Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Self Signed Certificate Expired in Exchange 2007

Posted on 2012-04-11
3
Medium Priority
?
717 Views
Last Modified: 2012-08-07
I have a server running SBS 2008 and my self signed certificate recently expired and I am trying to create a new one with the same names and parameters.  I am close but I still get the security warning when I go into Outlook .  The first 2 messages about a trusted source and valid cert have green check marks, but the third has the red X which says "The name on the security certificate is invalid or does not match the name of the site"  When it first expired, the first and 3rd had green checks and the middle was a red X.

The original certificate looks like this:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.cowleyco.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVERSBS-CA
NotAfter           : 4/9/2012 11:03:05 PM
NotBefore          : 4/10/2010 11:03:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6107601F000000000002
Services           : IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 3A40859109A168475AC51DD529030A3577A0934F

Then from the mgmt shell I am typing the line below to create my new cert:

new-exchangecertificate -subjectname "CN=Sites" -domainname "SERVERSBS.mydomain.local" -includeaccepteddomains -includeautodiscover

And this yielded the following:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.mydomain.local, mydomain.local, mydomain
                     .com, autodiscover.mydomain.local, autodiscover.mydomain.c
                     om}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/11/2013 8:03:22 AM
NotBefore          : 4/11/2012 8:03:22 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 12FAA5485D315A8B4D72E830AB356801
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : A3FC1A8870F0BDDE267E74F3C1D2A0877148D38C

Now within oultlook clients, they connect to SERVERSBS.mydomain.local, so how do I change what I am typing to get the new cert to match the name of the old cert or at least get rid of the error.

Thanks

TJ
0
Comment
Question by:tjwib29
3 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37833494
please see below link to renew self sign certificate
http://forums.msexchange.org/m_1800490079/mpage_1/key_/tm.htm#1800490079
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37833527
You should never have to do this. Did you use the wizard to renew your Add a Trusted Certificate. Then setup an SRV record in your DNS and that is all you should need.

http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/
0
 
LVL 9

Accepted Solution

by:
Aeriden earned 1500 total points
ID: 37833534
Here is what I do...

Issue a
  Get-ExchangeCertificate -domain "SERVERSBS.mydomain.local" | fl  
Note the thumbprint for the self-signed certificate

Then I issue
  Get-ExchangeCertificate -thumbprint "<your self-signed thumbprint>" | New-ExchangeCertificate  
Type Y to overwrite the existing certificate.  A new thumbprint will be generated for the replacement certificate.

Issue
  Get-ExchangeCertificate -thumbprint "<new thumbprint>" | fl

The new certificate generated is sometimes only enabled for POP, IMAP, and SMTP.  To enable IIS support, issue the following:
  Enable-ExchangeCertificate -thumbprint "<new thumbprint>" -services IIS

You can use Remove-ExchangeCertificate to remove unwanted certificates (such as the one you just created).

I hope this gives you ideas for your environment.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Steps to fix “Unable to mount database. (hr=0x80004005, ec=1108)”.
Take a look at these 6 Outlook Email management tools which can augment the working and performance of Microsoft Outlook to give you a more rewarding emailing experience.
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…
Suggested Courses

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question