Exchange 2007 self-signed cert expired, replaced, now getting security popup.

A new certificate was generated and now users are getting security alerts saying "The name on the security cert is invalid or does not match the name of the site".

It says the cert is not trusted. To enable trust, install the cert in the trusted root cert auth store.

Can anyone help?

Satya Pathak, Lead Technical Consultant, commented:
Suppose we want to create a UCC self-signed certificate. We will require the following names:

#NETBIOS name of Exchange: EX-2k7 (example)
#Internal FQDN: (example)
#External FQDN (Public name): (example) (use nslookup/ping to verify the external FQDN)
#Autodiscover name: (example)
#SubjectName: (example)

In EMS, run the following command to generate the new self-signed certificate:

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" -SubjectName "" -DomainName EX-2k7,,, -PrivateKeyExportable $True

Next, enable the certificate with the Enable-ExchangeCertificate cmdlet. Enable at least IIS and SMTP.

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxx -Services POP,IMAP,SMTP,IIS

Next verify certificate has been installed using EMS/IIS Manager or both. (Sometimes you may have to remove the certificate and then install/enable certificate again).

Some important points:

1. If you are creating a self-signed certificate, it is always better to create one that has all the subject alternative names specified above. This will prevent any certificate security warnings related to name mismatch. If you are creating a single-name self-signed certificate, you would have to modify the internal URIs of multiple virtual directories as explained in KB940726. The other benefit of multiple SANs is avoiding event 12014 and similar events.

2. Autodiscover for non-domain-joined machines will work only after the record is created in external DNS.

3. You will have to install the certificate in the trusted root on client machines else you will receive a certificate warning. On Vista machines, you will have to run IE with elevated privileges to be able to install the certificate when you open OWA.

4. You can use group policy to install the certificate in trusted root (applicable only to domain joined machines). Copy to file the self-signed certificate (ideally in .p7b format) and then edit the default domain policy and import the certificate into "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities". No user intervention is required once you do this. (Users would have to install the certificate themselves on non-domain joined machines).

I had this issue with Outlook 2007/Exchange 2003; you have to make sure you issue the root certificate to the users and not the site certificate.

certificate authority is called
mail server is called

certificate issued by for  however then has the root certificate.

The root certificate is the certificate that authenticates the certificate authority. Without this, the mail server certificate is invalid to a user, as they have no way of determining if the certificate is genuine. I had to install both the root certificate and the mail server certificate to solve my issues.

To install certificate:
1. logon to Certificate authority and export the root certificate

2. save the root certificate to the desktop for easier access

4. Go to your desktop and right mouse click on the .cer file and choose install certificate

5. Click next

6. Choose “Place all certificates in the following store”

7. Click browse

8. Choose “Trusted Root Certificate Authorities”

9. Click ok

10. You will now be back at the screen in step 6, except with our selections, click next

11. Click Finish

Justin Durrant, Sr. Engineer - Windows Server/Virtualization, commented:
I would switch to a 3rd party UC\SAN cert.

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember, the cert request needs to be generated by Exchange using PowerShell.

When you get the response back from the CA, use the import-certificate command to process and enable it for SMTP, IIS, etc.
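As an added example (not code from any of the posts above), here is a PowerShell script that checks the certificate a host presents against the three criteria just listed and, as a scriptable form of the manual "install certificate" steps earlier in the thread, adds a root .cer to the machine's Trusted Root store. The host name mail.example.com and the .cer path are placeholders; the functions use only the .NET X509 classes, so they run from any Windows PowerShell prompt without the Exchange tools.

```powershell
# Added example, not from the thread: judge a host's certificate the way a client does
# (trusted chain, name match, validity period) and install a root cert if needed.
function Test-ExchangeCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate during the handshake; we evaluate it ourselves below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()

    # Names the cert is valid for: the subject CN plus every DNS entry in the SAN extension.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields "DNS Name=host1, DNS Name=host2" on Windows
        $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[-1] }
    }
    $names = $names | Sort-Object -Unique
    $nameOk = $names -contains $HostName    # criterion 2 (wildcard names not handled)

    # Criterion 1: the chain builds up to a root this machine trusts.
    # Revocation is skipped because a self-signed cert publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)          # $false with status UntrustedRoot for an uninstalled self-signed cert
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Criterion 3: the cert is current and has not expired.
    $now = Get-Date
    $dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        Host = $HostName; Thumbprint = $cert.Thumbprint; Issuer = $cert.Issuer
        Names = ($names -join ';'); NameMatches = $nameOk
        ChainTrusted = $chainOk; ChainStatus = $status
        NotAfter = $cert.NotAfter; InValidityPeriod = $dateOk
    }
}

# Scriptable form of the manual steps: add a root .cer to LocalMachine\Root (needs an elevated prompt).
# Refuses anything that is not self-issued, so a site cert is not mistakenly trusted as a root.
function Install-TrustedRoot {
    param([Parameter(Mandatory)][string]$CerPath)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    if ($root.Subject -ne $root.Issuer) { throw "Not a root/self-signed certificate: $($root.Subject)" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($root); $store.Close()
}

Test-ExchangeCertificate -HostName 'mail.example.com' | Format-List   # placeholder host name
```

Run the test before and after installing the root (or after the group policy in the first answer applies) to confirm ChainTrusted flips to True; a NameMatches of False means the SAN list, not the trust store, is what needs fixing.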

Rick Fee, Messaging Engineer - Disaster Recovery Engineer, commented:
With Exchange 2007, when the namespace is different from the IIS vdirs you will have this problem; here is the fix:

