

Replace an expired SSL certificate for Exchange with a self-signed one

Posted on 2010-03-23
Medium Priority
Last Modified: 2012-05-09

We use a single Exchange 2007 Enterprise server on Windows Server 2008 x64.

We had an SSL certificate that expired last week. The OWA clients get a warning (but can access) and ActiveSync clients don't work.

We don't want to renew the certificate and want to create a self-signed one using the Exchange PowerShell. The certificate is created and I can see it in the IIS certificates; the OWA clients can access webmail (they get a warning about a non-secure certificate). But ActiveSync clients don't work. They get a "non valid certificate" error, 0x80072F0D. Outlook 2007 gets an error too, but works. Outlook 2003 doesn't work; it can't connect to the server.

Have I missed something?

I use this command to create the certificate:

New-ExchangeCertificate -DomainName "mail.secdor.com", "exchange" -Services "IIS"

"mail.secdor.com" is the external name of our webmail. "exchange" is the internal name of our exchange server.

Thank you.
Question by:xuti
LVL 12

Accepted Solution

Jeff_Schertz earned 1000 total points
ID: 28344388
You can't use a self-signed certificate to support ActiveSync clients as the Windows Mobile devices will not trust the issuer of the certificate.  You'll need to either submit a certificate request against an internal Windows CA and then import the root/issuing CA's certificate into each WinMo device (complicated) or purchase a trusted third-party certificate that the WinMo devices already trust by default (easier).
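The Windows CA route described above, as an added example that is not code from the thread: audit the certificates Exchange currently holds, generate a request for the same names the self-signed certificate carried, have an internal Windows CA issue it, bind it to IIS, and export the CA certificate that each Windows Mobile device will need to trust. The CA config string "ca01.secdor.local\SecdorIssuingCA", the "WebServer" template and the C:\certs paths are assumed placeholders.

```powershell
# Added example, not part of the original thread. Run in the Exchange 2007
# Management Shell on the Client Access server. Placeholder values assumed:
# the CA "ca01.secdor.local\SecdorIssuingCA", the "WebServer" template and
# the C:\certs paths; replace them with your own.

# 1. Audit: which certificates does Exchange hold, which services use them,
#    are they self-signed, and how many days until they expire?
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, IsSelfSigned, NotAfter,
        @{Name = 'DaysLeft'; Expression = { ($_.NotAfter - (Get-Date)).Days }} |
    Format-Table -AutoSize

# Self-signed or nearly expired certificates bound to IIS (OWA/ActiveSync)
# are the ones that make ActiveSync clients fail, as the question shows.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and
                   ($_.IsSelfSigned -or $_.NotAfter -lt (Get-Date).AddDays(30)) } |
    Format-List Thumbprint, Subject, CertificateDomains, IsSelfSigned, NotAfter

# 2. Generate a request covering the external and internal names used in the
#    question's New-ExchangeCertificate command.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.secdor.com, O=Secdor" `
    -DomainName "mail.secdor.com", "exchange" `
    -PrivateKeyExportable $true `
    -Path C:\certs\mail.secdor.com.req

# 3. Submit the request to the internal Windows CA; the CA must permit the
#    WebServer template for this server's account.
certreq -submit -config "ca01.secdor.local\SecdorIssuingCA" `
    -attrib "CertificateTemplate:WebServer" `
    C:\certs\mail.secdor.com.req C:\certs\mail.secdor.com.cer

# 4. Import the issued certificate and bind it to IIS in one pipeline.
Import-ExchangeCertificate -Path C:\certs\mail.secdor.com.cer |
    Enable-ExchangeCertificate -Services IIS

# 5. Export the CA's own certificate: this is the file each Windows Mobile
#    device needs in its trusted root store (the KB article cited below).
certutil -config "ca01.secdor.local\SecdorIssuingCA" -ca.cert C:\certs\SecdorIssuingCA.cer
```

Re-run the audit afterwards to confirm that IIS is bound to the CA-issued certificate (IsSelfSigned False) before removing the old self-signed one with Remove-ExchangeCertificate.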
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 28346944
For reference:

Self Certified Certificate Restrictions on Exchange 2007

Author Comment

ID: 28350208
Can I sign a certificate using the Windows Certification Authority? Will it be valid?

LVL 12

Expert Comment

ID: 28350599
Yes, but as I pointed out in my original message you'd have to add the Windows CA certificate to the Trusted list of CAs on all of your Windows Mobile devices.  Depending on the number of devices and if you are using any sort of management solution this could be a large undertaking.  If it's only for a few devices then it can be done manually.

See this article for more details: http://support.microsoft.com/kb/915840
LVL 76

Expert Comment

by:Alan Hardisty
ID: 28350858
Here is the relevant part of the link that I posted earlier:
Limitations of the Self-Signed Certificate
The following list describes some limitations of the self-signed certificate.

Expiration Date: The self-signed certificate is valid for one year from the date of creation in versions of Exchange 2007 that are earlier than Exchange 2007 Service Pack 2 (SP2). Self-signed certificates are valid for five years from the date of creation in Exchange 2007 SP2 or in later versions. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.

Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.

Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.

Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.


Author Comment

ID: 28352899
Thank you very much for your help. We have tested the .cer on a Windows Mobile device and on a Windows XP client and it works fine. We use few Windows Mobile devices (only 4) and for the moment we will use this self-signed certificate.

