Solved

Exchange 2007 SSL Certificates

Posted on 2011-02-10
3
711 Views
Last Modified: 2012-05-11
Greetings,

I had recently taken over an existing Exchange 2007 implementation and yesterday realized that the SSL certificates had expired for owa and autodiscovery.  I was able to get the certificates renewed and everything seems to be working just fine at this point.

My concern is some other self signed certificates installed within Exchange 2007 that have also expired that I need to understand and determine if I need to renew them or not.

Here is an export of all certificates installed on Exchange 2007.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ggiht1.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ggiht1.goldengaminginc.com
NotAfter           : 2/9/2013 6:13:01 PM
NotBefore          : 2/9/2011 6:13:01 PM
PublicKeySize      : 2048
RootCAType         : Registry
Services           : UM
Status             : Valid
Subject            : CN=ggiht1.goldengaminginc.com

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.ggilv.com, ggiht1, ggiht1.goldengaminginc.com, au
                     todiscover.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=Di
                     giCert Inc, C=US
NotAfter           : 2/13/2014 3:59:59 PM
NotBefore          : 2/9/2011 4:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
Services           : IMAP, POP, UM
Status             : Valid
Subject            : CN=webmail.ggilv.com, OU=Information Technology, O=Golden
                     Gaming Inc., L=Las Vegas, S=NV, C=US

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=goldengaminginc.com, O=Golden Gaming Inc., DC=goldengam
                     inginc, DC=com
NotAfter           : 2/3/2011 8:17:21 PM
NotBefore          : 2/3/2010 2:17:21 PM
PublicKeySize      : 2048
RootCAType         : Unknown
Services           : None
Status             : Invalid
Subject            : CN=goldengaminginc.com, O=Golden Gaming Inc., DC=goldengam
                     inginc, DC=com

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.goldengaminginc.com, O=Golden Gaming Inc., DC=gold
                     engaminginc, DC=com
NotAfter           : 2/3/2011 7:40:25 PM
NotBefore          : 2/3/2010 1:40:25 PM
PublicKeySize      : 2048
RootCAType         : Unknown
Services           : None
Status             : Invalid
Subject            : CN=mail.goldengaminginc.com, O=Golden Gaming Inc., DC=gold
                     engaminginc, DC=com

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ggiht1, ggiht1.goldengaminginc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ggiht1
NotAfter           : 1/8/2011 5:38:36 PM
NotBefore          : 1/8/2010 5:38:36 PM
PublicKeySize      : 2048
RootCAType         : Registry
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=ggiht1



0
Comment
Question by:snosurfur
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
michael_b_smith earned 500 total points
ID: 34866141
Well, based on what you show here - you only need a new self-signed certificate for SMTP.

 The valid values for services are IIS, SMTP, POP, IMAP, UM. You don't have ANYTHING specified for IIS (which surprises me). But you have the other services handled just fine.

To create a new self-signed certificate for SMTP, just:

Get-ExchangeCertificate -DomainN ggiht1, ggiht1.goldengaminginc.com |
    New-ExchangeCertificate -Services SMTP
0
 

Author Comment

by:snosurfur
ID: 34866525
I thought not seeing anything for IIS was surprising as well.  But everything is working just fine.  Would you know what a possible cause for that is?

0
 
LVL 5

Expert Comment

by:michael_b_smith
ID: 34867094
You could have a firewall or an ISA/TMG/UAG (or similar) server which is doing SSL termination; and then forwarding the decrypted packet to the Exchange server(s).
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Updating Email Addresses in exchange 2013 2 21
Exchange - Retention Policy 4 31
problem with default throttling policy 2 20
exchange, email gateway 2 27
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question