhone is suddenly synching fine again (with certificate warnings initially), and even OWA is now working locally after a warning.

    I have just two issues I think now (if I live with the iPhone warning).

    Firstly, I am getting a certificate warning again when I open Outlook 2007. The top of the security alert says "sites" and the error is "The name on the security certificate is invalid or does not match the name of the site". Is this an OAB issue? Should "sites" be in the list of SANs for the certificate? Or do I just have some other issue with OAB/autodiscovery?

    Secondly, when I access OWA via https://sites/owa I get a certificate warning saying the certificate is not trusted.

    Any ideas?  :)
    LVL 76

    Expert Comment

    by:Alan Hardisty
    Just to check - (as I had not mentioned it) - did you change the names on the certificate you created to match your environment?
    Did you include your internal and external domain names?

    Author Comment

    My external domain is, but my server is configured as mydomain.local. My server is named carlos so I created the certificate with the domain name entries of carlos, carlos.mydomain.local and autodiscover.mydomain.local. I didn't add my external domain as the only use of this is and I didn't see the significance of this with regards to OWA or ActiveSync.

    Reading your initial link again, it seems the trusted certificate warning is just something I'm going to have to live with while I use a self-signed certificate, as is the lack of SSL on ActiveSync.

    I think that just leaves me with the Outlook certificate warning at startup for now...

    LVL 76

    Expert Comment

    by:Alan Hardisty
    OWA will need to have the URL you access OWA via added to the certificate otherwise you will get a certificate error (another one).  Activesync needs the same - so if you access via then this should be included in the certificate too.
    Can you screen dump the Outlook error for me please.

    Author Comment

    Hi Alan

    Apologies for disappearing for a couple of days - the wife ended up in hospital with meningitis!

    OK, I think it's all sorted now. The first breakthrough after our last exchange was to add Sites to the single certificate. This got OWA etc. all working. Another important thing was to go through all the SBS sites and ensure they are using the new, single certificate.

    By the way, the system has re-created 2 more certificates again, but I am ignoring them!!  :)

    With every passing hour and every Windows Update, something else has stopped working, and I've seen 100 different event IDs in the last 4 days, but as of tonight the error logs are clear and everything seems to be working.

    Thanks for the help. Although another dozen hours were spent battling since our discussion, I'm going to credit you with the total solution based on your following comments:-

    "New-ExchangeCertificate -DomainName, servername.domain.local, autodiscover.domain.local,, servername

    Enable-ExchangeCertificate -Thumbprint <thumbprint of the new certificate> -Services IIS, SMTP, POP"

    That, along with adding Sites to the list, was a real turning point. Thanks again.

    Author Closing Comment

    Further work is needed but the accepted solution is a good start.
    LVL 76

    Expert Comment

    by:Alan Hardisty
    Well I think I can forgive you for disappearing based on the Meningitis problem.  I hope that she makes a full and speedy recovery.

    Glad you are somewhat sorted now and fully understand the delights of updates 'fixing' problems and creating yet more.

    Hope you have a great 2010.

