Solved

Exchange 2007 SSL Certificates

Posted on 2011-02-10
Last Modified: 2012-05-11
Greetings,

I had recently taken over an existing Exchange 2007 implementation and yesterday realized that the SSL certificates had expired for OWA and autodiscovery. I was able to get the certificates renewed and everything seems to be working just fine at this point.

My concern is some other self-signed certificates installed within Exchange 2007 that have also expired that I need to understand and determine if I need to renew them or not.

Here is an export of all certificates installed on Exchange 2007.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ggiht1.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ggiht1.goldengaminginc.com
NotAfter           : 2/9/2013 6:13:01 PM
NotBefore          : 2/9/2011 6:13:01 PM
PublicKeySize      : 2048
RootCAType         : Registry
Services           : UM
Status             : Valid
Subject            : CN=ggiht1.goldengaminginc.com

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.ggilv.com, ggiht1, ggiht1.goldengaminginc.com, au
                     todiscover.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=Di
                     giCert Inc, C=US
NotAfter           : 2/13/2014 3:59:59 PM
NotBefore          : 2/9/2011 4:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
Services           : IMAP, POP, UM
Status             : Valid
Subject            : CN=webmail.ggilv.com, OU=Information Technology, O=Golden
                     Gaming Inc., L=Las Vegas, S=NV, C=US

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=goldengaminginc.com, O=Golden Gaming Inc., DC=goldengam
                     inginc, DC=com
NotAfter           : 2/3/2011 8:17:21 PM
NotBefore          : 2/3/2010 2:17:21 PM
PublicKeySize      : 2048
RootCAType         : Unknown
Services           : None
Status             : Invalid
Subject            : CN=goldengaminginc.com, O=Golden Gaming Inc., DC=goldengam
                     inginc, DC=com

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.goldengaminginc.com, O=Golden Gaming Inc., DC=gold
                     engaminginc, DC=com
NotAfter           : 2/3/2011 7:40:25 PM
NotBefore          : 2/3/2010 1:40:25 PM
PublicKeySize      : 2048
RootCAType         : Unknown
Services           : None
Status             : Invalid
Subject            : CN=mail.goldengaminginc.com, O=Golden Gaming Inc., DC=gold
                     engaminginc, DC=com

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ggiht1, ggiht1.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ggiht1
NotAfter           : 1/8/2011 5:38:36 PM
NotBefore          : 1/8/2010 5:38:36 PM
PublicKeySize      : 2048
RootCAType         : Registry
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=ggiht1



Question by:snosurfur
Accepted Solution

by:
michael_b_smith earned 500 total points
ID: 34866141
Well, based on what you show here - you only need a new self-signed certificate for SMTP.

 The valid values for services are IIS, SMTP, POP, IMAP, UM. You don't have ANYTHING specified for IIS (which surprises me). But you have the other services handled just fine.

To create a new self-signed certificate for SMTP, just:

Get-ExchangeCertificate -DomainName ggiht1, ggiht1.goldengaminginc.com |
    New-ExchangeCertificate -Services SMTP
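The reasoning in the accepted answer, worked through as an added example that is not part of the original thread: for each service name the answer lists, check whether any unexpired certificate is bound to it. The function name `Get-ServiceCertCoverage` and the sample objects (constructed from the listing in the question, subjects shortened to the CN) are assumptions, as is PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later.
function Get-ServiceCertCoverage {
    param(
        [object[]] $Certificate,
        [datetime] $AsOf = (Get-Date)
    )
    # Service names are the valid values listed in the accepted answer.
    foreach ($svc in 'IIS', 'SMTP', 'POP', 'IMAP', 'UM') {
        # Services renders as a comma-separated list such as "UM, SMTP".
        $bound = @($Certificate | Where-Object {
            ("$($_.Services)" -split ',\s*') -contains $svc
        })
        # Of the certificates bound to this service, keep the unexpired ones.
        $valid = @($bound | Where-Object { $_.NotAfter -gt $AsOf })

        if     ($bound.Count -eq 0) { $state = 'NoCertificate' }
        elseif ($valid.Count -eq 0) { $state = 'ExpiredOnly' }
        else                        { $state = 'Covered' }

        New-Object PSObject -Property @{
            Service = $svc
            State   = $state
            BoundTo = ($bound | ForEach-Object { $_.Subject }) -join '; '
        } | Select-Object Service, State, BoundTo
    }
}

# Constructed sample: Subject, Services and NotAfter (date only) taken from
# the five entries in the question's listing.
$sample = @(
    @{ Subject = 'CN=ggiht1.goldengaminginc.com'; Services = 'UM';            NotAfter = [datetime]'2013-02-09' },
    @{ Subject = 'CN=webmail.ggilv.com';          Services = 'IMAP, POP, UM'; NotAfter = [datetime]'2014-02-13' },
    @{ Subject = 'CN=goldengaminginc.com';        Services = 'None';          NotAfter = [datetime]'2011-02-03' },
    @{ Subject = 'CN=mail.goldengaminginc.com';   Services = 'None';          NotAfter = [datetime]'2011-02-03' },
    @{ Subject = 'CN=ggiht1';                     Services = 'UM, SMTP';      NotAfter = [datetime]'2011-01-08' }
) | ForEach-Object { New-Object PSObject -Property $_ }

# Evaluate as of the date the question was posted.
Get-ServiceCertCoverage -Certificate $sample -AsOf ([datetime]'2011-02-10')

# On an Exchange server, feed it the live objects instead:
#   Get-ServiceCertCoverage -Certificate (Get-ExchangeCertificate)
```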
 

Author Comment

by:snosurfur
ID: 34866525
I thought not seeing anything for IIS was surprising as well.  But everything is working just fine.  Would you know what a possible cause for that is?


Expert Comment

by:michael_b_smith
ID: 34867094
You could have a firewall or an ISA/TMG/UAG (or similar) server which is doing SSL termination and then forwarding the decrypted packet to the Exchange server(s).