Cannot disable old certificates for services.

numb3rs1x
I've installed a third-party cert for my e2k7 server, but the old cert is still presenting itself when I try to make a connection. I tried using the following commands to disable the other certs, but they don't seem to work. I don't get an error or anything, but when I use the get-certificate command, I still see that they are active for the services.

[PS] C:\Documents and Settings\administrator.HQ>get-exchangecertificate -domain MailServer.hq.domain.com

Thumbprint                                Services   Subject
----------                                --------   -------
<Thumbprint1>  IP.WS      CN=MailServer.hq.domain...
<Thumbprint2>  IP..S      CN=Mailserver
<Thumbprint3>  IP..S      CN=*.domain.com, OU...

[PS] C:\Documents and Settings\administrator.HQ>Enable-ExchangeCertificate -ThumbPrint <Thumbprint1> -Services "NONE"

[PS] C:\Documents and Settings\administrator.HQ>Enable-ExchangeCertificate -ThumbPrint <Thumbprint2> -Services "NONE"

[PS] C:\Documents and Settings\administrator.HQ>get-exchangecertificate -domain MailServer.hq.domain.com

Thumbprint                                Services   Subject
----------                                --------   -------
<Thumbprint1>  IP.WS      CN=MailServer.hq.domain...
<Thumbprint2>  IP..S      CN=Mailserver
<Thumbprint3>  IP..S      CN=*.domain.com, OU...
AkhaterSolutions Architect

Commented:
Enable-ExchangeCertificate -ThumbPrint <Thumbprint3> -Services "IMAP,SMTP,POP,IIS"

remove-exchangecertificate -ThumbPrint <Thumbprint1>
Dan ArseneauDevOps Engineer

Commented:
On the Exchange server, Start Run - MMC hit Enter.  File - Add/Remove Snap-in.  Add... - Certificates (Computer account) - Next - Finish -Close - OK.
Navigate to Certificates (Local Computer) - Personal - Certificates.  You should be able to delete from there.

Rerun enable-exchangecertificate -thumbprint <thumbprint> -services "smtp,iis,pop,imap" (or whatever you are using it for).
AkhaterSolutions Architect

Commented:
Do not delete the self-signed certificate (thumbprint2) unless your new one has the internal Exchange name in it.
Author

Commented:
By "internal exchange name":

server name: mail2007
server fqdn: mail2007.hq.domain.com

Are those interchangeable? My cert is set up with the FQDN of the server, but not the name of the server by itself. Does that matter?
AkhaterSolutions Architect

Commented:
It doesn't matter; just keep the self-signed certificate. It doesn't bother you and won't affect your operation.

Author

Commented:
The self-signed cert is the one giving me the trouble, though: because it's set up for "mail2007" and not for "mail2007.hq.domain.com", I get certificate verification errors. I would be willing to disable its use on Services, but the commands listed above to do that don't seem to work.
AkhaterSolutions Architect

Commented:
The self-signed certificate should not give you any trouble if you run

Enable-ExchangeCertificate -ThumbPrint <Thumbprint3> -Services "IMAP,SMTP,POP,IIS"
Get-ExchangeCertificate

What is the result?

And what certificate errors are you getting, and where?
Dan ArseneauDevOps Engineer

Commented:
There were several instances when Exchange 2007 couldn't run commands against the certificate store and I found that it was corrupting often.  Try the following process to repair the cert store:

1. Start | Run | MMC
2. Add the Certificates snapin for the Computer Account
3. Right-click the Personal store and choose All Tasks... | Import. (even if the cert is there, do this again)
a. Click Next
b. Click Browse... and locate your certificate and click Next
c. For the Certificate Store location, click Next
d. Click Finish. Click Ok to the successful message.
4. Open the Personal store and double-click the new certificate
5. Click the Details tab and click on ‘Serial number’. Write this value down
6. Open a CMD prompt and run certutil -repairstore My "########"
Dan ArseneauDevOps Engineer

Commented:
The above process is for certificates that will not accept commands like enable-exchangecertificate.  You can skip #3 and use your problematic cert.

Author

Commented:
Enable-ExchangeCertificate -ThumbPrint <Thumbprint3> -Services "IMAP,SMTP,POP,IIS"
Get-ExchangeCertificate

What is the result?

If I run this command, that would enable both the self-signed cert and the third-party cert I installed. I don't want the self-signed cert to be the one used because it will cause a warning alert when all my users will be hitting mail.domain.com. I want to avoid them getting the certificate warning every time they hit the server with their clients. This is a standard thing, I thought. Perhaps I'm missing the point of the self-signed cert.

And what certificate errors are you getting, and where?

Currently I am getting a certificate warning when using Thunderbird over an IMAP connection. It pulls the self-signed cert instead of the 3rd party cert I have installed for the service.

[PS] C:\Documents and Settings\administrator.HQ>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
B98B3E46DF8749B98ED785CB394FDF59D4358AA6  IP.WS      CN=mail2007.hq.domai...
0D094B14B16B890E240DCD29798E550A5E10A23F  IP..S      CN=mail2007

As you can see, both certs are enabled for IMAP. It looks like the self-signed cert is taking priority.
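An added check, not code from the thread or from Exchange: a small Python probe that opens a TLS session to the IMAPS port and reports the SHA-1 thumbprint of the certificate the server actually hands out, so the wire behaviour can be compared against the Thumbprint column of Get-ExchangeCertificate instead of trusting the Services column. The two thumbprints are the ones from the output above; the host name is a placeholder you substitute.

```python
"""Report which certificate an IMAPS endpoint really presents (added example)."""
import hashlib
import socket
import ssl
import sys

# Thumbprints copied from the Get-ExchangeCertificate output in the thread.
THIRD_PARTY = "B98B3E46DF8749B98ED785CB394FDF59D4358AA6"  # CN=mail2007.hq.domai...
SELF_SIGNED = "0D094B14B16B890E240DCD29798E550A5E10A23F"  # CN=mail2007


def normalize_thumbprint(value: str) -> str:
    """Drop colons/spaces and upper-case, so thumbprints copied from Exchange,
    openssl or a mail client's certificate viewer compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def thumbprint_from_der(der: bytes) -> str:
    """Exchange's Thumbprint column is the SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()


def fetch_presented_thumbprint(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Connect to an IMAPS port and return the thumbprint of the leaf certificate.
    Verification is switched off deliberately: we want to see the certificate even
    when it is untrusted, because an untrusted cert is exactly the symptom here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return thumbprint_from_der(der)


def explain(presented: str, expected: str, self_signed: str) -> str:
    """Map the presented thumbprint to a short diagnosis for the admin."""
    p, e, s = (normalize_thumbprint(v) for v in (presented, expected, self_signed))
    if p == e:
        return "ok: expected certificate is presented"
    if p == s:
        return "self-signed certificate still presented; expected cert not selected"
    return "unexpected certificate presented: " + p


if __name__ == "__main__":
    # Placeholder host: run as  python probe.py mail2007.hq.domain.com
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    print(explain(fetch_presented_thumbprint(target), THIRD_PARTY, SELF_SIGNED))
```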
AkhaterSolutions Architect

Commented:
Well, just go to the MMC as Dan Arseneau said and delete the one you don't want.

Author

Commented:
I'm sorry if I'm making this more complicated than it needs to be, but I'm unsure about just deleting it outright. When I go to the Certificate MMC and disable the self-signed cert, I get an error on my IMAP connection. Is disabling the cert the same thing as deleting it? I just want to avoid breaking SSL on the new server.

Error Code -12263 is what I get when I disable the cert.
Solutions Architect
Commented:
Don't worry about deleting the self-signed certificate; you only need to initiate New-ExchangeCertificate and it will create a new one.

Author

Commented:
I will try this after hours tonight.
