BluJ asked:

Exchange 2007 Self Assigned Certificate expired

Hello,

Recently (last week) our Exchange certificate expired on our server. The previous technician had created a new one and emailed everyone a .pfx file so that they could install it on each of their clients.

Question is now, how do I go about doing this? I know I will need to use the Exchange Management Shell, but it's been a long time for me on Exchange.

Also, one other note: all mobile devices have stopped working as well. Is this due to the certificate or something else? I didn't think a self-assigned certificate worked with ActiveSync to begin with?

Attached is a screenshot from users' computers (image: ExchangeOutlook).

Last comment: Alan Hardisty
ASKER CERTIFIED SOLUTION
Akhater
BluJ

ASKER

They don't want to spend the money. I am a rookie when it comes to certificates.
Akhater

$100 / year is not money, come on!

Well, in all cases, to renew the certificate you just need to run

New-ExchangeCertificate
Roy Sims

Well, first you have to have a certificate server on your network. If you have this then I can tell you how to create a certificate. It's not that hard.
BluJ

ASKER

emadallan,

How do you export it as a .pfx? Don't I need to send all the clients the cert to install?

AclassPC,

Nope, it is a single server that is the PDC and Exchange server. Don't look at me, I just took this network over and our systems admin left for Iraq. I don't deal with Windows machines often.
Akhater

I already told you that you will need to resend it to all clients, and it is NOT the .pfx; if this is what you sent before, you made a mistake, since the .pfx contains the PRIVATE key.

And that is why I told you to buy one.

Anyway, after you renew your certificate you should first assign it to IIS. Do you know how to do this?

Once you do this, go to your Exchange server -> Start, Run, mmc -> File, Add/Remove Snap-ins, and add Certificates -> Computer -> Local computer.

In the Personal certificate store you will see the new certificate you have created. Right-click it, All Tasks, Export, and export it WITHOUT the private key. It will give you a .cer file, and this is the one you should send to your clients.
Alan Hardisty

I'm with Akhater - save yourself the time and hassle and spend $60 to buy a 1 year SAN / UCC certificate.

How much is your time worth to the company per hour and how much time have you spent trying to fix the problem already?

Is it more than $60?

If it is, your company is wasting time / money when you could have this solved in about 10 minutes of your time buying a 3rd party SSL certificate.

GoDaddy are about the cheapest place to buy Certs, but a GoDaddy reseller account is slightly cheaper :)
BluJ

ASKER

I've created a new certificate now; the mobile devices (iPhone and iPad) are still having errors. Any suggestions with them?
Roy Sims

Well, the easiest way would be to purchase a certificate. With the purchase of a cert from, e.g., Verisign or Thawte you won't have to send anything out to your users; they will work instantly.

Now, if there are policies you have to follow, I understand and we can proceed with creating a cert, but you have to know where your certificate server is.

Also, can you click on that View Certificate button on the security message so we can see what type of cert you had?
Akhater

Creating the certificate is NOT enough.

Did you assign it to the IIS service using Enable-ExchangeCertificate?

Did you export it as I told you, send it to the phone and install it?
Alan Hardisty

If you have a self-issued certificate, it will need to be installed / trusted on each device.
Roy Sims

iPhones and iPads will work; you will just get a cert error. I think if you trust it once you won't see that error again.
BluJ

ASKER

Just for clarification, is the install process on the Windows clients: click on the cert, Install, Place all certificates in the following store, then what folder from there?
Akhater

To install I wouldn't just double-click.

Start, Run, mmc -> File, Add/Remove Snap-ins, and add Certificates -> Computer -> Local computer -> Trusted Root CA -> right-click, All Tasks, Import, and import the certificate here.
BluJ

ASKER

I'm dealing with users that will not want to run the MMC.
Akhater

:) Users should be importing certificates to start with, but I won't go over this one again.

The certificate should be in the LOCAL COMPUTER store, in Trusted Root Certificate Authorities.
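Akhater's sequence (renew, assign to IIS, export without the private key, then trust the .cer on each client in the Local Computer Trusted Root store), as an added PowerShell example that is not from the thread; mail.domain.com, autodiscover.domain.com and the file path are assumed placeholders, and the HasPrivateKey check is an extra safeguard against repeating the .pfx mistake:

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2007 server; names and paths below are assumed placeholders.
$fqdn   = "mail.domain.com"               # assumed name Outlook/ActiveSync connect to
$cerOut = "C:\exchange-selfsigned.cer"    # assumed export path (public certificate only)

# 1. Renew: create a new self-signed certificate. -Services None leaves it unbound so
#    nothing changes until step 2 (creating alone is not enough).
$new = New-ExchangeCertificate -SubjectName "CN=$fqdn" `
        -DomainName $fqdn, "autodiscover.domain.com" `
        -FriendlyName "Exchange self-signed (renewed)" -KeySize 2048 -Services None

# 2. Assign it to IIS (OWA, Outlook Anywhere, ActiveSync and Autodiscover all sit on IIS).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS -Confirm:$false

# 3. Export the PUBLIC part only (DER .cer). X509ContentType::Cert can never include
#    the private key, unlike the .pfx the previous technician mailed around.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$cert = $store.Certificates.Find("FindByThumbprint", $new.Thumbprint, $false)[0]
$store.Close()
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerOut, $der)

# 4. Sanity check before sending the file anywhere: it must carry no private key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerOut)
if ($check.HasPrivateKey) { throw "Export contains a private key; do not distribute it." }
"Send $cerOut (thumbprint $($check.Thumbprint), expires $($check.NotAfter))"

# 5. On each client (elevated, or via a GPO that deploys the .cer): trust it in the
#    Local Computer > Trusted Root Certification Authorities store, not the user store.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$root.Open("ReadWrite")
$root.Add($check)
$root.Close()
```

Step 5 is the part each client needs; steps 1 to 4 run once on the server.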
BluJ

ASKER

You know what, I'm with you guys; for what, like $50.00 for a 5/yr from Servertastic.
SOLUTION
Alan Hardisty
Alan Hardisty

Not sure if Servertastic is going to sell you a SAN / UCC cert for 5 years for $50.00
Akhater

You mean $50/year or /5 years?

I'd double-check if they can confirm it will work with Exchange and if it is a SAN certificate first.
Akhater

Sorry Alan, posts crossed.
emadallan

Even if I am with the advice to work with a third-party cert, here is how to configure a self-signed cert for mobile devices:
http://searchexchange.techtarget.com/tip/Adding-self-signed-root-certificates-to-Windows-mobile-devices
BluJ

ASKER

Yeah, they all have iPads and iPhones; of course I don't use either.
Alan Hardisty

@Akhater - no need for you to apologise.
BluJ

ASKER

Before I close this, why do you need a SAN certificate? BTW, I just want to thank all of you; I have learned a ton today. I only ever touch the routers/switches/firewalls; I'm trying to expand into some systems administration as well.

What is a recommended site? Do you recommend 1yr/2yr/3yr/etc?

Also, can someone explain the difference between the SAN cert and a wildcard cert? I'm assuming price. I'm tired of trying to explain to these yahoos how easy this could be.
Alan Hardisty

You need a SAN (Subject Alternative Name) certificate to cater for all the names you will need, both internal names and external names.

Exchange 2007 / 2010 has internal FQDNs and external FQDNs which can be set for most of the Exchange features, and these need to be reflected in the certificate.
BluJ

ASKER

They still don't want to spend the money on this, and the mobile devices are still having issues (iPad and iPhone). Any ideas on how to fix their errors?
Alan Hardisty

They don't want to spend $60 to fix this for a year?

http://www.exchange-certificates.com/

(This is my GoDaddy Reseller Account by the way)
BluJ

ASKER

Another new error today, wtf is going on. (screenshot attached)
Akhater

Same error, same issue. Buy the certificate and let's get done with this.
BluJ

ASKER

I can't stress enough they don't want to spend money. I don't work in a corporate environment where the company has money to shell out; they made a dumb purchase on this Exchange server to begin with, part of the reason they fired their previous IT company. I can recommend all day long; they just will not spend it, period.

What can I do other than what I have done so far? How do I get the error message off that just popped up?
Alan Hardisty

If you want to fix the issues - buy a certificate. It's as simple as that.

If your company does not want to spend the money, then tell them to live with the errors.

Does Out of Office work?

Does ActiveSync work?
Akhater

I don't think I have anything more to bring to this thread; I will stop watching it.

Good luck.
BluJ

ASKER

The iPad and iPhone use ActiveSync; they are not working. Again, why I need additional help without making them spend money; they are just being ridiculous about this. If they don't give in I may just fing purchase the cert myself. Seriously, $60.00 a year from Alan seems like a deal just to get this off my back.
Alan Hardisty

It's about the cheapest place around (apart from other GoDaddy Reseller Cert Sites).

$59.99 will sort the issue for a year (with the names I specified earlier) and then you can point out to your company that $60 fixed the problem and next year when it runs out again and it takes 3 days of haggling over $60 they might realise how short-sighted they are being.
Akhater

You are totally right, and that's what we have been trying to tell you since the start.
BluJ

ASKER

AGAIN, I have already told them the time I've spent on this could have been avoided with $60.00. THEY DO NOT LISTEN.
Alan Hardisty

Leave it a few more days.  See how long it takes them before they change their mind.
BluJ

ASKER

Alan,

How do I go about purchasing this from your site? It appears the PayPal link is broken. Do I just purchase the 1 year, up to 5 domains? Do I need to do anything else? Do I get install instructions, etc.?
Alan Hardisty

I can talk you through it if you get stuck at any stage.

You basically purchase a Multiple Domain UCC Certificate (up to 5) for however long you want to buy it for, which buys you a certificate credit.

Once purchased, you then need to generate the Certificate Signing Request on the server.

Once you have the CSR, you go back to the site, use the credit and then manage the certificate.

When managing the cert, you request a cert, copy/paste the contents of the CSR into the request, then the registered Domain Administrator approves the certificate (via email) and then the cert is issued.

You then download the cert, import it, enable it and job done.
BluJ

ASKER

Are there instructions for the CSR generation on the server? I'm on that part now.
Alan Hardisty

I tend to use the following tool:

https://www.digicert.com/easy-csr/exchange2007.htm

Fill in the required details, then copy / paste the output from this site into the Exchange Management Shell to produce the CSR.
BluJ

ASKER

mail.domain.com would be the common name?
After that, in the alternate names I would have:

autodiscover.domain.com
exchangeservername.domain.local
exchangeservername

Sorry, don't want to mess this up.
Alan Hardisty

Yep - that's correct.
BluJ

ASKER

Should I add a -path c:\certrequestname.txt to the end of it?
Alan Hardisty

You can - that's just where it will write the CSR file to and the name it will use.  You can change the location and name to suit - the name of the file can be anything you like.
Alan Hardisty

If you look at the generated CSR code, the path and name are already included.
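The CSR route Alan walks through, with the common name and alternate names BluJ listed and the -Path parameter just discussed, as an added PowerShell example that is not from the thread; domain.com, domain.local, exchangeservername and both file paths are placeholders to replace, and the SAN check at the end is an extra verification step, not something the thread prescribes:

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell;
# domain.com / domain.local / exchangeservername and the paths are placeholders.
$commonName = "mail.domain.com"
$sanNames   = @("mail.domain.com",
                "autodiscover.domain.com",
                "exchangeservername.domain.local",
                "exchangeservername")
$csrPath    = "C:\certrequest.txt"         # where the Base64 CSR is written
$issuedCer  = "C:\mail_domain_com.cer"     # file downloaded from the CA after approval

# 1. Generate the request on the server that will hold the key. -Path is Exchange 2007
#    syntax; the file's contents are what you paste into the CA's request form.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$commonName" `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path $csrPath

# 2. After the domain's admin contact approves by email and the cert is issued, import
#    it on the SAME server (the pending request holds the private key) and bind it.
$cert = Import-ExchangeCertificate -Path $issuedCer
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS, SMTP" -Confirm:$false

# 3. Confirm every required name is in the Subject Alternative Name extension (OID
#    2.5.29.17). A missing name triggers the same Outlook security alert as an
#    expired or untrusted certificate, so check before declaring it fixed.
function Test-ExchangeCertNames([string]$thumbprint, [string[]]$required) {
    $c   = Get-ExchangeCertificate -Thumbprint $thumbprint
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $san) { return $required }          # no SAN extension: every name is missing
    $present = @()
    foreach ($line in $san.Format($true).Split("`n")) {   # lines like "DNS Name=host"
        $t = $line.Trim(); $i = $t.IndexOf("=")
        if ($i -gt 0) { $present += $t.Substring($i + 1).Trim() }
    }
    return $required | Where-Object { $present -notcontains $_ }
}
$missing = Test-ExchangeCertNames $cert.Thumbprint $sanNames
if ($missing) { Write-Warning ("Not covered by the certificate: " + ($missing -join ", ")) }
else          { "All names covered; certificate expires $($cert.NotAfter)" }
```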
BluJ

ASKER

OK, I used the credit, clicked on Manage and it took me to another site. I don't see a place where I can place my .txt file contents.
Alan Hardisty

Click on the bottom link on the left which I think is credits where you should see a credit.  If not - hit refresh until it appears.
BluJ

ASKER

It appeared; do I click on the Request Certificate link?
Alan Hardisty

Yes - then you can copy/paste the contents of the CSR into the request and process the request on the site.  Then you have to sit and wait.

Does the email address for the admin contact on the domain point somewhere you have control over, or is it someone you know?
BluJ

ASKER

I'm sitting and waiting.

No idea where the admin contact on the domain points, tbh.
Alan Hardisty

Visit http://www.whois.com/ and check.
BluJ

ASKER

OK, I know the person who is the contact.
SOLUTION
Alan Hardisty
Alan Hardisty

The person who is the admin contact should receive an email or two and they will need to approve those before the certificate will be issued.
Alan Hardisty

If you get stuck anywhere once the cert is installed or something isn't working, please let us know.

Night night :)

(Don't think I deserve all the points here - would have been happy with a split)
Akhater

Alan has been of great help, but my answer was correct since the first reply to this thread, so I guess a point split would have been more adequate.
Akhater

thanks Alan :D
BluJ

ASKER

Sorry Akhater,

Thanks to both of you.

One last question: I have the new cert installed and active. What do I need to do with the old self-assigned one?
Alan Hardisty

You can delete it or leave it be.  As it has expired and should no longer be used for anything because the new certificate is installed and configured, then either is fine.

Is everything working happily now?
BluJ

ASKER

Still waiting to see; I'm thinking it's all happy now.
Alan Hardisty

Good news - is the company happy and have you got your money back from them yet or do you not anticipate that happening this side of your 100th birthday?