nobs
Exchange Server 2007 certificate has been renewed
The Exchange server certificate in our environment has been renewed, but users are still getting that annoying message about the certificate, and even when you check OWA, that certificate issue comes up. I also noticed something strange: when the certificate was renewed it showed that it will expire after 5 years. What could be wrong? I ran get-ExchangeCertificate |fl; the output is as follows:
[PS] C:\Windows\system32>Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-EL-EX01, DOHS-ELT-EX01.echouse.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-EL-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-EL-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598
ASKER
Let me try enabling autodiscover and then check out the utility
Also check whether you have saved the certificate in the local store on the user's machine; in that case you need to replace the old cert with the new one.
ASKER
How do I enable autodiscover? Many documents are leading me in different directions.
autodiscover is enabled by default, but the autodiscover.echouse.co.za name needs to be in the certificate.
ASKER
@demazter: I have used the utility; it has been enabled.
excellent, and is it now working?
ASKER
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Housing, DOHS-house-EX01, DOHS-house-EX01.echouse.co.za, autodiscover.echouseg.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Housing, O=Department of Human Settlements, L=East London, S="", C=SA
NotAfter           : 3/10/2016 2:02:56 PM
NotBefore          : 3/10/2011 2:02:56 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1FA28981B270DD874E24AE76ABC5BC3C
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Housing, O=Department of Human Settlements, L=East London, S="", C=SA
Thumbprint         : 5D20E0424C06FE9901598722424AC61F0B9164D2
ASKER
Let me check; will get back to you now now.
Since this is a self signed cert. Do you have this cert present on client machine as well?
If they are part of the domain then the certificate should already be trusted so this isn't an issue.
ASKER
Removing the old certificate gives me this error
[PS] C:\Windows\system32>Remove-ExchangeCertificate -Thumbprint "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"

Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
Parameter name: Thumbprint
At line:1 char:27
+ Remove-ExchangeCertificate <<<< -Thumbprint "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"
    + CategoryInfo          : InvalidArgument: (:) [Remove-ExchangeCertificate], ArgumentException
    + FullyQualifiedErrorId : 76574613,Microsoft.Exchange.Management.SystemConfigurationTasks.RemoveExchangeCertificate
Restart the Microsoft Exchange Transport Service and try again.
ASKER
Still getting the same error message, even after I have restarted the server.
Are you still getting the error on the clients though?
ASKER
Yes, they are.
Demazter, don't you think that I would need a CA to validate a self-signed cert?
For testing purposes, export the cert:
http://technet.microsoft.com/en-us/library/aa996305%28EXCHG.80%29.aspx
You can choose not to give a password attribute.
Then import it and store it in the local cert store on the client machine,
or simply open OWA and save the cert to the local client store from there.
Regarding remove-cert:
Can you post the get-exchangecert output?
Don't use fl.
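A way to do the export-and-trust step suggested above without handing clients the private key, as an added example that is not from the thread or from the TechNet page. Exchange 2007's Export-ExchangeCertificate writes a PFX that contains the private key, so this instead pulls only the public certificate out of the local machine store. The thumbprint is the asker's OWA certificate; the file paths, and the assumption that clients are domain members that can receive the root via Group Policy, are mine.

```powershell
# Added example, not the asker's or the experts' code. Run in the Exchange
# Management Shell (or any PowerShell) on the Exchange server. Paths are assumptions.
$thumb = "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"   # the asker's OWA certificate
$out   = "C:\certs\exchange-public.cer"

# Exchange keeps its certificates in the LocalMachine\My store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if ($cert -eq $null) { throw "Certificate $thumb not found in LocalMachine\My." }

# Export the public certificate only (DER). X509ContentType::Cert never
# includes the private key, unlike the PFX that Export-ExchangeCertificate
# writes. Anyone holding that PFX could impersonate the server, so it must
# never be copied to client machines.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Path (Split-Path $out -Parent) -Force | Out-Null
[System.IO.File]::WriteAllBytes($out, $der)

# Sanity-check the file before distributing it: the reloaded certificate must
# match the requested thumbprint and must not carry a private key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($out)
if ($check.Thumbprint -ne $thumb) { throw "Exported file does not match the requested thumbprint." }
if ($check.HasPrivateKey)        { throw "Exported file carries a private key; do not distribute it." }
"Public certificate for {0} (expires {1}) written to {2}" -f $check.Subject, $check.NotAfter, $out

# On a test client (elevated prompt), trust it as a root:
#   certutil -addstore Root C:\certs\exchange-public.cer
# For domain members, publish the same .cer through Group Policy instead:
#   Computer Configuration > Windows Settings > Security Settings >
#   Public Key Policies > Trusted Root Certification Authorities
```

Trusting the certificate only clears the "not trusted" part of the warning. Outlook still checks that the name it connected to (OWA host, server FQDN, autodiscover.<domain>) appears in CertificateDomains and that the certificate is within its validity period, so a trusted certificate that lacks the autodiscover name will keep prompting.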
ASKER
[PS] C:\Windows\system32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
2CCBA5F5592FF75D225810F5FE038BA91B63E489  IP..S      CN=DOHS-CENT-EX01.echou...
FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598  IP.WS      CN=DOHS-CENT-EX01
Hi,
FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598 (IP.WS, CN=DOHS-CENT-EX01)
is associated with the web service (OWA).
Assign the cert below to the web service:
2CCBA5F5592FF75D225810F5FE038BA91B63E489 (IP..S, CN=DOHS-CENT-EX01.echou...)
then try to remove it.
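One way to carry out the swap described in the two replies above (bind the other certificate to the web service, restart transport, then remove the old one), as an added example that is not the asker's or the experts' code. The two thumbprints are the ones in the asker's listing; the backup path, and the pre-flight checks on the replacement certificate, are my assumptions about how a careful operator would run it.

```powershell
# Added example, not from the thread. Thumbprints come from the asker's
# Get-ExchangeCertificate listing; the backup path is an assumption.
$old = "FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598"   # CN=DOHS-CENT-EX01, services IP.WS
$new = "2CCBA5F5592FF75D225810F5FE038BA91B63E489"   # CN=DOHS-CENT-EX01.echou..., services IP..S

# 1. Inspect the replacement before touching anything. It needs a private key,
#    must be inside its validity period, and its CertificateDomains must cover
#    every name clients use (server FQDN, OWA host, autodiscover.<domain>).
$cand = Get-ExchangeCertificate -Thumbprint $new
$cand | Format-List Subject, CertificateDomains, HasPrivateKey, IsSelfSigned, NotBefore, NotAfter, Services
if (-not $cand.HasPrivateKey)          { throw "Replacement certificate has no private key; it cannot serve TLS." }
if ($cand.NotAfter -lt (Get-Date))     { throw "Replacement certificate is already expired." }
if ($cand.NotBefore -gt (Get-Date))    { throw "Replacement certificate is not yet valid." }

# 2. Give the replacement every service the old one holds, including IIS (OWA)
#    and SMTP. Exchange 2007 picks its internal transport certificate from the
#    certificates enabled for SMTP whose names match the server FQDN, which is
#    the precondition the Remove-ExchangeCertificate error above is describing.
Enable-ExchangeCertificate -Thumbprint $new -Services "IIS,POP,IMAP,SMTP"

# 3. Make transport re-evaluate its certificate choice (the advice in the thread).
Restart-Service MSExchangeTransport

# 4. Keep a backup of the old certificate before removing it. Exchange 2007
#    exports a PFX that includes the private key, so store and protect the
#    file like a secret, not like a public .cer.
$backup = "C:\certs\old-exchange-cert.pfx"                       # assumed path
New-Item -ItemType Directory -Path (Split-Path $backup -Parent) -Force | Out-Null
$pwd = Read-Host -AsSecureString "Password for the backup PFX"
Export-ExchangeCertificate -Thumbprint $old -BinaryEncoded:$true -Path $backup -Password $pwd
Remove-ExchangeCertificate -Thumbprint $old

# 5. Confirm the result: the replacement should now carry IIS and SMTP.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject, NotAfter -AutoSize
```

If step 4 still returns the "internal transport certificate cannot be removed" error after the restart, the replacement is not being selected for transport; the usual reason is that its CertificateDomains do not contain the server's FQDN exactly as Exchange sees it, so check that before forcing anything.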
ASKER
Now how do I enable autodiscover for echousing.gov.za? Because the minute I remove the one below, I am left with this:
[PS] C:\Windows\system32>Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {DOHS-CENT-EX01, DOHS-CENT-EX01.echousing.gov.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOHS-CENT-EX01
NotAfter           : 2/25/2016 12:08:17 PM
NotBefore          : 2/25/2011 12:08:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 6B105104DACAF9A044B74D6E0579E9E5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOHS-CENT-EX01
Thumbprint         : FAEB8CD5F1601C56EB18DAE463DEF503DF8B3598
ASKER
@v-2nas: I am interested in the CA certificates that can be used to validate a self-signed certificate.
For Autodiscover:
http://technet.microsoft.com/en-us/library/aa998327%28EXCHG.80%29.aspx
IncludeAutoDiscover (Optional, System.Management.Automation.SwitchParameter)
Use this parameter to add the prefix "autodiscover" to each domain name that is generated for the resulting certificate. You can only specify this parameter when you are running this cmdlet on an Exchange server that has the Client Access server role installed. Note: this parameter will not add the "autodiscover" prefix if the domain name already contains the prefix.
Also check Services. [All in the above link]
Setting up trusted internal certificates is in itself another complete (slightly complex) topic. I would suggest going through the PKI (Public Key Infrastructure) deployment guide available at technet.microsoft.com.
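Putting the advice in this reply together with the asker's later question about issuing the Exchange certificate through a CA: an added example, not code from the thread or from the TechNet page. It uses the server name and domain from the asker's last listing (the thread itself uses several spellings of the domain); mail.echousing.gov.za as the external name, the C:\certs paths and the "CAHOST\CAName" config string in the certreq call are assumptions.

```powershell
# Added example, not from the thread. Server name and domain follow the
# asker's last listing; external name, paths and CA config are assumptions.
$fqdn    = "DOHS-CENT-EX01.echousing.gov.za"
$domains = @(
    "mail.echousing.gov.za",          # assumed external OWA / Outlook Anywhere name
    "autodiscover.echousing.gov.za",  # the name Outlook resolves for Autodiscover
    $fqdn,
    "DOHS-CENT-EX01"                  # NetBIOS name used by internal clients
)
$reqFile  = "C:\certs\exchange.req"
$certFile = "C:\certs\exchange.cer"
New-Item -ItemType Directory -Path "C:\certs" -Force | Out-Null

# 1. Build a PKCS#10 request carrying all names as subject alternative names.
#    -IncludeAutoDiscover (the switch quoted above) would add the autodiscover
#    prefix for you; listing it explicitly keeps the request reviewable.
#    C=ZA is the ISO code for South Africa; a CA may reject an invalid one.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.echousing.gov.za, O=Department of Human Settlements, C=ZA" `
    -DomainName $domains -PrivateKeyExportable $true -KeySize 2048 -Path $reqFile

# 2. Submit the request to the internal enterprise CA. "CAHOST\CAName" is the
#    config string your CA reports; WebServer is the stock template that
#    yields a Server Authentication certificate. Lifetime comes from the
#    template, so this also replaces the five-year self-signed certificate
#    the asker was puzzled by with something the CA controls.
certreq -submit -config "CAHOST\CAName" -attrib "CertificateTemplate:WebServer" $reqFile $certFile

# 3. Import the issued certificate; it pairs with the private key that step 1
#    left in the machine store. Then enable it for the services clients use.
$imported = Import-ExchangeCertificate -Path $certFile
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 4. Verify every client-facing name is present and the issuer is the CA,
#    not the server itself (IsSelfSigned should now be False).
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, IsSelfSigned, RootCAType, NotAfter, Services
```

Clients only stop prompting once they trust the issuing CA, which for domain members means the CA's own certificate is in their Trusted Root store (an enterprise CA publishes it there through Active Directory; an offline or crashed CA does not, and its CRL distribution point also stops answering).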
ASKER
I managed to troubleshoot some more and I found that there was a CA server around that had crashed, and all the machines are still getting this certificate from there.
Now how do i configure the Certificate Authority to manage exchange certificates ?
ASKER
How to publish Exchange certificate VIA CA, since CA was installed after Exchange certificate had been issued
ASKER
I managed to figure it out. There was a server that was running a CA before which had crashed; no one told me about it, and only when I was troubleshooting from the client side did I see the path originating from the server that had crashed. The Exchange Server certificates are fine.
:) Good to know you got the culprit.
It must be coming from GPO. I haven't worked much with CA.
ASKER
The root of the problem was a crashed CA server, which we discovered by examining the user certificate path.
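The kind of client-side check that exposes a dead issuing CA, as an added example (not the asker's own steps or any code from the thread). It runs on a client with PowerShell 2.0 or later, connects to the OWA name, records the certificate the server actually presents, and then builds the chain the way Windows does, with revocation checking on, so that a CA that is no longer publishing its CRL shows up in the status output instead of as a vague warning in Outlook. The host name is an assumption taken from the asker's last listing.

```powershell
# Added example, not from the thread. Host name is an assumption.
$hostName = "DOHS-CENT-EX01.echousing.gov.za"
$port     = 443

# Accept any certificate during the handshake; validation is done explicitly
# below so the reason for a failure can be printed rather than swallowed.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    return $true
}
$client = New-Object System.Net.Sockets.TcpClient($hostName, $port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($hostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $client.Close()

"Presented  : {0}" -f $cert.Subject
"Issuer     : {0}" -f $cert.Issuer
"Valid      : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter
"Thumbprint : {0}" -f $cert.Thumbprint
"Self-signed: {0}" -f ($cert.Subject -eq $cert.Issuer)

# Names the certificate is valid for (SAN extension, OID 2.5.29.17). Outlook
# compares the name it connected to against these, independently of trust.
$cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } |
    ForEach-Object { "Names      : {0}" -f $_.Format($false) }

# Build the chain exactly as CryptoAPI on this client sees it, CRL check included.
$chainObj = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainObj.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainObj.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$trusted = $chainObj.Build($cert)

"Chain trusted by this client: {0}" -f $trusted
foreach ($element in $chainObj.ChainElements) {
    # The last element is the root the client ended up at; if it names a
    # server that no longer exists, that is the crashed CA.
    "  -> {0}  [{1}]" -f $element.Certificate.Subject, $element.Certificate.Thumbprint
}
foreach ($status in $chainObj.ChainStatus) {
    # UntrustedRoot: the issuing/self-signed cert is not in the client's Trusted Root store.
    # RevocationStatusUnknown / OfflineRevocation: the CRL could not be fetched,
    # which is what an issuing CA that has crashed looks like from the client.
    "  status: {0}  {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

Run it from an affected client rather than from the Exchange server: the server trusts its own store, and the thread's whole point is that the client was walking a different path than the administrator expected.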
Can you try the following utility for managing your SSL Certificate in Exchange 2007: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/
I also notice you don't have the autodiscover.echouse.co.za