Exchange Server 2007 certificate has been renewed

The Exchange server in our environment has been renewed, but users are still getting that annoying message about the certificate, and even when you check OWA, that certificate issue comes up. I also noticed something strange: when the certificate was renewed it showed that it will expire after 5 years. What could be wrong? I ran get-ExchangeCertificate | fl; the output is as follows:

[PS] C:\Windows\system32>get-ExchangeCertificate |fl
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-EL-EX01, DOHS-ELT-EX01.echouse.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-EL-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-EL-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598



nobsAsked:
nobsConnect With a Mentor Author Commented:
@v-2nas: but now they have not been backing up the CA databases of the crashed server, and Outlook on the user side still shows the path of the old server, which has now been rebuilt again. This server was a domain controller and was running the enterprise root CA for the domain. Since the crash, all the machines in the domain are still seeing that old CA server.
0
 
Glen KnightCommented:
Sounds like you are using a self-signed certificate.

Can you try the following utility for managing your SSL certificate in Exchange 2007: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/

I also notice you don't have autodiscover.echouse.co.za in your certificate, which is a requirement under normal circumstances with Exchange 2007.
0
 
nobsAuthor Commented:
Let me try enabling autodiscover and then check out the utility
0
 
NavdeepCommented:
Also check whether you have saved the certificate in the local store on the user's machine; in that case you need to replace the old cert with the new one.
0
 
nobsAuthor Commented:
How do I enable autodiscover? Many documents are leading me in different directions.
0
 
Glen KnightCommented:
Autodiscover is enabled by default, but the autodiscover.echouse.co.za name needs to be in the certificate.
0
 
nobsAuthor Commented:
@demazter: I have used the utility; it has been enabled.
0
 
Glen KnightCommented:
Excellent, and is it now working?
0
 
nobsAuthor Commented:
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Housing, DOHS-house-EX01, DOHS-house-EX01.echouse.co.za,
                      autodiscover.echouseg.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Housing, O=Department of Human Settlements, L=East Lond
                     on, S="", C=SA
NotAfter           : 3/10/2016 2:02:56 PM
NotBefore          : 3/10/2011 2:02:56 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1FA28981B270DD874E24AE76ABC5BC3C
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Housing, O=Department of Human Settlements, L=East Lond
                     on, S="", C=SA
Thumbprint         : 5D20E0424C06FE9901598722424AC61F0B9164D2
0
 
nobsAuthor Commented:
Let me check; will get back to you now now.
0
 
NavdeepCommented:
Since this is a self-signed cert, do you have this cert present on the client machine as well?
0
 
Glen KnightCommented:
If they are part of the domain then the certificate should already be trusted so this isn't an issue.
0
 
nobsAuthor Commented:
Removing the old certificate gives me this error:



[PS] C:\Windows\system32>Remove-ExchangeCertificate -thumbprint "FAEB8CD5F1601C5
6EB18DAE463DEF503DF8B3598"
Remove-ExchangeCertificate : The internal transport certificate cannot be remov
ed because that would cause the Microsoft Exchange Transport service to stop. T
o replace the internal transport certificate, create a new certificate. The new
 certificate will automatically become the internal transport certificate. You
can then remove the existing certificate.
Parameter name: Thumbprint
At line:1 char:27
+ Remove-ExchangeCertificate <<<<  -thumbprint "FAEB8CD5F1601C56EB18DAE463DEF50
3DF8B3598"
    + CategoryInfo          : InvalidArgument: (:) [Remove-ExchangeCertificate
   ], ArgumentException
    + FullyQualifiedErrorId : 76574613,Microsoft.Exchange.Management.SystemCon
   figurationTasks.RemoveExchangeCertificate
0
 
Glen KnightCommented:
Restart the Microsoft Exchange Transport Service and try again.
0
 
nobsAuthor Commented:
Still getting the same error message, even after I have restarted the server.
0
 
Glen KnightCommented:
Are you still getting the error on the clients though?
0
 
nobsAuthor Commented:
Yes, they are.
0
 
NavdeepCommented:
Demazter, don't you think that I would need a CA to validate a self-signed cert?
0
 
NavdeepCommented:
For testing purposes, export the cert:

http://technet.microsoft.com/en-us/library/aa996305%28EXCHG.80%29.aspx

You can choose not to give the password attribute.

Then import and store it in the local cert store on the client machine, or simply try to open OWA and save the cert to the local client store from there.

Regarding remove-cert:

Can you post the get-exchangecert output?
Don't use fl.
0
 
nobsAuthor Commented:
[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
2CCBA5F5592FF75D225810F5FE038BA91B63E489  IP..S      CN=DOHS-CENT-EX01.echou...
FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598  IP.WS      CN=DOHS-CENT-EX01
0
 
NavdeepCommented:
Hi,

FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598  IP.WS      CN=DOHS-CENT-EX01

is associated with the web service (OWA).

Sign the cert mentioned below for the web service:

2CCBA5F5592FF75D225810F5FE038BA91B63E489  IP..S      CN=DOHS-CENT-EX01.echou...

then try to remove it.
0
 
nobsAuthor Commented:
Now how do I enable autodiscover for echousing.gov.za? Because the minute I remove the one below, I am left with this:

[PS] C:\Windows\system32>Get-ExchangeCertificate |fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-CENT-EX01, DOHS-CENT-EX01.echousing.gov.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-CENT-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-CENT-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598
0
 
nobsAuthor Commented:
@v-2nas: I am interested in the CA certificates that can be used to validate a self-signed certificate.
0
 
NavdeepCommented:
For Autodiscover

http://technet.microsoft.com/en-us/library/aa998327%28EXCHG.80%29.aspx

IncludeAutoDiscover Optional System.Management.Automation.SwitchParameter

Use this parameter to add the prefix "autodiscover" to each domain name that is generated for the resulting certificate. You can only specify this parameter when you are running this cmdlet on an Exchange server that has the Client Access server role installed. Note: This parameter will not add the "autodiscover" prefix if the domain name already contains the prefix.

Also check Services. [All in the above link]

Setting up trusted internal certificates is in itself another complete (and somewhat complex) topic. I would suggest going through the PKI (Public Key Infrastructure) deployment guide available at technet.microsoft.com.
0
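The sequence the thread arrives at (create a certificate that carries the autodiscover name, bind it to the services, and only then remove the old one so the "internal transport certificate" error does not fire), as an added example that is not from the thread; the host and domain names are assumed placeholders, and the old thumbprint is the one shown in the thread.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 server. Host and domain names are placeholders for the real ones.
$fqdn  = "DOHS-CENT-EX01.echousing.gov.za"          # assumed server FQDN
$names = @("mail.echousing.gov.za", $fqdn, "DOHS-CENT-EX01")
$old   = "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"  # old cert thumbprint from the thread

# 1. Create a new self-signed certificate. -IncludeAutoDiscover adds
#    "autodiscover.<domain>" for each domain name so Outlook's Autodiscover
#    lookups match the certificate; -Services binds it to SMTP immediately, which
#    makes it the internal transport certificate (what the error message asks for).
$new = New-ExchangeCertificate -SubjectName "CN=$fqdn" -DomainName $names `
           -IncludeAutoDiscover -PrivateKeyExportable $true `
           -Services "IIS,SMTP,POP,IMAP"

# 2. Make sure the new certificate (not the old one) is the one bound to IIS/OWA
#    and SMTP. Enable-ExchangeCertificate is the explicit form of this step.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 3. Review the bindings before touching the old certificate: the new thumbprint
#    should list IIS and SMTP, and its CertificateDomains should contain the
#    autodiscover name.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, CertificateDomains -AutoSize

# 4. Remove the old certificate only after step 3 looks right. Once another
#    certificate holds the transport role, Remove-ExchangeCertificate no longer
#    refuses with "The internal transport certificate cannot be removed".
Remove-ExchangeCertificate -Thumbprint $old -Confirm:$false
```

Domain-joined clients trust the server's self-signed certificate only if it has been distributed to their Trusted Root store, so the client-side warning can persist even after these steps succeed on the server.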
 
nobsAuthor Commented:
I managed to troubleshoot some more and I found that there was a CA server around that had crashed, and all the machines are still getting this certificate from there.

Now how do I configure the Certificate Authority to manage Exchange certificates?
0
 
nobsAuthor Commented:
How do I publish the Exchange certificate via the CA, since the CA was installed after the Exchange certificate had been issued?
0
 
nobsAuthor Commented:
I managed to figure it out. There was a server that was running CA before, which had crashed; no one told me about it, and only when I was troubleshooting from the client side did I see the path originating from the server that had crashed. The Exchange Server certificates are fine.
0
 
NavdeepCommented:
:) Good to know you got the culprit.
0
 
NavdeepCommented:
It must be coming from GPO. I haven't worked much with CA.
0
 
nobsAuthor Commented:
The root of the problem was a crashed CA server, which we discovered by examining the user certificate path.
0
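The client-side check that resolved the thread (looking at which certificate the client actually receives and where its chain leads), as an added example that is not from the thread: it fetches the certificate the OWA endpoint presents and builds the chain the way a client would, so an issuer that is unreachable or no longer trusted (the crashed CA in this case) shows up in the chain status. The host name is an assumed placeholder.

```powershell
# Added example, not from the thread. Run on a client workstation to see which
# certificate the OWA endpoint really presents and whether its chain builds.
# The server name is a placeholder; replace it with the real OWA host.
param([string]$Server = "DOHS-CENT-EX01.echousing.gov.za", [int]$Port = 443)

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    # Accept whatever the server sends during the handshake; we inspect it below.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
             ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close()
} finally {
    $client.Close()
}

# Subject Alternative Name extension (OID 2.5.29.17) holds the autodiscover name, if any.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) -> $($cert.NotAfter)"
"SANs       : $(if ($san) { $san.Format($false) } else { '(none)' })"

# Build the chain with online revocation checking, as a client would: a CA that
# is offline or no longer trusted is reported in ChainStatus instead of passing.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$ok = $chain.Build($cert)
"Chain OK   : $ok"
foreach ($e in $chain.ChainElements) { "  -> $($e.Certificate.Subject)  (issuer: $($e.Certificate.Issuer))" }
foreach ($s in $chain.ChainStatus)   { "  status: $($s.Status) - $($s.StatusInformation)" }
```

The last chain element's issuer is the CA the client is actually relying on; if that is a server that no longer exists, the warning comes from the client's trust path, not from the Exchange certificate itself.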