Solved

Exchange Server 2007 certificate has been renewed

Posted on 2011-03-10
Last Modified: 2012-05-11
The Exchange server certificate in our environment has been renewed, but users are still getting that annoying message about the certificate, and even when you check OWA that certificate issue comes up. I also noticed something strange: when the certificate was renewed it showed that it will expire after 5 years. What could be wrong? I ran get-ExchangeCertificate | fl; the output is as follows:

[PS] C:\Windows\system32>get-ExchangeCertificate |fl
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-EL-EX01, DOHS-ELT-EX01.echouse.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-EL-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-EL-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598



Question by:nobs

30 Comments
 
Expert Comment by Glen Knight (LVL 74), ID: 35093457
Sounds like you are using a self-signed certificate.

Can you try the following utility for managing your SSL certificate in Exchange 2007: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/

I also notice you don't have autodiscover.echouse.co.za in your certificate, which is a requirement under normal circumstances with Exchange 2007.

Author Comment by nobs, ID: 35093642
Let me try enabling autodiscover and then check out the utility

Expert Comment by Navdeep (LVL 12), ID: 35093791
Also check if you have saved the certificate in the local store on the user's machine; in that case you need to update the old cert with the new one.

Author Comment by nobs, ID: 35093887
How do I enable autodiscover? Many documents are leading me in different directions.

Expert Comment by Glen Knight (LVL 74), ID: 35093890
Autodiscover is enabled by default, but the autodiscover.echouse.co.za name needs to be in the certificate.

Author Comment by nobs, ID: 35093921
@demazter: I have used the utility; it has been enabled.

Expert Comment by Glen Knight (LVL 74), ID: 35093923
Excellent, and is it now working?

Author Comment by nobs, ID: 35093937
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Housing, DOHS-house-EX01, DOHS-house-EX01.echouse.co.za,
                      autodiscover.echouseg.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Housing, O=Department of Human Settlements, L=East Lond
                     on, S="", C=SA
NotAfter           : 3/10/2016 2:02:56 PM
NotBefore          : 3/10/2011 2:02:56 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1FA28981B270DD874E24AE76ABC5BC3C
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Housing, O=Department of Human Settlements, L=East Lond
                     on, S="", C=SA
Thumbprint         : 5D20E0424C06FE9901598722424AC61F0B9164D2

Author Comment by nobs, ID: 35093948
Let me check, will get back to you now now.

Expert Comment by Navdeep (LVL 12), ID: 35093953
Since this is a self-signed cert, do you have this cert present on the client machine as well?

Expert Comment by Glen Knight (LVL 74), ID: 35093968
If they are part of the domain then the certificate should already be trusted, so this isn't an issue.

Author Comment by nobs, ID: 35093989
Removing the old certificate gives me this error:

[PS] C:\Windows\system32>Remove-ExchangeCertificate -thumbprint "FAEB8CD5F1601C5
6EB18DAE463DEF503DF8B3598"
Remove-ExchangeCertificate : The internal transport certificate cannot be remov
ed because that would cause the Microsoft Exchange Transport service to stop. T
o replace the internal transport certificate, create a new certificate. The new
 certificate will automatically become the internal transport certificate. You
can then remove the existing certificate.
Parameter name: Thumbprint
At line:1 char:27
+ Remove-ExchangeCertificate <<<<  -thumbprint "FAEB8CD5F1601C56EB18DAE463DEF50
3DF8B3598"
    + CategoryInfo          : InvalidArgument: (:) [Remove-ExchangeCertificate
   ], ArgumentException
    + FullyQualifiedErrorId : 76574613,Microsoft.Exchange.Management.SystemCon
   figurationTasks.RemoveExchangeCertificate

Expert Comment by Glen Knight (LVL 74), ID: 35093993
Restart the Microsoft Exchange Transport Service and try again.

Author Comment by nobs, ID: 35094098
Still getting the same error message, even after I have restarted the server.

Expert Comment by Glen Knight (LVL 74), ID: 35094103
Are you still getting the error on the clients though?
 

Author Comment by nobs, ID: 35094155
Yes, they are.

Expert Comment by Navdeep (LVL 12), ID: 35094165
Demazter, don't you think that I would need a CA to validate a self-signed cert?

Expert Comment by Navdeep (LVL 12), ID: 35094880
For testing purposes, export the cert:

http://technet.microsoft.com/en-us/library/aa996305%28EXCHG.80%29.aspx

You can choose not to give the password attribute,

and import and store it in the local cert store on the client machine,
or simply try to open OWA and save the cert to the local client store from there.

Regarding remove-cert:

Can you post the get-exchangecert output?
Don't use fl.
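Navdeep's export-and-import test, written out as an added PowerShell example that is not part of the original thread. It uses the Cert: drive and the .NET X509Store class rather than the Export-ExchangeCertificate cmdlet linked above, so that only the public certificate (never the private key) leaves the server; the thumbprint, file paths and share name are placeholders, and the chain check at the end is my addition.

```powershell
# Added example, not from the thread. Copies the public half of a self-signed Exchange
# certificate to a test client's Trusted Root store and checks that Windows now builds a
# chain for it. Thumbprint and paths are placeholders; take the thumbprint from
# Get-ExchangeCertificate on your own server.

# ---- On the Exchange server: export the certificate WITHOUT its private key ----
function Export-PublicCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # value from the Thumbprint column
        [Parameter(Mandatory)] [string] $Path          # destination .cer file
    )
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    # X509ContentType 'Cert' is DER with the public key only, so the private key stays on the server.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $cert.Thumbprint
}

# ---- On the test client: add it to Trusted Root Certification Authorities and verify ----
function Import-TrustedRootCertificate {
    param([Parameter(Mandatory)] [string] $Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')          # needs an elevated shell on the client
    try     { $store.Add($cert) }     # Add is a no-op if the same certificate is already present
    finally { $store.Close() }

    # Build the chain the way Outlook and the browser do. A self-signed certificate carries no
    # CRL location, so revocation checking is skipped here to isolate the trust question.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Trusted    = $trusted
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (placeholders):
#   on the server : Export-PublicCertificate -Thumbprint '0000000000000000000000000000000000000000' -Path 'C:\temp\exchange.cer'
#   on the client : Import-TrustedRootCertificate -Path '\\fileserver\share\exchange.cer' | Format-List
```

Because a self-signed certificate's Subject and Issuer are the same, it only chains once the public certificate sits in Trusted Root Certification Authorities; a copy placed in the Personal store does nothing for trust. If Trusted comes back False, the Status column names the reason (for example UntrustedRoot when the import went to the wrong store).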
 

Author Comment by nobs, ID: 35094964
[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
2CCBA5F5592FF75D225810F5FE038BA91B63E489  IP..S      CN=DOHS-CENT-EX01.echou...
FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598  IP.WS      CN=DOHS-CENT-EX01

Expert Comment by Navdeep (LVL 12), ID: 35095512
Hi,

FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598  IP.WS      CN=DOHS-CENT-EX01

is associated with the web service (OWA).

Sign the cert mentioned below for the web service:

2CCBA5F5592FF75D225810F5FE038BA91B63E489  IP..S      CN=DOHS-CENT-EX01.echou...

then try to remove it.

Author Comment by nobs, ID: 35095596
Now how do I enable autodiscover for echousing.gov.za? Because the minute I remove the one below, I am left with this:

[PS] C:\Windows\system32>Get-ExchangeCertificate |fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-CENT-EX01, DOHS-CENT-EX01.echousing.gov.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-CENT-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-CENT-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598

Author Comment by nobs, ID: 35106488
@v-2nas: I am interested in the CA certificates that can be used to validate a self-signed certificate.

Expert Comment by Navdeep (LVL 12), ID: 35106575
For Autodiscover:

http://technet.microsoft.com/en-us/library/aa998327%28EXCHG.80%29.aspx

IncludeAutoDiscover    Optional    System.Management.Automation.SwitchParameter

Use this parameter to add the prefix "autodiscover" to each domain name that is generated for the resulting certificate. You can only specify this parameter when you are running this cmdlet on an Exchange server that has the Client Access server role installed. Note: This parameter will not add the "autodiscover" prefix if the domain name already contains the prefix.

Also check Services. [All in the above link]

Setting up trusted internal certificates is in itself another complete (and a little complex) topic. I would suggest going through the PKI (Public Key Infrastructure) deployment guide available at technet.microsoft.com.
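The two pieces of advice above, Navdeep's "enable the web service on the other certificate, then remove the old one" and the IncludeAutoDiscover switch, combined into one Exchange Management Shell sequence. This is an added example, not code from the thread or from Microsoft; it also shows why the "internal transport certificate cannot be removed" error earlier in the thread goes away once SMTP is moved to the new certificate. Server names, the client-facing name and the old thumbprint are placeholders to replace with your own Get-ExchangeCertificate values.

```powershell
# Added example, not from the thread: replace a self-signed Exchange 2007 certificate with a new
# self-signed one that also carries the autodiscover name, bind IIS and SMTP to it, and only then
# remove the old one, which avoids the "internal transport certificate cannot be removed" error.
# Run in the Exchange Management Shell on the Client Access server. All names and the old
# thumbprint are placeholders: substitute the values from your own Get-ExchangeCertificate output.

$serverName    = 'EXSERVER01'                                # placeholder NetBIOS name
$serverFqdn    = 'exserver01.corp.example'                   # placeholder internal FQDN
$mailName      = 'mail.example.com'                          # placeholder name clients use for OWA
$oldThumbprint = '0000000000000000000000000000000000000000'  # placeholder: the certificate being retired

# 1. Create the new self-signed certificate. Per the TechNet text quoted above, -IncludeAutoDiscover
#    adds the "autodiscover." prefix to the generated domain names, so it does not have to be typed.
$new = New-ExchangeCertificate -SubjectName "CN=$mailName" `
                               -DomainName $serverName, $serverFqdn, $mailName `
                               -IncludeAutoDiscover `
                               -PrivateKeyExportable $true `
                               -KeySize 2048

# 2. Verify the names and validity before any service is moved to it.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Subject, CertificateDomains, NotBefore, NotAfter, IsSelfSigned, Services

# 3. Bind the web services (OWA, Autodiscover, EWS) and SMTP to the new certificate. Once SMTP is
#    enabled on it, it becomes the internal transport certificate and the old one is no longer
#    protected from removal. Answer the prompt if the shell asks about replacing the default.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IIS, SMTP"

# 4. Restart transport so the new internal transport certificate is in use before the old one goes.
Restart-Service MSExchangeTransport

# 5. Show what the old certificate is still marked for, then remove it.
Get-ExchangeCertificate -Thumbprint $oldThumbprint | Format-List Subject, Services, NotAfter
Remove-ExchangeCertificate -Thumbprint $oldThumbprint

# 6. Final check. In the table view the Services column is five flags: I=IMAP, P=POP, U=UM,
#    W=IIS (web), S=SMTP, so "IP.WS" in the thread above means IMAP, POP, IIS and SMTP.
Get-ExchangeCertificate
```

The order matters: enable first, restart transport, then remove. Removing first is exactly what produced the ArgumentException in the thread, because Exchange refuses to drop the certificate the transport service is currently using.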
 

Author Comment by nobs, ID: 35108064
I managed to troubleshoot some more and I found that there was a CA server around that had crashed, and all the machines are still getting this certificate from there.

Now how do I configure the Certificate Authority to manage Exchange certificates?

Author Comment by nobs, ID: 35108567
How do I publish the Exchange certificate via the CA, since the CA was installed after the Exchange certificate had been issued?

Author Comment by nobs, ID: 35138321
I managed to figure it out. There was a server that was running the CA before, which had crashed; no one told me about it. Only when I was troubleshooting from the client side did I see that the path originates from the server that had crashed. The Exchange Server certificates are fine.

Expert Comment by Navdeep (LVL 12), ID: 35138367
:) Good to know you got the culprit.

Accepted Solution by nobs (earned 0 total points), ID: 35138490
@v-2nas: but now they have not been backing up the CA databases of the crashed server, and Outlook on the user side still shows the path of the old server, which has now been rebuilt again. This server was a domain controller and was running the enterprise root CA for the domain. Since the crash, all the machines in the domain are even now still seeing that old CA server.

Expert Comment by Navdeep (LVL 12), ID: 35138572
It must be coming from GPO; I haven't worked much with CA.

Author Closing Comment by nobs, ID: 35178900
The root of the problem was a crashed CA server, which we discovered from examining the user certificate path.
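The client-side check that resolved this thread, examining the certificate path from the user's machine, as an added PowerShell example that is not part of the thread. It fetches the certificate an OWA host presents and prints the chain Windows builds for it, so a crashed or rebuilt CA shows up as a named chain element and status rather than as a generic warning. The host name is a placeholder, and the choice of an online revocation check and the SAN extraction are mine, not something the thread specifies.

```powershell
# Added example, not from the thread: from a client, fetch the certificate an OWA host presents
# and walk the chain Windows builds for it, so a dead or replaced CA is visible by name.
# Host name is a placeholder. Run on a domain-joined client, where the result reflects what
# Outlook and the browser actually see.

function Get-OwaCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # OWA / Autodiscover name clients use (placeholder)
        [int] $Port = 443
    )
    # Accept whatever the server sends: we are inspecting the certificate here, not trusting it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    # Build the path the same way Outlook and IE do, including a revocation check. A CA that no
    # longer exists typically surfaces here as RevocationStatusUnknown / OfflineRevocation, and a
    # CA rebuilt with a new key as UntrustedRoot or PartialChain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($leaf)

    # Subject Alternative Name (OID 2.5.29.17): the name clients connect to must be listed here
    # (or be the CN), otherwise the name-mismatch warning appears even with a trusted chain.
    $san = $leaf.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Host           = $HostName
        Subject        = $leaf.Subject
        Issuer         = $leaf.Issuer
        SelfSigned     = ($leaf.Subject -eq $leaf.Issuer)
        NotAfter       = $leaf.NotAfter
        Thumbprint     = $leaf.Thumbprint
        SubjectAltName = $san
        ChainValid     = $valid
        ChainStatus    = ($chain.ChainStatus |
                            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        # Leaf first, then each issuer up to the root: this is the "path" nobs looked at.
        Path           = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

# Usage (placeholder host name):
#   Get-OwaCertificateChain -HostName 'mail.example.com' | Format-List
```

Compare Path against the Issuer values in the Get-ExchangeCertificate output on the server: if the client walks to a CA subject that the server's current certificate was never issued by, the client is trusting (or failing to trust) a stale CA, which is the situation described in the closing comments. Thumbprint should match the server-side value as well; a mismatch means something in between (a proxy, a load balancer, or a different server) is presenting its own certificate.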