Solved

Self Signed Certificate Expired in Exchange 2007

Posted on 2012-04-11
3
701 Views
Last Modified: 2012-08-07
I have a server running SBS 2008 and my self signed certificate recently expired and I am trying to create a new one with the same names and parameters.  I am close but I still get the security warning when I go into Outlook .  The first 2 messages about a trusted source and valid cert have green check marks, but the third has the red X which says "The name on the security certificate is invalid or does not match the name of the site"  When it first expired, the first and 3rd had green checks and the middle was a red X.

The original certificate looks like this:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.cowleyco.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVERSBS-CA
NotAfter           : 4/9/2012 11:03:05 PM
NotBefore          : 4/10/2010 11:03:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6107601F000000000002
Services           : IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 3A40859109A168475AC51DD529030A3577A0934F

Then from the mgmt shell I am typing the line below to create my new cert:

new-exchangecertificate -subjectname "CN=Sites" -domainname "SERVERSBS.mydomain.local" -includeaccepteddomains -includeautodiscover

And this yielded the following:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.mydomain.local, mydomain.local, mydomain
                     .com, autodiscover.mydomain.local, autodiscover.mydomain.c
                     om}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/11/2013 8:03:22 AM
NotBefore          : 4/11/2012 8:03:22 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 12FAA5485D315A8B4D72E830AB356801
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : A3FC1A8870F0BDDE267E74F3C1D2A0877148D38C

Now within oultlook clients, they connect to SERVERSBS.mydomain.local, so how do I change what I am typing to get the new cert to match the name of the old cert or at least get rid of the error.

Thanks

TJ
0
Comment
Question by:tjwib29
3 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37833494
please see below link to renew self sign certificate
http://forums.msexchange.org/m_1800490079/mpage_1/key_/tm.htm#1800490079
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37833527
You should never have to do this. Did you use the wizard to renew your Add a Trusted Certificate. Then setup an SRV record in your DNS and that is all you should need.

http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/
0
 
LVL 9

Accepted Solution

by:
Aeriden earned 500 total points
ID: 37833534
Here is what I do...

Issue a
  Get-ExchangeCertificate -domain "SERVERSBS.mydomain.local" | fl  
Note the thumbprint for the self-signed certificate

Then I issue
  Get-ExchangeCertificate -thumbprint "<your self-signed thumbprint>" | New-ExchangeCertificate  
Type Y to overwrite the existing certificate.  A new thumbprint will be generated for the replacement certificate.

Issue
  Get-ExchangeCertificate -thumbprint "<new thumbprint>" | fl

The new certificate generated is sometimes only enabled for POP, IMAP, and SMTP.  To enable IIS support, issue the following:
  Enable-ExchangeCertificate -thumbprint "<new thumbprint>" -services IIS

You can use Remove-ExchangeCertificate to remove unwanted certificates (such as the one you just created).

I hope this gives you ideas for your environment.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you don't know how to downgrade, my instructions below should be helpful.
Find out what you should include to make the best professional email signature for your organization.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question