Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Self Signed Certificate Expired in Exchange 2007

Posted on 2012-04-11
3
Medium Priority
?
714 Views
Last Modified: 2012-08-07
I have a server running SBS 2008 and my self signed certificate recently expired and I am trying to create a new one with the same names and parameters.  I am close but I still get the security warning when I go into Outlook .  The first 2 messages about a trusted source and valid cert have green check marks, but the third has the red X which says "The name on the security certificate is invalid or does not match the name of the site"  When it first expired, the first and 3rd had green checks and the middle was a red X.

The original certificate looks like this:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.cowleyco.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVERSBS-CA
NotAfter           : 4/9/2012 11:03:05 PM
NotBefore          : 4/10/2010 11:03:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6107601F000000000002
Services           : IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 3A40859109A168475AC51DD529030A3577A0934F

Then from the mgmt shell I am typing the line below to create my new cert:

new-exchangecertificate -subjectname "CN=Sites" -domainname "SERVERSBS.mydomain.local" -includeaccepteddomains -includeautodiscover

And this yielded the following:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.mydomain.local, mydomain.local, mydomain
                     .com, autodiscover.mydomain.local, autodiscover.mydomain.c
                     om}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/11/2013 8:03:22 AM
NotBefore          : 4/11/2012 8:03:22 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 12FAA5485D315A8B4D72E830AB356801
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : A3FC1A8870F0BDDE267E74F3C1D2A0877148D38C

Now within oultlook clients, they connect to SERVERSBS.mydomain.local, so how do I change what I am typing to get the new cert to match the name of the old cert or at least get rid of the error.

Thanks

TJ
0
Comment
Question by:tjwib29
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37833494
please see below link to renew self sign certificate
http://forums.msexchange.org/m_1800490079/mpage_1/key_/tm.htm#1800490079
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37833527
You should never have to do this. Did you use the wizard to renew your Add a Trusted Certificate. Then setup an SRV record in your DNS and that is all you should need.

http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/
0
 
LVL 9

Accepted Solution

by:
Aeriden earned 1500 total points
ID: 37833534
Here is what I do...

Issue a
  Get-ExchangeCertificate -domain "SERVERSBS.mydomain.local" | fl  
Note the thumbprint for the self-signed certificate

Then I issue
  Get-ExchangeCertificate -thumbprint "<your self-signed thumbprint>" | New-ExchangeCertificate  
Type Y to overwrite the existing certificate.  A new thumbprint will be generated for the replacement certificate.

Issue
  Get-ExchangeCertificate -thumbprint "<new thumbprint>" | fl

The new certificate generated is sometimes only enabled for POP, IMAP, and SMTP.  To enable IIS support, issue the following:
  Enable-ExchangeCertificate -thumbprint "<new thumbprint>" -services IIS

You can use Remove-ExchangeCertificate to remove unwanted certificates (such as the one you just created).

I hope this gives you ideas for your environment.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question