Exchange 2007 Self Assigned Certificate expired

Hello,

Recently (last week) our Exchange certificate expired on our server. The previous technician had created a new one and emailed everyone a .pfx file so that they could install it on each of their clients.

Question is now, how do I go about doing this? I know I will need to use the Exchange Management Shell, but it's been a long time for me on Exchange.

Also, one other note: all mobile devices have stopped working as well. Is this due to the certificate or something else? I didn't think a self-assigned certificate worked with ActiveSync to begin with?

Attached is a screenshot from users' computers: cert error on Outlook clients.
Asked by BluJ

Akhater commented:
The best advice I can give you is to buy a 3rd party certificate once and for all, or else you will need to send the certificate again to all clients and let them install it again etc... a big headache if you ask me.
0
 
BluJ (author) commented:
They don't want to spend the money. I am a rookie when it comes to certificates.
0
 
Akhater commented:
$100 / year is not money, come on!

Well, in all cases, to renew the certificate you just need to run

new-exchangecertificate
0
 
Roy Sims commented:
Well, first you have to have a certificate server on your network. If you have this then I can tell you how to create a certificate. It's not that hard.
0
 
BluJ (author) commented:
emadallan,

How do you export it as a pfx? Don't I need to send all the clients the cert to install?

AclassPC,

Nope. It is a single server that is the PDC and Exchange server. Don't look at me, I just took this network over and our systems admin left for Iraq; I don't deal with Windows machines often.
0
 
Akhater commented:
I already told you that you will need to resend it to all clients, and it is NOT the pfx; if this is what you sent before, you made a mistake, since the pfx contains the PRIVATE key.

and that is why I told you to buy one.

Anyway, after you renew your certificate you should first assign it to IIS. Do you know how to do this?


Once you do this, go to your Exchange server -> Start, Run, mmc -> File, Add/Remove Snap-ins, add Certificates -> Computer account -> Local computer.

In the Personal certificate store you will see the new certificate you have created. Right-click it, All Tasks, Export, and export it WITHOUT the private key. It will give you a .cer file, and this is the one you should send to your clients.
0
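The renew / bind-to-IIS / export-without-private-key sequence described in the comment above, as an added example. This is not code from the thread; it is what I would run in the Exchange Management Shell on the Exchange 2007 server. The hostnames and the output path are placeholders (assumptions) to replace with your own.

```powershell
# Added example, not code from the thread. Renews the self-signed certificate on an
# Exchange 2007 server, binds it to IIS, and exports ONLY the public half as a .cer.
# Run in the Exchange Management Shell on the server. Hostnames and the output path
# are placeholders (assumptions); replace them with your own.

$Names  = "mail.example.com", "autodiscover.example.com", "exch01.example.local", "exch01"
$OutCer = "C:\certs\exchange-public.cer"

# 1. New self-signed certificate. The private key stays in the Local Computer
#    Personal store on the server; it never needs to leave the server.
$new = New-ExchangeCertificate -DomainName $Names -FriendlyName "Exchange self-signed" -PrivateKeyExportable $false -Confirm:$false

# 2. Bind it to IIS (OWA, ActiveSync, Autodiscover, EWS). Creating the
#    certificate alone changes nothing for clients; this step does.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# 3. Export the public certificate only. X509ContentType.Cert writes DER with
#    no private key, which is what clients should receive (never a .pfx).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$x509 = $store.Certificates | Where-Object { $_.Thumbprint -eq $new.Thumbprint }
$store.Close()
if (-not $x509) { throw "Certificate $($new.Thumbprint) not found in the Local Computer Personal store." }

$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Path (Split-Path $OutCer) -Force | Out-Null
[System.IO.File]::WriteAllBytes($OutCer, $der)

# 4. Sanity check before mailing the file out: reload it and confirm there is
#    no private key inside and that the names and expiry are what you expect.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutCer)
if ($check.HasPrivateKey) { throw "Export contains a private key; do not distribute this file." }
$check | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Thumbprint, Services, CertificateDomains, NotAfter
```

Send clients the .cer file and, separately, the thumbprint it prints, so whoever installs it can confirm they are trusting the certificate you exported and not something that merely looks like it.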
 
Alan Hardisty (Co-Owner) commented:
I'm with Akhater - save yourself the time and hassle and spend $60 to buy a 1-year SAN / UCC certificate.

How much is your time worth to the company per hour and how much time have you spent trying to fix the problem already?

Is it more than $60?

If it is, your company is wasting time / money when you could have this solved in about 10 minutes of your time buying a 3rd party SSL certificate.

GoDaddy are about the cheapest place to buy certs, but a GoDaddy reseller account is slightly cheaper :)
0
 
BluJ (author) commented:
I've created a new certificate now; the mobile devices (iPhone and iPad) are still having errors. Any suggestions with them?
0
 
Roy Sims commented:
Well, the easiest way would be to purchase a certificate. With the purchase of a cert from e.g. Verisign or Thawte you won't have to send anything out to your users; they will work instantly.

Now, if there are policies you have to follow, I understand, and we can proceed with creating a cert, but you have to know where your certificate server is.


Also, can you click on that View Cert button on the security message so we can see what type of cert you had?
0
 
Akhater commented:
Creating the certificate is NOT enough.

Did you assign it to the IIS service using Enable-ExchangeCertificate?

Did you export it as I told you, send it to the phone, and install it?
0
 
Alan Hardisty (Co-Owner) commented:
If you have a self-issued certificate, it will need to be installed / trusted on each device.
0
 
Roy Sims commented:
iPhones and iPads will work; you will just get a cert error. I think if you trust it once you won't see that error again.
0
 
BluJ (author) commented:
Just for clarification, is the install process on the Windows clients: click on the cert, Install, place all certificates in the following store, then what folder from there?
0
 
Akhater commented:
To install I wouldn't just double-click.

Start, Run, mmc -> File, Add/Remove Snap-ins, add Certificates -> Computer account -> Local computer -> Trusted Root Certification Authorities -> right-click, All Tasks, Import, and import the certificate here.
0
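The same import into the Local Computer Trusted Root store, done from an elevated PowerShell prompt on the client instead of the MMC, as an added example (not code from the thread). The file path and the expected thumbprint are placeholders (assumptions); the thumbprint is whatever the admin published alongside the .cer.

```powershell
# Added example, not code from the thread. Puts the exported public .cer into the
# Local Computer "Trusted Root Certification Authorities" store from PowerShell
# instead of the MMC. Run elevated on the client. The path and the expected
# thumbprint are placeholders (assumptions) to be replaced with your own.

$CerPath            = "C:\certs\exchange-public.cer"
$ExpectedThumbprint = "0000000000000000000000000000000000000000"  # placeholder: value the admin published

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

# Refuse anything that is not the public half only. A .pfx would carry the
# server's private key and does not belong on a workstation.
if ($cert.HasPrivateKey) { throw "This file contains a private key; only the .cer should be installed." }

# A root store entry makes everything chained to it trusted, so confirm it really
# is the certificate the admin exported and not a look-alike someone else sent.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint $($cert.Thumbprint) does not match the published value."
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate already expired on $($cert.NotAfter)." }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")
if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
$store.Close()

# Verify from the store, not from the file.
$store.Open("ReadOnly")
$installed = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$store.Close()
if (-not $installed) { throw "Import into the Local Computer Root store failed." }
$installed | Format-List Subject, Thumbprint, NotAfter
```

For a domain-joined fleet the same result can be pushed centrally through Group Policy (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities), which avoids having every user run the MMC or a script at all.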
 
BluJ (author) commented:
I'm dealing with users that will not want to run the MMC.
0
 
Akhater commented:
:) users should be importing certificates to start with, but I won't go over this one again.

The certificate should be in the LOCAL COMPUTER store, in Trusted Root Certification Authorities.
0
 
BluJ (author) commented:
You know what, I'm with you guys. For what, like $50.00 for a 5-year from Servertastic?
0
 
Alan Hardisty (Co-Owner) commented:
If you buy one, make sure you include the following names:

mail.externaldomain.com (or whatever you prefer)
autodiscover.externaldomain.com
internalservername.internaldomainname.local
internalservername

If you do that - everything should work happily and no cert issues :)
0
 
Alan Hardisty (Co-Owner) commented:
Not sure if Servertastic is going to sell you a SAN / UCC cert for 5 years for $50.00.
0
 
Akhater commented:
You mean $50/year or / 5 years?

I'd double check if they can confirm it will work with Exchange and if it is a SAN certificate first.
0
 
Akhater commented:
Sorry Alan, posts crossed.
0
 
emadallan commented:
Even if I am with the advice to work with a third party cert, here is how to configure a self-signed cert for mobile devices:
http://searchexchange.techtarget.com/tip/Adding-self-signed-root-certificates-to-Windows-mobile-devices
0
 
BluJ (author) commented:
Yeah, they all have iPads and iPhones; of course I don't use either.
0
 
Alan Hardisty (Co-Owner) commented:
@Akhater - no need for you to apologise.
0
 
BluJ (author) commented:
Before I close this, why do you need a SAN certificate? BTW, just want to thank all of you; I have learned a ton today. I only ever touch the routers/switches/firewalls, and I'm trying to expand into some systems administration as well.

What is a recommended site? Do you recommend 1yr/2yr/3yr/etc?

Also, can someone explain the difference between the SAN cert and a wildcard cert? I'm assuming price. I'm tired of trying to explain to these yahoos how easy this could be.
0
 
Alan Hardisty (Co-Owner) commented:
You need a SAN (Subject Alternative Name) certificate to cater for all the names you will need, both internal names and external names.

Exchange 2007 / 2010 has internal FQDNs and external FQDNs which can be set for most of the Exchange features, and these need to be reflected in the certificate.
0
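To see concretely why the SAN list above (mail, autodiscover, internal FQDN, NetBIOS name) is needed, the following added example, which is not code from the thread, collects every hostname this Exchange 2007 server advertises to clients and compares it with the names on the certificate bound to IIS. It runs in the Exchange Management Shell with cmdlets that exist in Exchange 2007 SP1; the function name is my own. Wildcard certificates are not matched by this check.

```powershell
# Added example, not code from the thread. Lists the hostnames Exchange 2007 hands
# to clients (Autodiscover, OWA, EWS, ActiveSync, OAB URLs) and reports which of
# them are missing from the certificate enabled for IIS. Run in the Exchange
# Management Shell. Get-AdvertisedHostNames is a name chosen for this example.

function Get-AdvertisedHostNames {
    $hosts = @()
    foreach ($cas in Get-ClientAccessServer) {
        if ($cas.AutoDiscoverServiceInternalUri) { $hosts += ([Uri]$cas.AutoDiscoverServiceInternalUri).Host }
    }
    $vdirs = @(Get-OwaVirtualDirectory) + @(Get-WebServicesVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory) + @(Get-OabVirtualDirectory)
    foreach ($v in $vdirs) {
        foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
            if ($u) { $hosts += ([Uri]$u).Host }
        }
    }
    # Internet clients look up autodiscover.<smtp domain>; drop internal-only
    # accepted domains from this list if you never serve Autodiscover for them.
    foreach ($d in Get-AcceptedDomain) { $hosts += "autodiscover.$($d.DomainName)" }
    $hosts | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
}

$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -like "*IIS*" } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS; run Enable-ExchangeCertificate first." }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

$needed  = Get-AdvertisedHostNames
$missing = $needed | Where-Object { $certNames -notcontains $_ }

"Certificate {0} expires {1}" -f $iisCert.Thumbprint, $iisCert.NotAfter
if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) { "WARNING: certificate expires within 30 days (or already has)." }
"Names on the certificate:  " + ($certNames -join ", ")
"Names clients are sent to: " + ($needed -join ", ")
if ($missing) { "MISSING from the certificate: " + ($missing -join ", ") } else { "All advertised names are covered." }
```

Every name in the MISSING line is one that some client will be redirected to and then reject with a name-mismatch warning; that list, plus the expiry warning, is what should drive the contents of the CSR.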
 
BluJ (author) commented:
They still don't want to spend the money on this, and the mobile devices are still having issues (iPad and iPhone). Any ideas on how to fix their errors?
0
 
Alan Hardisty (Co-Owner) commented:
They don't want to spend $60 to fix this for a year?

http://www.exchange-certificates.com/

(This is my GoDaddy Reseller Account by the way)
0
 
BluJ (author) commented:
Another new error today, wtf is going on. aytodisc
0
 
Akhater commented:
Same error, same issue. Buy the certificate and let's get done with this.
0
 
BluJ (author) commented:
I can't stress enough they don't want to spend money. I don't work in a corporate environment where the company has money to shell out; they made a dumb purchase on this Exchange server to begin with, part of the reason they fired their previous IT company. I can recommend all day long; they just will not spend it, period.

What can I do other than what I have done so far? How do I get the error message off that just popped up?
0
 
Alan Hardisty (Co-Owner) commented:
If you want to fix the issues, buy a certificate. It's as simple as that.

If your company does not want to spend the money, then tell them to live with the errors.

Does Out of Office work?

Does ActiveSync work?
0
 
Akhater commented:
I don't think I have anything more to bring to this thread; I will stop watching it.

Good luck
0
 
BluJ (author) commented:
The iPad and iPhone use ActiveSync; they are not working. Again, why I need additional help without making them spend money. They are just being ridiculous about this; if they don't give in I may just fing purchase the cert myself. Seriously, $60.00 a year from Alan seems like a deal just to get this off my back.
0
 
Alan Hardisty (Co-Owner) commented:
It's about the cheapest place around (apart from other GoDaddy reseller cert sites).

$59.99 will sort the issue for a year (with the names I specified earlier) and then you can point out to your company that $60 fixed the problem and next year when it runs out again and it takes 3 days of haggling over $60 they might realise how short-sighted they are being.
0
 
Akhater commented:
You are totally right, and that's what we have been trying to tell you since the start.
0
 
BluJ (author) commented:
AGAIN, I have already told them the time I've spent on this could have been avoided with $60.00. THEY DO NOT LISTEN.
0
 
Alan Hardisty (Co-Owner) commented:
Leave it a few more days. See how long it takes them before they change their mind.
0
 
BluJ (author) commented:
Alan,

How do I go about purchasing this from your site? It appears the PayPal link is broken. Do I just purchase the 1 year up to 5 domains? Do I need to do anything else? Do I get install instructions etc?
0
 
Alan Hardisty (Co-Owner) commented:
I can talk you through it if you get stuck at any stage.

You basically purchase a Multiple Domain UCC Certificate (up to 5) for however long you want to buy it for, which buys you a certificate credit.

Once purchased, you then need to generate the Certificate Signing Request on the server.

Once you have the CSR, you go back to the site, use the credit and then manage the certificate.

When managing the cert, you request a cert, copy/paste the contents of the CSR into the request, then the registered Domain Administrator approves the certificate (via email) and then the cert is issued.

You then download the cert, import it, enable it and job done.
0
 
BluJ (author) commented:
Are there instructions for the CSR generation on the server? I'm on that part now.
0
 
Alan Hardisty (Co-Owner) commented:
I tend to use the following tool:

https://www.digicert.com/easy-csr/exchange2007.htm

Fill in the required details, then copy / paste the output from this site into the Exchange Management Shell to produce the CSR.
0
 
BluJ (author) commented:
mail.domain.com would be the common name?
After that, in the alternate names I would have:

autodiscover.domain.com
exchangeservername.domain.local
exchangeservername

Sorry, don't want to mess this up.
0
 
Alan Hardisty (Co-Owner) commented:
Yep - that's correct.
0
 
BluJ (author) commented:
Should I add a -Path c:\certrequestname.txt to the end of it?
0
 
Alan Hardisty (Co-Owner) commented:
You can - that's just where it will write the CSR file to, and the name it will use. You can change the location and name to suit; the name of the file can be anything you like.
0
 
Alan Hardisty (Co-Owner) commented:
If you look at the generated CSR code, the path and name is already included.
0
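The CSR step discussed from the DigiCert tool onwards, written out as a single Exchange Management Shell command with the -Path parameter in place, plus a check of the request before it is pasted into the CA's form. This is an added example, not the thread's or DigiCert's output; the subject fields, hostnames and file path are placeholders (assumptions).

```powershell
# Added example, not code from the thread. Generates the CSR for a SAN/UCC
# certificate on Exchange 2007 and checks the request before it is submitted.
# Subject fields, hostnames and the path are placeholders (assumptions).

$Common = "mail.example.com"
$Sans   = "autodiscover.example.com", "exch01.example.local", "exch01"
$CsrOut = "C:\certrequest.txt"

# The common name is repeated in -DomainName so it also lands in the SAN
# extension; clients that honour SANs ignore the CN once a SAN list is present.
# -PrivateKeyExportable $true lets you back up the cert with its key later.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, S=State, L=City, O=Example Corp, CN=$Common" `
    -DomainName (@($Common) + $Sans) `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -Path $CsrOut

# Check 1: the file is a PEM certificate request, not an error message.
$text = Get-Content $CsrOut
if ($text[0] -notlike "-----BEGIN*CERTIFICATE REQUEST-----") { throw "Unexpected content in $CsrOut" }

# Check 2: every name you intend to buy actually appears in the request's SAN
# extension. certutil -dump decodes the request and prints "DNS Name=" entries.
$dump = certutil -dump $CsrOut | Out-String
foreach ($n in @($Common) + $Sans) {
    if ($dump -notmatch [regex]::Escape($n)) { "WARNING: $n is not in the request; the CA will not add it for you." }
}

"Paste the whole contents of $CsrOut (BEGIN and END lines included) into the certificate request form."
```

The private key for this request is generated and kept on the server that runs the command, so the issued certificate must be imported back on that same server; a CSR generated anywhere else yields a certificate with no usable key.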
 
BluJ (author) commented:
OK, I used the credit, clicked on Manage and it took me to another site; I don't see a place where I can place my .txt file contents.
0
 
Alan Hardisty (Co-Owner) commented:
Click on the bottom link on the left which I think is credits where you should see a credit.  If not - hit refresh until it appears.
0
 
BluJ (author) commented:
It appeared. Do I click on the Request Certificate link?
0
 
Alan Hardisty (Co-Owner) commented:
Yes - then you can copy/paste the contents of the CSR into the request and process the request on the site.  Then you have to sit and wait.

Does the email address for the admin contact on the domain point somewhere you have control over, or is it someone you know?
0
 
BluJ (author) commented:
I'm sitting and waiting.

No idea where the admin contact on the domain points, tbh.
0
 
Alan Hardisty (Co-Owner) commented:
Visit http://www.whois.com/ and check.
0
 
BluJ (author) commented:
OK, I know the person who is the contact.
0
 
Alan Hardisty (Co-Owner) commented:
I'm heading to bed now - 2:00am for me.

Next steps once you have approved the cert and downloaded it (all done in the Exchange Management Shell):

Import-ExchangeCertificate -Path c:\certificates\import.p7b

Get-exchangecertificate

(Copy / paste the Thumbprint and replace it in the command below.)

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "POP, IMAP,SMTP,IIS"

Change the items in bold accordingly.  The cert name you will have will be similar to mail.domain.com.crt, so just copy that to the root of c: and modify the import-exchangecertificate command accordingly.
0
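The import / enable steps just listed, as an added example that captures the thumbprint from the import instead of copying it by hand, and then verifies the binding, the private key and the chain. This is not the thread's code; the file path and the test mailbox are placeholders (assumptions).

```powershell
# Added example, not code from the thread. Imports the issued certificate on the
# Exchange 2007 server, binds it to the services, and verifies the result without
# hand-copying the thumbprint. File path and mailbox are placeholders.

$Issued = "C:\certificates\mail.example.com.crt"

$imported = Import-ExchangeCertificate -Path $Issued

# The private key was created with the CSR on this server. If it is missing here,
# the CSR came from elsewhere and this certificate cannot serve TLS at all.
if (-not $imported.HasPrivateKey) { throw "Imported certificate has no private key on this server." }

Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services "POP, IMAP, SMTP, IIS"

# Confirm the binding and the names and expiry the CA actually issued.
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, HasPrivateKey

# Build the chain from the file. A missing intermediate CA shows up here as a
# chain error, and on clients as the same trust warning you started with.
certutil -verify -urlfetch $Issued

# Server-side end-to-end check of Autodiscover and web services (Exchange 2007 SP1+).
Test-OutlookWebServices -Identity user@example.com | Format-List Id, Type, Message
```

If certutil reports the chain cannot be built, install the CA's intermediate certificate into the Local Computer Intermediate Certification Authorities store on the server and run the verify step again before testing from a client.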
 
Alan Hardisty (Co-Owner) commented:
The person who is the admin contact should receive an email or two and they will need to approve those before the certificate will be issued.
0
 
Alan Hardisty (Co-Owner) commented:
If you get stuck anywhere once the cert is installed or something isn't working, please let us know.

Night night :)

(Don't think I deserve all the points here - would have been happy with a split)
0
 
Akhater commented:
Alan has been of great help, but my answer was correct since the first reply to this thread, so I guess a point split would have been more adequate.
 
Akhater commented:
Thanks Alan :D
0
 
BluJ (author) commented:
Sorry Akhater,

Thanks to both of you.

One last question: I have the new cert installed and active. What do I need to do with the old self-assigned one?
0
 
Alan Hardisty (Co-Owner) commented:
You can delete it or leave it be. As it has expired and should no longer be used for anything because the new certificate is installed and configured, either is fine.

Is everything working happily now?
0
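If you do decide to delete the old certificate, the following added example (not the thread's code) removes expired certificates only when Exchange reports nothing bound to them. Exchange 2007 also keeps a self-signed certificate for SMTP between its own servers, so a certificate that still lists services is left alone.

```powershell
# Added example, not code from the thread. Removes expired certificates from the
# Exchange 2007 store only if no service is still bound to them. Run in the
# Exchange Management Shell.

$expired = Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt (Get-Date) }

foreach ($c in $expired) {
    if ("$($c.Services)" -eq "None") {
        "Removing expired certificate $($c.Thumbprint) (expired $($c.NotAfter))"
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
    } else {
        # Re-point these services with Enable-ExchangeCertificate before removing.
        "Keeping $($c.Thumbprint): still bound to $($c.Services) although it expired $($c.NotAfter)"
    }
}

# What remains, so the current binding is visible at a glance.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter -AutoSize
```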
 
BluJ (author) commented:
Still waiting to see; I'm thinking it's all happy now.
0
 
Alan Hardisty (Co-Owner) commented:
Good news - is the company happy and have you got your money back from them yet or do you not anticipate that happening this side of your 100th birthday?
0