Solved

Self Signed Certificate Expired in Exchange 2007

Posted on 2012-04-11
3
705 Views
Last Modified: 2012-08-07
I have a server running SBS 2008 and my self signed certificate recently expired and I am trying to create a new one with the same names and parameters.  I am close but I still get the security warning when I go into Outlook .  The first 2 messages about a trusted source and valid cert have green check marks, but the third has the red X which says "The name on the security certificate is invalid or does not match the name of the site"  When it first expired, the first and 3rd had green checks and the middle was a red X.

The original certificate looks like this:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.cowleyco.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mydomain-SERVERSBS-CA
NotAfter           : 4/9/2012 11:03:05 PM
NotBefore          : 4/10/2010 11:03:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6107601F000000000002
Services           : IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 3A40859109A168475AC51DD529030A3577A0934F

Then from the mgmt shell I am typing the line below to create my new cert:

new-exchangecertificate -subjectname "CN=Sites" -domainname "SERVERSBS.mydomain.local" -includeaccepteddomains -includeautodiscover

And this yielded the following:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERSBS.mydomain.local, mydomain.local, mydomain
                     .com, autodiscover.mydomain.local, autodiscover.mydomain.c
                     om}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/11/2013 8:03:22 AM
NotBefore          : 4/11/2012 8:03:22 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 12FAA5485D315A8B4D72E830AB356801
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : A3FC1A8870F0BDDE267E74F3C1D2A0877148D38C

Now within oultlook clients, they connect to SERVERSBS.mydomain.local, so how do I change what I am typing to get the new cert to match the name of the old cert or at least get rid of the error.

Thanks

TJ
0
Comment
Question by:tjwib29
3 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37833494
please see below link to renew self sign certificate
http://forums.msexchange.org/m_1800490079/mpage_1/key_/tm.htm#1800490079
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37833527
You should never have to do this. Did you use the wizard to renew your Add a Trusted Certificate. Then setup an SRV record in your DNS and that is all you should need.

http://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/
0
 
LVL 9

Accepted Solution

by:
Aeriden earned 500 total points
ID: 37833534
Here is what I do...

Issue a
  Get-ExchangeCertificate -domain "SERVERSBS.mydomain.local" | fl  
Note the thumbprint for the self-signed certificate

Then I issue
  Get-ExchangeCertificate -thumbprint "<your self-signed thumbprint>" | New-ExchangeCertificate  
Type Y to overwrite the existing certificate.  A new thumbprint will be generated for the replacement certificate.

Issue
  Get-ExchangeCertificate -thumbprint "<new thumbprint>" | fl

The new certificate generated is sometimes only enabled for POP, IMAP, and SMTP.  To enable IIS support, issue the following:
  Enable-ExchangeCertificate -thumbprint "<new thumbprint>" -services IIS

You can use Remove-ExchangeCertificate to remove unwanted certificates (such as the one you just created).

I hope this gives you ideas for your environment.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Email Send REcieve Problem on TMG 2010 6 57
Lost emails in Outlook 18 33
Remote Powershell Issue 3 29
Exchange 2016 - not receiving mail 17 35
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this step by step procedure, you will come to know the details of creating an Outlook meeting in 2007, 2010, 2013 & 2016.
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question