Solved

Self Signed Certificate Expired in Exchange 2007

Posted on 2012-04-11
3
698 Views
Last Modified: 2012-08-07
I have a server running SBS 2008 and my self signed certificate recently expired and I am trying to create a new one with the same names and parameters.  I am close but I still get the security warning when I go into Outlook .  The first 2 messages about a trusted source and valid cert have green check marks, but the third has the red X which says "The name on the security certificate is invalid or does not match the name of the site"  When it first expired, the first and 3rd had green checks and the middle was a red X.

The original certificate looks like this:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.cowleyco.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVERSBS-CA
NotAfter           : 4/9/2012 11:03:05 PM
NotBefore          : 4/10/2010 11:03:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6107601F000000000002
Services           : IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 3A40859109A168475AC51DD529030A3577A0934F

Then from the mgmt shell I am typing the line below to create my new cert:

new-exchangecertificate -subjectname "CN=Sites" -domainname "SERVERSBS.mydomain.local" -includeaccepteddomains -includeautodiscover

And this yielded the following:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.mydomain.local, mydomain.local, mydomain
                     .com, autodiscover.mydomain.local, autodiscover.mydomain.c
                     om}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/11/2013 8:03:22 AM
NotBefore          : 4/11/2012 8:03:22 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 12FAA5485D315A8B4D72E830AB356801
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : A3FC1A8870F0BDDE267E74F3C1D2A0877148D38C

Now within oultlook clients, they connect to SERVERSBS.mydomain.local, so how do I change what I am typing to get the new cert to match the name of the old cert or at least get rid of the error.

Thanks

TJ
0
Comment
Question by:tjwib29
3 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
Comment Utility
please see below link to renew self sign certificate
http://forums.msexchange.org/m_1800490079/mpage_1/key_/tm.htm#1800490079
0
 
LVL 14

Expert Comment

by:RickEpnet
Comment Utility
You should never have to do this. Did you use the wizard to renew your Add a Trusted Certificate. Then setup an SRV record in your DNS and that is all you should need.

http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/
0
 
LVL 9

Accepted Solution

by:
Aeriden earned 500 total points
Comment Utility
Here is what I do...

Issue a
  Get-ExchangeCertificate -domain "SERVERSBS.mydomain.local" | fl  
Note the thumbprint for the self-signed certificate

Then I issue
  Get-ExchangeCertificate -thumbprint "<your self-signed thumbprint>" | New-ExchangeCertificate  
Type Y to overwrite the existing certificate.  A new thumbprint will be generated for the replacement certificate.

Issue
  Get-ExchangeCertificate -thumbprint "<new thumbprint>" | fl

The new certificate generated is sometimes only enabled for POP, IMAP, and SMTP.  To enable IIS support, issue the following:
  Enable-ExchangeCertificate -thumbprint "<new thumbprint>" -services IIS

You can use Remove-ExchangeCertificate to remove unwanted certificates (such as the one you just created).

I hope this gives you ideas for your environment.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now