xuti asked:
Replace an expired SSL certificate for Exchange with a self-signed one

Hello,

We use a single Exchange 2007 Enterprise server on Windows Server 2008 x64.

We had an SSL certificate that expired last week. The OWA clients get a warning (but can access) and ActiveSync clients don't work.

We don't want to renew the certificate and want to create a self-signed one using the Exchange PowerShell. The certificate is created and I can see it in the IIS certificates; the OWA clients can access webmail (they get a warning about a non-secure certificate), but ActiveSync clients don't work. They get a "non valid certificate" error, 0x80072F0D. Outlook 2007 gets an error too, but works. Outlook 2003 doesn't work; it can't connect to the server.

Have I missed something?

I use this command to create the certificate:

New-ExchangeCertificate -DomainName "mail.secdor.com", "exchange" -Services "IIS"

"mail.secdor.com" is the external name of our webmail. "exchange" is the internal name of our exchange server.

Thank you.
ASKER CERTIFIED SOLUTION
Jeff_Schertz (United States of America)
This solution is only available to members.

SOLUTION
Alan Hardisty (United Kingdom of Great Britain and Northern Ireland)
This solution is only available to members.
xuti (ASKER):
Can I sign a certificate using the Windows Certification Authority? Will it be valid?
Yes, but as I pointed out in my original message you'd have to add the Windows CA certificate to the Trusted list of CAs on all of your Windows Mobile devices. Depending on the number of devices and if you are using any sort of management solution this could be a large undertaking. If it's only for a few devices then it can be done manually.

See this article for more details: http://support.microsoft.com/kb/915840
Here is the relevant part of the link that I posted earlier:
Limitations of the Self-Signed Certificate
The following list describes some limitations of the self-signed certificate.

Expiration Date: The self-signed certificate is valid for one year from the date of creation in versions of Exchange 2007 that are earlier than Exchange 2007 Service Pack 2 (SP2). Self-signed certificates are valid for five years from the date of creation in Exchange 2007 SP2 or in later versions. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.

Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.

Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.

Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.
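The reply above turns on two operational points: knowing when the Exchange certificate expires (the asker's outage began with an expiry nobody noticed) and getting the public part of the self-signed or CA certificate onto the devices that must trust it. The following Exchange Management Shell script is an added example, not code from the thread or from Microsoft: it lists every certificate Exchange knows about with its expiry state, whether it is self-signed, and which services it is bound to, then exports one certificate's public part to a .cer file for installation in a device's trusted root store. It assumes the Exchange 2007 Management Shell is loaded (so Get-ExchangeCertificate is available); the thumbprint and output path are placeholders, and the self-signed test (issuer equal to subject) is a heuristic rather than a full chain check.

```powershell
# Added example (not from the original thread): inventory Exchange certificates,
# flag expired / soon-to-expire and self-signed ones, and export the public part
# of one certificate to a .cer file for distribution to devices that must trust it.
# Assumes the Exchange 2007 Management Shell is loaded (Get-ExchangeCertificate).
# $thumbprintToExport and $exportPath are placeholders to be replaced.

$warnDays           = 30                             # warn this many days before expiry
$thumbprintToExport = 'PLACEHOLDER_THUMBPRINT'       # placeholder: thumbprint from the listing below
$exportPath         = 'C:\Temp\exchange-cert.cer'    # placeholder output path

$now = Get-Date
foreach ($cert in Get-ExchangeCertificate) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays

    # Heuristic: a certificate whose issuer is its own subject is self-signed.
    if ($cert.Subject -eq $cert.Issuer) { $kind = 'self-signed' } else { $kind = 'CA-issued' }

    if ($cert.NotAfter -lt $now)     { $state = 'EXPIRED' }
    elseif ($daysLeft -le $warnDays) { $state = "expires in $daysLeft days" }
    else                             { $state = 'valid' }

    # Services shows which Exchange roles (IIS, SMTP, POP, IMAP) use this certificate.
    Write-Host ("{0}  {1,-11}  {2,-22}  services={3}  {4}" -f $cert.Thumbprint, $kind, $state, $cert.Services, $cert.Subject)
}

# Export only the public certificate. X509ContentType::Cert never includes the
# private key, so the resulting .cer is safe to copy to phones and workstations.
$target = Get-ExchangeCertificate -Thumbprint $thumbprintToExport
$bytes  = $target.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $bytes)
Write-Host "Exported public certificate for '$($target.Subject)' to $exportPath"
```

Run the listing first, pick the thumbprint of the certificate bound to IIS, and only then export; the .cer produced this way is the file that has to be added to each Windows Mobile device's trusted list, which is the manual per-device step the reply warns about. Note that trusting the certificate on a device does not lift the Outlook Anywhere and ActiveSync limitations the KB excerpt describes for self-signed certificates.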

xuti (ASKER):
Thank you very much for your help. We have tested the .cer on a Windows Mobile device and on a Windows XP client and it works fine. We use few Windows Mobile devices (only 4) and for the moment we will use this self-signed certificate.

Thanks!!