Replace an expired SSL certificate for Exchange with a self-signed one


We use a single Exchange 2007 Enterprise server on Windows Server 2008 x64.

We had an SSL certificate that expired last week. The OWA clients get a warning (but can access) and ActiveSync clients don't work.

We don't want to renew the certificate and want to create a self-signed one using the Exchange PowerShell. The certificate is created and I can see it in the IIS certificates; the OWA clients can access webmail (they get a warning about a non-secure certificate). But ActiveSync clients don't work. They get a "non valid certificate" error, 0x80072F0D. Outlook 2007 gets an error too, but works. Outlook 2003 doesn't work; it can't connect to the server.

Have I missed something?

I use this command to create the certificate:

New-ExchangeCertificate -DomainName "", "exchange" -Services "IIS"

"" is the external name of our webmail; "exchange" is the internal name of our Exchange server.

Thank you.
You can't use a self-signed certificate to support ActiveSync clients as the Windows Mobile devices will not trust the issuer of the certificate. You'll need to either submit a certificate request against an internal Windows CA and then import the root/issuing CA's certificate into each WinMo device (complicated) or purchase a trusted third-party certificate that the WinMo devices already trust by default (easier).
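The answer above names the two properties of the new certificate that matter to the devices: who issued it and whether it is trusted. The script below is an added example, not code from the thread or from Microsoft, that reads the certificate Exchange 2007 has enabled for IIS and reports the conditions discussed here (expired, self-signed, missing host names). It runs in the Exchange Management Shell on the Client Access server; the two host names in `$expectedNames` are placeholders for the external webmail name and the internal server name from the question.

```powershell
# Added example (not from the thread): inspect the certificate that Exchange 2007
# has enabled for the IIS service and flag the conditions the thread discusses.
# Run in the Exchange Management Shell on the Client Access server.
$expectedNames = @("webmail.example.com", "exchange")   # placeholders, not real names

$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
if (-not $iisCerts) {
    Write-Warning "No certificate is enabled for the IIS service."
}

foreach ($cert in $iisCerts) {
    Write-Host ("Thumbprint : {0}" -f $cert.Thumbprint)
    Write-Host ("Subject    : {0}" -f $cert.Subject)
    Write-Host ("Issuer     : {0}" -f $cert.Issuer)
    Write-Host ("Valid      : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)
    $names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
    Write-Host ("Names      : {0}" -f ($names -join ", "))

    # Expired certificate: the situation that started the thread.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate has expired; clients will reject it."
    }

    # Self-signed certificate: OWA only warns, but ActiveSync devices refuse to
    # connect because no CA they trust vouches for the issuer.
    if ($cert.IsSelfSigned) {
        Write-Warning "Certificate is self-signed; ActiveSync devices will not trust it unless the issuer is installed on each device."
    }

    # Name mismatch: every host name clients connect to must appear in the certificate.
    foreach ($name in $expectedNames) {
        if ($names -notcontains $name) {
            Write-Warning ("Certificate does not cover the name '{0}'." -f $name)
        }
    }
}
```

The `IsSelfSigned` and `Issuer` fields are the ones to watch after replacing the certificate: once a CA-issued certificate is bound to IIS, `Issuer` should name the CA rather than the server itself.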

Alan Hardisty (Co-Owner) commented:
For reference:

Self Certified Certificate Restrictions on Exchange 2007
xuti (Author) commented:
Can I sign a certificate using the Windows Certification Authority? Will it be valid?
Yes, but as I pointed out in my original message you'd have to add the Windows CA certificate to the Trusted list of CAs on all of your Windows Mobile devices. Depending on the number of devices and if you are using any sort of management solution this could be a large undertaking. If it's only for a few devices then it can be done manually.

See this article for more details:
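The internal-CA route described above is, in Exchange 2007 terms, a request/import/enable sequence followed by exporting the CA's certificate for the devices. The block below is an added example, not from the thread or from Microsoft's documentation, showing that sequence with the Exchange 2007 cmdlets and the Windows `certreq.exe`/`certutil.exe` tools. All host names, file paths and the CA configuration string `"CA-SERVER\Corp Issuing CA"` are placeholders.

```powershell
# Added example (not from the thread): replace the self-signed IIS certificate with
# one issued by an internal Windows CA. Host names, paths and the CA name are placeholders.
$externalName = "webmail.example.com"          # stands in for the "" in the question
$internalName = "exchange"
$internalFqdn = "exchange.corp.example.com"
$requestFile  = "C:\certs\exchange.req"
$issuedFile   = "C:\certs\exchange.cer"
$caConfig     = "CA-SERVER\Corp Issuing CA"    # <CA host>\<CA common name>

# 1. Generate the request. The private key stays on this server; every name
#    clients use (external, short internal, internal FQDN) goes into -DomainName.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$externalName" `
    -DomainName $externalName, $internalName, $internalFqdn `
    -PrivateKeyExportable $true -Path $requestFile

# 2. Submit the request to the enterprise CA using the Web Server template.
certreq.exe -submit -config $caConfig -attrib "CertificateTemplate:WebServer" $requestFile $issuedFile

# 3. Import the issued certificate; the cmdlet returns the certificate object.
$newCert = Import-ExchangeCertificate -Path $issuedFile

# 4. Bind it to IIS (OWA, ActiveSync, Outlook Anywhere). Exchange asks for
#    confirmation before replacing the existing IIS binding.
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services "IIS"

# 5. Verify: Issuer should now be the CA and IsSelfSigned should be False.
Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint |
    Format-List Subject, Issuer, IsSelfSigned, CertificateDomains, Services, NotAfter

# 6. Export the CA's own certificate; this is the file that has to be installed
#    into the trusted root store of each Windows Mobile device.
certutil.exe -config $caConfig -ca.cert "C:\certs\corp-issuing-ca.cer"
```

Step 6 is the part that scales badly with device count, as the answer notes: each device must receive and install the `.cer` file before it will accept the new IIS certificate. Keep the old self-signed certificate in place until that is done, since removing it before devices trust the CA simply changes which error they report.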
Alan Hardisty (Co-Owner) commented:
Here is the relevant part of the link that I posted earlier:
Limitations of the Self-Signed Certificate
The following list describes some limitations of the self-signed certificate. Expiration Date: The self-signed certificate is valid for one year from the date of creation in versions of Exchange 2007 that are earlier than Exchange 2007 Service Pack 2 (SP2). Self-signed certificates are valid for five years from the date of creation in Exchange 2007 SP2 or in later versions. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.

Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.

Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.

Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.

xuti (Author) commented:
Thank you very much for your help. We have tested the .cer on a Windows Mobile device and on a Windows XP client and it works fine. We use few Windows Mobile devices (only 4) and for the moment we will use this self-signed certificate.
