Solved

Exchange 2007 Self Assigned Certificate expired

Posted on 2011-10-03
Last Modified: 2012-08-14
Hello,

Recently (last week) our Exchange Certificate expired on our server. The previous technician had created a new one and emailed everyone a .pfx file so that they could install it on each of their clients.

Question is now, how do I go about doing this? I know I will need to use the Exchange Management Shell but it's been a long time for me on Exchange.

Also of one other note, all mobile devices have stopped working as well. Is this due to the certificate or something else? I didn't think a Self Assigned Certificate worked with ActiveSync to begin with?

Attached is a screenshot from users' computers: cert error on outlook clients
Question by:BluJ
64 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 1000 total points
ID: 36903214
the best advice I can give you is to buy a 3rd party certificate once and for all, or else you will need to send the certificate again to all clients and let them install it again etc... a big headache if you ask me
0
 

Author Comment

by:BluJ
ID: 36903224
they don't want to spend the money. I am a rookie when it comes to certificates.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36903234
$100 / year is not money come on !

well in all cases to renew the certificate you just need to run

new-exchangecertificate
0
 
LVL 6

Expert Comment

by:emadallan
ID: 36903313
0
 
LVL 3

Expert Comment

by:Roy Sims
ID: 36903342
Well first you have to have a certificate server on your network.  If you have this then I can tell you how to create a certificate.  It's not that hard.
0
 

Author Comment

by:BluJ
ID: 36903367
emadallan,

how do you export it as a pfx? don't I need to send all the clients the cert to install?

AclassPC,

Nope, it is a single server that is the PDC and Exchange server. Don't look at me, I just took this network over and our systems admin left for Iraq; I don't deal with Windows machines often.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36903393
I already told you that you will need to resend it to all clients and it is NOT the pfx; if this is what you sent before you made a mistake, since the pfx contains the PRIVATE key.

and that is why I told you to buy one.

Anyway after you renew your certificate you should first assign it to the IIS do you know how to do this ?


once you do this go to your exchange server -> start, run mmc -> file, add/remove snap-ins and add certificates -> computer -> Local computer

in the Personal certificate store you will see the new certificate you have created; right click it, all tasks, and export it WITHOUT private key. it will give you a .cer file and this is the one you should send to your clients
0
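The export-without-private-key and Trusted Root import that Akhater describes above, written out as an added PowerShell example that is not from this thread. It uses only the .NET X509Store classes, so it runs on the PowerShell version shipped with an Exchange 2007 era server; the subject name CN=mail.example.local and the file paths are assumed placeholders. The first half runs on the Exchange server, the second half on each client from an elevated prompt.

```powershell
# Added example, not from the thread. Exports the PUBLIC half of the server's
# certificate as a .cer (no private key) and imports that .cer into a client's
# Local Computer\Trusted Root store. Subject and paths below are assumptions.

# --- On the Exchange server: export WITHOUT the private key ---
$subject = 'CN=mail.example.local'               # assumed subject of the new certificate
$cerPath = 'C:\certs\mail.example.local.cer'     # assumed output path

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
# Pick the newest unexpired certificate with that subject from the Personal store.
$cert = $store.Certificates |
    Where-Object { $_.Subject -eq $subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No unexpired certificate with subject $subject in LocalMachine\My" }

# X509ContentType::Cert writes only the public certificate. A .pfx (Pkcs12 type)
# would carry the private key, which is exactly what must not be mailed around.
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $bytes)

# Sanity check: the written file loads as a certificate with no private key attached.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($check.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }
"Exported $($check.Subject), thumbprint $($check.Thumbprint), expires $($check.NotAfter)"

# --- On each client (elevated): import into Local Computer\Trusted Root ---
# A self-signed certificate is its own root, so this is the store it belongs in
# (the same place Akhater points to in the mmc steps).
$clientCer = 'C:\certs\mail.example.local.cer'   # assumed: wherever the .cer was copied
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($clientCer)))
$root.Close()
```

On the client side, the built-in one-liner `certutil -addstore -f Root C:\certs\mail.example.local.cer` does the same import; either way it needs an elevated prompt because the Local Computer store, not the user's store, is the one Outlook and ActiveSync consult.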
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36903441
I'm with Akhater - save yourself the time and hassle and spend $60 to buy a 1 year SAN / UCC certificate.

How much is your time worth to the company per hour and how much time have you spent trying to fix the problem already?

Is it more than $60?

If it is, your company is wasting time / money when you could have this solved in about 10 minutes of your time buying a 3rd party SSL certificate.

GoDaddy are about the cheapest place to buy Certs, but a GoDaddy reseller account is slightly cheaper :)
0
 

Author Comment

by:BluJ
ID: 36903453
I've created a new certificate now, the mobile devices (iphone and ipad) are still having errors. Any suggestions with them?
0
 
LVL 3

Expert Comment

by:Roy Sims
ID: 36903469
Well the easiest way would be to purchase a certificate.  With the purchase of a cert from i.e. Verisign or Thawte you won't have to send anything out to your users, they will work instantly.  

Now if there are policies you have to follow I understand and we can proceed with creating a cert but you have to know where your Certificate server is.


Also can you click on that view cert button on the security message so we can see what type of cert you had?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36903473
Creating the certificate is NOT enough

did you assign it to the IIS service using enable-exchangecertificate?

did you export it as I told you and send it to the phone and install it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36903479
If you have a self-issued certificate, it will need to be installed / trusted on each device.
0
 
LVL 3

Expert Comment

by:Roy Sims
ID: 36903489
iPhones and iPads will work, you will just get a cert error.  I think if you trust it once you won't see that error again.
0
 

Author Comment

by:BluJ
ID: 36903571
just for clarification, is the install process on the windows clients: click on the cert, install, place all certificates in the following store, then what folder from there?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36903591
to install I wouldn't just double click

start, run mmc -> file, add/remove snap-ins and add certificates -> computer -> Local computer -> Trusted root CA -> right click, all tasks, import and import the certificate here
0
 

Author Comment

by:BluJ
ID: 36903613
I'm dealing with users that will not want to run the mmc.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36903627
:) users should be importing certificates to start with but I won't go over this one again

the certificate should be in the LOCAL COMPUTER store in trusted root certificate authorities.
0
 

Author Comment

by:BluJ
ID: 36903701
you know what, I'm with you guys; for what, like $50.00 for a 5/yr from servertastic
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 36903752
If you buy one - make sure you include the following names:

mail.externaldomain.com (or whatever you prefer)
autodiscover.externaldomain.com
internalservername.internaldomainname.local
internalservername

If you do that - everything should work happily and no cert issues :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36903761
Not sure if Servertastic is going to sell you a SAN / UCC cert for 5 years for $50.00
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36903769
you mean $50/year or / 5 years?

I'd double check if they can confirm it will work with exchange and if it is a SAN certificate first
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36903770
sorry Alan, posted crossed
0
 
LVL 6

Expert Comment

by:emadallan
ID: 36903797
Even if I am with the advice to work with a third party cert,
here is how to configure a self signed cert for mobile devices.
http://searchexchange.techtarget.com/tip/Adding-self-signed-root-certificates-to-Windows-mobile-devices
0
 

Author Comment

by:BluJ
ID: 36903927
Yeah they all have iPads and iPhones, of course I don't use either.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36903946
@Akhater - no need for you to apologise.
0
 

Author Comment

by:BluJ
ID: 36906111
Before I close this, why do you need a SAN certificate? BTW just want to thank all of you, I have learned a ton today. I only ever touch the routers/switches/firewalls; I'm trying to expand into some systems administration as well.

What is a recommended site, do you recommend 1yr/2yr/3yr/etc?

Also can someone explain the difference between the SAN Cert and a wildcard cert? I'm assuming price. I'm tired of trying to explain to these yahoos how easy this could be.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36906126
You need a SAN (Subject Alternative Name) certificate to cater for all the names you will need, both internal names and external names.

Exchange 2007 / 2010 has internal FQDNs and external FQDNs which can be set for most of the Exchange features and these need to be reflected in the Certificate.
0
 

Author Comment

by:BluJ
ID: 36917446
They still don't want to spend the money on this, and the mobile devices are still having issues (iPad and iPhone); any ideas on how to fix their errors?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36918119
They don't want to spend $60 to fix this for a year?

http://www.exchange-certificates.com/

(This is my GoDaddy Reseller Account by the way)
0
 

Author Comment

by:BluJ
ID: 36925894
another new error today, wtf is going on. aytodisc
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36927048
same error same issue, buy the certificate and let's get done with this
0
 

Author Comment

by:BluJ
ID: 36927495
I can't stress enough they don't want to spend money. I don't work in a corporate environment where the company has money to shell out; they made a dumb purchase on this exchange server to begin with, part of the reason they fired their previous IT company. I can recommend all day long, they just will not spend it, period.

What can I do other than what I have done so far, how do I get the error message off that just popped up?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36927567
If you want to fix the issues - buy a certificate.  It's as simple as that.

If your company does not want to spend the money, then tell them to live with the errors.

Does Out Of Office Work?

Does Activesync Work?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36927573
I don't think I have anything more to bring to this thread, I will stop watching it

Good luck
0
 

Author Comment

by:BluJ
ID: 36927829
The iPad and iPhone use ActiveSync, they are not working. Again, why I need additional help without making them spend money; they are just being ridiculous about this, if they don't give in I may just fing purchase the cert myself. seriously $60.00 a year from Alan seems like a deal just to get this off my back.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36927840
It's about the cheapest place around (apart from other GoDaddy Reseller Cert Sites).

$59.99 will sort the issue for a year (with the names I specified earlier) and then you can point out to your company that $60 fixed the problem and next year when it runs out again and it takes 3 days of haggling over $60 they might realise how short-sighted they are being.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36927846
you are totally right and that's what we have been trying to tell you since the start
0
 

Author Comment

by:BluJ
ID: 36927999
AGAIN, I have already told them the time I've spent on this could have been avoided with $60.00. THEY DO NOT LISTEN.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928011
Leave it a few more days.  See how long it takes them before they change their mind.
0
 

Author Comment

by:BluJ
ID: 36928016
Alan,

how do I go about purchasing this from your site? it appears the paypal link is broken. do I just purchase the 1 year up to 5 domains? do I need to do anything else? do I get install instructions etc?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928040
I can talk you through it if you get stuck at any stage.

You basically purchase a Multiple Domain UCC Certificate (up to 5) for however long you want to buy it for, which buys you a certificate credit.

Once purchased, you then need to generate the Certificate Signing Request on the server.

Once you have the CSR, you go back to the site, use the credit and then manage the certificate.

When managing the cert, you request a cert, copy/paste the contents of the CSR into the request, then the registered Domain Administrator approves the certificate (via email) and then the cert is issued.

You then download the cert, import it, enable it and job done.
0
 

Author Comment

by:BluJ
ID: 36928197
are there instructions for the CSR generation on the server? I'm on that part now.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928206
I tend to use the following tool:

https://www.digicert.com/easy-csr/exchange2007.htm

Fill in the required details, then copy / paste the output from this site into the Exchange Management Shell to produce the CSR.
0
 

Author Comment

by:BluJ
ID: 36928220
mail.domain.com would be the common name?
after that in the Alternate names I would have:

autodiscover.domain.com
exchangeservername.domain.local
exchangeservername

sorry don't want to mess this up.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928222
Yep - that's correct.
0
 

Author Comment

by:BluJ
ID: 36928224
should I add a -path c:\certrequestname.txt to the end of it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928230
You can - that's just where it will write the CSR file to and the name it will use.  You can change the location and name to suit - the name of the file can be anything you like.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928239
If you look at the generated CSR code, the path and name is already included.
0
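The CSR step discussed above, as an added example that is not from this thread and not the output of the DigiCert tool Alan links. It uses the Exchange 2007 form of New-ExchangeCertificate (the one that still accepts -Path) with the four names Alan listed earlier; the external host names, the organisation details and the output path are assumed placeholders, while the internal FQDN and NetBIOS name are read from the server it runs on.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 server that will hold the private key. Names below are assumptions.
$externalHost = 'mail.example.com'            # assumed: common name / external host
$autodiscover = 'autodiscover.example.com'    # assumed: Autodiscover name
$internalFqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName  # e.g. exchsrv.example.local
$netbios      = $env:COMPUTERNAME             # e.g. exchsrv
$csrPath      = 'C:\certrequest.txt'          # assumed: where the CSR text is written

$names = @($externalHost, $autodiscover, $internalFqdn, $netbios)

# Checks before the certificate credit is spent on a request that cannot be fixed later:
# every name filled in, no duplicates, and the internal name really is a FQDN.
if ($names | Where-Object { -not $_ }) { throw 'One of the SAN entries is empty' }
if (($names | Select-Object -Unique).Count -ne $names.Count) { throw 'Duplicate SAN entries' }
if ($internalFqdn -notlike '*.*') { throw "Internal name '$internalFqdn' is not a FQDN" }

# Generate the request. The private key is created in the Local Computer store and
# stays there; only the text in $csrPath leaves the server. -PrivateKeyExportable lets
# the finished certificate be moved to a replacement server later.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Company, CN=$externalHost" `
    -DomainName $names `
    -FriendlyName $externalHost `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path $csrPath

# Verify the request carries all four names before pasting it into the order form;
# certutil parses the PKCS#10 request and prints its Subject Alternative Name list.
certutil -dump $csrPath

# This is the block (BEGIN/END NEW CERTIFICATE REQUEST) that goes into the request form.
Get-Content $csrPath
```

The point of the checks is that a CSR binds the name list at request time: a name missed here means a reissue, which is the "haggling over $60" loop the thread is trying to avoid. The common name is also repeated in the SAN list because clients that ignore the CN entirely only match against SANs.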
 

Author Comment

by:BluJ
ID: 36928242
ok I used the credit, clicked on manage and it took me to another site, I don't see a place where I can place my .txt file contents
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928244
Click on the bottom link on the left which I think is credits where you should see a credit.  If not - hit refresh until it appears.
0
 

Author Comment

by:BluJ
ID: 36928247
it appeared, do I click on the request certificate link?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928251
Yes - then you can copy/paste the contents of the CSR into the request and process the request on the site.  Then you have to sit and wait.

Does the email address for the admin contact on the domain point somewhere you have control over, or is it someone you know?
0
 

Author Comment

by:BluJ
ID: 36928260
I'm sitting and waiting

no idea where the admin contact on the domain points tbh.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928263
Visit http://www.whois.com/ and check.
0
 

Author Comment

by:BluJ
ID: 36928275
ok I know the person as the contact.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 36928283
I'm heading to bed now - 2:00am for me.

Next steps once you have approved the cert and downloaded it (all done in the Exchange Management Shell):

Import-ExchangeCertificate -Path c:\certificates\import.p7b

Get-exchangecertificate

(Copy / paste the Thumbprint and replace it in the command below)

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "POP, IMAP,SMTP,IIS"

Change the items in bold (the path and the thumbprint) accordingly.  The cert name you will have will be similar to mail.domain.com.crt, so just copy that to the root of c: and modify the import-exchangecertificate command accordingly.
0
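Alan's import/enable steps with a few checks around them, as an added example that is not part of the thread. The file path and the required name list are assumptions; the cmdlets are the Exchange 2007 ones used above, and the property names (CertificateDomains, Services, NotAfter, HasPrivateKey, IsSelfSigned) are the ones Get-ExchangeCertificate | Format-List shows. Taking the thumbprint from the returned object avoids the copy/paste step and the risk of enabling the wrong certificate on a server that now holds several.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 server that generated the CSR, after the CA has issued the certificate.
$certFile      = 'C:\mail.example.com.crt'                    # assumed: file from the CA
$requiredNames = @('mail.example.com', 'autodiscover.example.com',
                   'exchsrv.example.local', 'exchsrv')        # assumed: the names in the CSR

# 1. Import. The issued certificate is paired with the private key created by the
#    CSR request; the cmdlet returns the certificate object, thumbprint included.
$cert = Import-ExchangeCertificate -Path $certFile

# 2. Check it before binding any service to it.
$present = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $requiredNames | Where-Object { $present -notcontains $_ }
if ($missing) { throw "Certificate lacks names: $($missing -join ', ')" }
if (-not $cert.HasPrivateKey) { throw 'No private key: import on the server that generated the CSR' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires too soon: $($cert.NotAfter)" }

# 3. Enable it for the services Alan lists. Enabling for IIS is the step that stops the
#    Outlook and ActiveSync warnings, because that is the certificate those clients see.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'POP,IMAP,SMTP,IIS'

# 4. Confirm what is bound now. The new certificate should show the services above;
#    the old self-signed one should show none.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# 5. Housekeeping for the expired self-signed certificate (the "delete it or leave it"
#    question later in the thread): remove it only once it serves nothing.
#    Remove-ExchangeCertificate prompts for confirmation before deleting.
Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt (Get-Date) -and "$($_.Services)" -eq 'None' } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint }
```

If step 2 fails on the name check, the fix is a reissued certificate rather than a re-import; if it fails on the private key, the request was generated on a different machine, and the .crt by itself is useless without that key. Step 5 can be left out entirely, as Alan says: an expired certificate that no service is bound to is harmless.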
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928285
The person who is the admin contact should receive an email or two and they will need to approve those before the certificate will be issued.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36928289
If you get stuck anywhere once the cert is installed or something isn't working, please let us know.

Night night :)

(Don't think I deserve all the points here - would have been happy with a split)
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36929899
Alan has been of great help but my answer was correct since the first reply to this thread so I guess a point split would have been more adequate

0
 
LVL 49

Expert Comment

by:Akhater
ID: 36930106
thanks Alan :D
0
 

Author Comment

by:BluJ
ID: 36931989
sorry Akhater,

Thanks to both of you.

One last question, I have the new cert installed and active. what do I need to do with the old self assigned one.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36932782
You can delete it or leave it be.  As it has expired and should no longer be used for anything because the new certificate is installed and configured, then either is fine.

Is everything working happily now?
0
 

Author Comment

by:BluJ
ID: 36933014
still waiting to see, I'm thinking it's all happy now.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36933185
Good news - is the company happy and have you got your money back from them yet or do you not anticipate that happening this side of your 100th birthday?
0
