How do I renew a self-signed cert in Exchange 2007?

Posted on 2011-02-15
Last Modified: 2012-05-11
We run Exchange 2007 here and use a self-signed certificate. I am running into trouble renewing the certificate, installing it, and exporting it for use on our Windows Mobile devices so we can get email on our devices. If anyone has done this before, I would appreciate it.
Question by:Jryals8900

Accepted Solution

by:
dbllp earned 2000 total points
ID: 34900341
To renew the certificate for server server.network.com, a server with CAS and HT roles installed:

Get-ExchangeCertificate -DomainName "server.network.com" | fl

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.

Get a new certificate with a new expiration date:

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

To create a new certificate with an exportable private key, use the PrivateKeyExportable parameter. For example:
New-ExchangeCertificate -PrivateKeyExportable $true
If the existing certificate is being used as the default SMTP certificate, you will get the following prompt. The default SMTP certificate is used to encrypt SMTP sessions between transport servers in your organization.

Type y to continue. A new certificate is generated.

The new certificate is generated and enabled. Examine the new certificate:

Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl

The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – IIS is missing.

You can enable the certificate for IIS (in addition to any other services it may already be enabled for — it adds to existing values of the certificate’s Services property).

Note: Once you enable a certificate for a particular Exchange Server service, there’s no way to disable it (for that service). You must remove the certificate (if the certificate is CA-issued, export the certificate along with its private key before you do so), import it again and enable it for the services you need to. This is generally not a concern with self-signed certificates— you can generate additional self-signed certificates and optionally remove the old one, since there’s no CA interaction or costs involved.

Setting the Services parameter to None does not do anything in this case.

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS

Test services are working with the new certificate. If it works as expected, the old certificate can be removed:

Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"

Obviously you will have to use the thumbprints from your system; mine are just examples.

Author Comment

by:Jryals8900
ID: 34900442
And how do you export it?

Assisted Solution

by:dbllp
dbllp earned 2000 total points
ID: 34900472
Export-ExchangeCertificate -Thumbprint <String> [-BinaryEncoded <SwitchParameter>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-Password <SecureString>] [-Path <String>] [-WhatIf [<SwitchParameter>]]

Expert Comment

by:dbllp
ID: 34900483
You only need to specify the thumbprint and path. For the path, it should be like c:\certificate.pfx

But you can name it whatever; it should end in pfx if you plan to use it on devices.
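
The renewal and export steps from the answers above, collected into one Exchange Management Shell session (an added example, not part of the original posts). It assumes Exchange 2007 SP1 or later so that Export-ExchangeCertificate is available; the thumbprint placeholder, the C:\certexport folder and the file names are hypothetical. Beyond what the thread covers, it also writes the public certificate alone as a .cer file, which is enough for a device that only needs to trust the server, and protects the .pfx containing the private key with a password.

```powershell
# Added example: run in the Exchange Management Shell on the CAS/HT server.
$oldThumb = '<OLD-CERT-THUMBPRINT>'   # placeholder: use the thumbprint from your server
$outDir   = 'C:\certexport'           # hypothetical export folder, must already exist

# 1. Record the old certificate's services and expiry before changing anything.
$old = Get-ExchangeCertificate -Thumbprint $oldThumb
Write-Host "Old: services=$($old.Services) expires=$($old.NotAfter)"

# 2. Renew from the old certificate, asking for an exportable private key
#    (the two New-ExchangeCertificate forms from the answer, combined).
$new = $old | New-ExchangeCertificate -PrivateKeyExportable $true

# 3. The renewed certificate does not inherit IIS, so add it when the old one had it.
if ("$($old.Services)" -match 'IIS') {
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
}
$new = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
Write-Host "New: services=$($new.Services) expires=$($new.NotAfter)"

# 4. Public certificate only (DER .cer): it contains no private key, so it can be
#    copied to devices that only need to trust the server.
$x509 = Get-Item "Cert:\LocalMachine\My\$($new.Thumbprint)"
$der  = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("$outDir\server-public.cer", $der)

# 5. Certificate plus private key (.pfx), protected by a password typed at the
#    prompt rather than written into the command.
$pfxPassword = Read-Host 'Password for the PFX' -AsSecureString
Export-ExchangeCertificate -Thumbprint $new.Thumbprint -BinaryEncoded:$true `
    -Path "$outDir\server-backup.pfx" -Password:$pfxPassword

# 6. Only after OWA, ActiveSync and SMTP have been tested against the new certificate:
# Remove-ExchangeCertificate -Thumbprint $oldThumb
```

Keep the .pfx in a folder with restricted NTFS permissions: anyone who holds the file and its password can present the server's identity.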

Expert Comment

by:dbllp
ID: 34907657
Sorry about that... just reposting a valid answer.

Didn't think it was plagiarism... as I could have typed all that out myself, but why reinvent the wheel.

Won't happen again... I will just type everything out myself in the future.