nobs asked:
Exchange Server 2007 certificate has been renewed

The Exchange server's certificate in our environment has been renewed, but users are still getting that annoying message about the certificate, and even when you check OWA, the certificate issue comes up. I also noticed something strange: when the certificate was renewed it showed that it will expire after 5 years. What could be wrong? I ran get-ExchangeCertificate | fl; the output is as follows:

[PS] C:\Windows\system32>get-ExchangeCertificate |fl
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-EL-EX01, DOHS-ELT-EX01.echouse.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-EL-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-EL-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598

Glen Knight:

Sounds like you are using a self-signed certificate.

Can you try the following utility for managing your SSL Certificate in Exchange 2007: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/

I also notice you don't have autodiscover.echouse.co.za in your certificate, which is a requirement under normal circumstances with Exchange 2007.
nobs (ASKER):

Let me try enabling autodiscover and then check out the utility.

Also check if you have saved the certificate in the local store on the user's machine; in that case you need to update the old cert with the new one.
nobs (ASKER):

How do I enable autodiscover? Many documents are leading me in different directions.

Autodiscover is enabled by default, but the autodiscover.echouse.co.za name needs to be in the certificate.
nobs (ASKER):

@demazter: I have used the utility; it has been enabled.

Excellent, and is it now working?
nobs (ASKER):

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Housing, DOHS-house-EX01, DOHS-house-EX01.echouse.co.za, autodiscover.echouseg.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Housing, O=Department of Human Settlements, L=East London, S="", C=SA
NotAfter           : 3/10/2016 2:02:56 PM
NotBefore          : 3/10/2011 2:02:56 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1FA28981B270DD874E24AE76ABC5BC3C
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Housing, O=Department of Human Settlements, L=East London, S="", C=SA
Thumbprint         : 5D20E0424C06FE9901598722424AC61F0B9164D2
nobs (ASKER):

Let me check, will get back to you now now.

Since this is a self-signed cert, do you have this cert present on the client machine as well?

If they are part of the domain, then the certificate should already be trusted, so this isn't an issue.
nobs (ASKER):

Removing the old certificate gives me this error:

[PS] C:\Windows\system32>Remove-ExchangeCertificate -thumbprint "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"
Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
Parameter name: Thumbprint
At line:1 char:27
+ Remove-ExchangeCertificate <<<<  -thumbprint "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"
    + CategoryInfo          : InvalidArgument: (:) [Remove-ExchangeCertificate], ArgumentException
    + FullyQualifiedErrorId : 76574613,Microsoft.Exchange.Management.SystemConfigurationTasks.RemoveExchangeCertificate

Restart the Microsoft Exchange Transport Service and try again.
nobs (ASKER):

Still getting the same error message, even after I have restarted the server.

Are you still getting the error on the clients though?
nobs (ASKER):

Yes, they are.
Demazter, don't you think that I would need a CA to validate a self-signed cert?

For testing purposes, export the cert:

http://technet.microsoft.com/en-us/library/aa996305%28EXCHG.80%29.aspx

You can choose not to give the password attribute,

and import and store it in the local cert store on the client machine,
or simply try to open OWA and save the cert to the local client store from there.

Regarding remove-cert:

Can you post the Get-ExchangeCertificate output? Don't use fl.
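The export-and-trust step suggested above, written out as an added example rather than code from the thread or from the linked TechNet page. The server half writes the public certificate only (no private key, so no password is involved) to a .cer file; the client half, run elevated, adds it to the machine's Trusted Root store and checks that the chain now builds. The thumbprint is the one the asker posted; the file path, and the function names, are assumptions.

```powershell
# Added example, not the thread's own code. Server half runs in the Exchange
# Management Shell; client half runs in an elevated PowerShell on a workstation.
function Export-PublicCert {
    param([string]$Thumbprint, [string]$Path)
    # Get-ExchangeCertificate returns objects derived from X509Certificate2, so the
    # .NET Export method is available; X509ContentType::Cert writes DER with no key.
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if (-not $cert.IsSelfSigned) {
        # Only a self-signed cert is its own root; for a CA-issued cert distribute the CA's root instead.
        throw "Certificate $Thumbprint is not self-signed; export the issuing CA's root certificate instead."
    }
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    # Re-read the file and confirm it is the same certificate and carries no private key.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($check.Thumbprint -ne $Thumbprint -or $check.HasPrivateKey) {
        throw "Export mismatch for $Path"
    }
    return $check
}

function Import-TrustedRoot {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.HasPrivateKey) { throw "Refusing to import a file that carries a private key." }
    # A self-signed server certificate can only be trusted as a root, so it goes
    # into LocalMachine\Root (requires an elevated shell).
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    # Verify() builds the chain against the local stores; True means this client now trusts it.
    return $cert.Verify()
}

# Server side (assumed path):
Export-PublicCert -Thumbprint "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598" -Path "C:\temp\exchange-selfsigned.cer"

# Client side, after copying the .cer over (assumed path); prints True when trusted:
# Import-TrustedRoot -Path "C:\temp\exchange-selfsigned.cer"
```

The IsSelfSigned guard matters: the second certificate in the thread has a CA-style issuer (CN=Housing, O=Department of Human Settlements) even though IsSelfSigned is True, and a client that is already trusting a retired CA's root will keep warning until that root is replaced rather than the leaf. Pushing the .cer to many clients is a job for Group Policy (Computer Configuration, Public Key Policies, Trusted Root Certification Authorities) rather than a per-machine import.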
nobs (ASKER):

[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
2CCBA5F5592FF75D225810F5FE038BA91B63E489  IP..S      CN=DOHS-CENT-EX01.echou...
FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598  IP.WS      CN=DOHS-CENT-EX01

Hi,

FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598  IP.WS      CN=DOHS-CENT-EX01

is associated with the web service (OWA).

Sign the cert mentioned below for the web service:

2CCBA5F5592FF75D225810F5FE038BA91B63E489  IP..S      CN=DOHS-CENT-EX01.echou...

then try to remove it.
nobs (ASKER):

Now how do I enable autodiscover for echousing.gov.za? Because the minute I remove the one below, I am left with this:

[PS] C:\Windows\system32>Get-ExchangeCertificate |fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-CENT-EX01, DOHS-CENT-EX01.echousing.gov.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-CENT-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-CENT-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598
nobs (ASKER):

@v-2nas: I am interested in the CA certificates that can be used to validate a self-signed certificate.

For Autodiscover:

http://technet.microsoft.com/en-us/library/aa998327%28EXCHG.80%29.aspx

IncludeAutoDiscover (optional, System.Management.Automation.SwitchParameter)

Use this parameter to add the prefix "autodiscover" to each domain name that is generated for the resulting certificate. You can only specify this parameter when you are running this cmdlet on an Exchange server that has the Client Access server role installed. Note: This parameter will not add the "autodiscover" prefix if the domain name already contains the prefix.

Also check the Services parameter (all in the above link).

Setting up trusted internal certificates is in itself another complete (and a little complex) topic. I would suggest going through the PKI (Public Key Infrastructure) deployment guide available at technet.microsoft.com.
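The two replies above describe one procedure between them: enable a certificate that carries the right names for the web service, then remove the old one, and use -IncludeAutoDiscover and -Services when generating the replacement. Here it is carried out in the Exchange Management Shell as an added example, not code from the thread or from TechNet. The names echousing.gov.za and DOHS-CENT-EX01 are taken from the asker's later output and stand in for the server's real names; the old thumbprint is the one the removal error quoted.

```powershell
# Added example, not the thread's own code. Run in the Exchange Management Shell
# on the server that holds the certificate. Names below are assumptions.
$OldThumbprint = "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"
$Fqdn          = "DOHS-CENT-EX01.echousing.gov.za"
$Names         = @("echousing.gov.za", $Fqdn, "DOHS-CENT-EX01")

# 1. Note which services the old certificate is bound to, so the new one
#    gets the same set (the asker's shows IMAP, POP, IIS, SMTP).
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
"Old certificate services: $($old.Services)"

# 2. Create the replacement. -IncludeAutoDiscover prefixes "autodiscover." to
#    every -DomainName entry; autodiscover.echousing.gov.za is the one that
#    matters, the prefixed host names are harmless extras on a self-signed cert.
#    As the removal error text says, a newly created certificate automatically
#    becomes the internal transport certificate, which is what blocked the removal.
$new = New-ExchangeCertificate -SubjectName "CN=$Fqdn" -DomainName $Names -IncludeAutoDiscover `
           -Services IIS,SMTP,POP,IMAP -PrivateKeyExportable $true `
           -FriendlyName "Exchange self-signed with autodiscover"

# 3. Check the SAN list and bindings before touching the old certificate.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List CertificateDomains, Services, IsSelfSigned, NotBefore, NotAfter

# 4. Enable-ExchangeCertificate is safe to repeat; this is the "sign the cert
#    for the web service" step (W in the Services column means IIS/OWA).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP,POP,IMAP

# 5. Only now remove the old one; transport has already switched to the new cert,
#    so the "internal transport certificate cannot be removed" error no longer applies.
Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false

# 6. Final state: exactly one certificate should carry W (IIS) under Services.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject -AutoSize
```

Step 4 alone is what the earlier reply asked for: moving IIS to the certificate that already has the server FQDN. Keep the old certificate until the Services column shows IIS bound elsewhere, and expect Outlook to keep warning until the new self-signed certificate is trusted on the clients, which is the separate export-and-trust step the thread already discusses.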
nobs (ASKER):

I managed to troubleshoot some more, and I found that there was a CA server around that had crashed, and all the machines are still getting this certificate from there.

Now how do I configure the Certificate Authority to manage Exchange certificates?
nobs (ASKER):

How do I publish the Exchange certificate via the CA, since the CA was installed after the Exchange certificate had been issued?
nobs (ASKER):

I managed to figure it out. There was a server that was running a CA before which had crashed; no one told me about it. Only when I was troubleshooting from the client side did I see that the path originates from the server that had crashed. Exchange Server certificates are fine.

:) Good to know you got the culprit.
ASKER CERTIFIED SOLUTION (nobs): the accepted solution text is only available to Experts Exchange members.

It must be coming from GPO; I haven't worked much with CA.
nobs (ASKER):

The root of the problem was a crashed CA server, which we discovered from examining the user certificate path.
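To see the "certificate path" the asker examined on a client without clicking through the browser dialog, here is an added example (not from the thread) that connects to the OWA port, prints the certificate the server presents, the AIA and CRL URLs baked into it, and the chain the client's own stores can build. The host name and the helper function name are assumptions.

```powershell
# Added example, not the thread's own code. Run on a client workstation.
$HostName = "DOHS-CENT-EX01.echousing.gov.za"   # assumed CAS name
$Port     = 443

function Get-ServerCertificate([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate: this handshake is for inspection, not trust.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        # Copy into an X509Certificate2 before the connection is torn down.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

$leaf = Get-ServerCertificate $HostName $Port
"Subject    : $($leaf.Subject)"
"Issuer     : $($leaf.Issuer)"
"Thumbprint : $($leaf.Thumbprint)"
"Valid      : $($leaf.NotBefore) to $($leaf.NotAfter)"
"Self-signed: $($leaf.Subject -eq $leaf.Issuer)"   # heuristic: subject equals issuer

# AIA (1.3.6.1.5.5.7.1.1) and CRL distribution points (2.5.29.31) name the CA
# host the client fetches the issuer cert and CRL from. A CA that no longer
# exists shows up here as a URL nobody answers.
foreach ($ext in $leaf.Extensions) {
    if ($ext.Oid.Value -eq "1.3.6.1.5.5.7.1.1" -or $ext.Oid.Value -eq "2.5.29.31") {
        "$($ext.Oid.FriendlyName):"
        $ext.Format($true)
    }
}

# Build the chain from this client's own stores. Revocation is skipped so the
# result says whether the path reaches a trusted root, not whether a CRL is
# reachable; set RevocationMode to Online to reproduce a client stuck on a dead CA's CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
"Chain builds to a trusted root: $($chain.Build($leaf))"
$i = 0
foreach ($el in $chain.ChainElements) {
    "  [$i] $($el.Certificate.Subject)  issued by  $($el.Certificate.Issuer)"
    $i++
}
foreach ($st in $chain.ChainStatus) {
    "  status: $($st.Status)  $($st.StatusInformation.Trim())"
}
```

If the issuer printed for the leaf is a CA name rather than the Exchange server's own name, the certificate the clients see is not the self-signed one on the server, which is exactly the situation the asker found. Running certutil -verify -urlfetch against an exported copy of the certificate does the same walk and additionally tries every AIA and CDP URL, which is the quickest way to get a retired CA's host name into the output.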