• Status: Solved

Exchange 2007 certificate expired: how do I update the Outlook clients?

I have created and enabled the new certificate for my Exchange 2007 server. What are my options for Outlook? Do I have to manually go to each computer with Outlook and install the new certificate?

Thanks,

Jamie
1 Solution
BianaryBarbarian commented:
You should be able to do this from the server level, here is a good starting place.

http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx

But I believe this may help in your particular issue.

http://support.microsoft.com/kb/555842
 
jamiebehl (Author) commented:
Here is what I have done so far.

1. Get-exchangecertificate | List  "I saw my certificate was expired."  This is a self-signed cert.
2. New-ExchangeCertificate and selected y for yes
3. Enable-ExchangeCertificate -Thumbprint (New Thumbprint) -Service IIS
4. Remove-ExchangeCertificate -Thumbprint (Old Thumbprint)

Is there something extra I need to do for the self-signed certs? It is saying "The security cert was issued by a company you have not chosen to trust. View the cert to determine whether you want to trust the certifying authority." I can manually add it, but I have many Outlook clients and it doesn't seem like the best solution.
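The four renewal steps above, written out as an added example for the Exchange 2007 Management Shell (this is not code from the thread or from Microsoft): it creates the replacement self-signed certificate with every name Outlook will connect to, binds it before the old one is removed, and exports the public part so it can be distributed to clients by Group Policy rather than imported on each machine. The three host names and the export path are constructed placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
# Renews the self-signed certificate with every name Outlook connects to, binds
# it before retiring the old one, and exports the public part for distribution.
# The three host names and the export path are constructed placeholders.
$ExternalName = 'mail.ourserver.com'        # name used in the published URLs
$InternalFqdn = 'servername.domain.local'   # FQDN Outlook reaches via Autodiscover
$ShortName    = 'servername'                # NetBIOS name of the server

# 1. Find the certificate currently bound to IIS; this is the one Outlook sees.
$old = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
if ($old) { "Current IIS certificate {0} expires {1}" -f $old.Thumbprint, $old.NotAfter }

# 2. Create a replacement whose subject alternative names cover all three names,
#    so neither the external nor the internal FQDN triggers a name mismatch.
$new = New-ExchangeCertificate -SubjectName "CN=$ExternalName" `
         -DomainName $ExternalName, $InternalFqdn, $ShortName `
         -PrivateKeyExportable $true -KeySize 2048

# 3. Bind the new certificate to the services, then verify what clients will get.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP,POP,IMAP -Confirm:$false
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List CertificateDomains, Services, Status, NotAfter

# 4. Only now remove the expired certificate, so IIS is never left without one.
if ($old -and $old.Thumbprint -ne $new.Thumbprint) {
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
}

# 5. Export the public certificate (no private key). Pushing this .cer into the
#    clients' Trusted Root Certification Authorities store with Group Policy
#    removes the "not chosen to trust" prompt without visiting each machine.
$stored = Get-ChildItem "Cert:\LocalMachine\My\$($new.Thumbprint)"
[System.IO.File]::WriteAllBytes('C:\Temp\exchange-selfsigned.cer', $stored.Export('Cert'))
```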
 
BianaryBarbarian commented:
If the certificate is coming from your own internal CA, then it should be trusted, so I presume this is the default self signed Exchange Cert?

Are the machines with Outlook 2010 on them new? I would imagine you have selected to trust the certificate for the other machines.

http://hellomate.typepad.com/exchange/2004/07/this_security_c.html
 
colonytire (Director of Technology) commented:
What do you get when you run the Get-ExchangeCertificate command? Sounds like it may be enabled for IIS only.
 
colonytire (Director of Technology) commented:
Specifically run "Get-ExchangeCertificate | fl" to list all details.
 
jamiebehl (Author) commented:
The cert shows it for IMAP, POP, UM, IIS, and SMTP. All the problem machines do have Outlook 2010. When I set them up, though, I had to trust the old certificate. I just configured one last week and had to go through the import process. Will I have to update each client machine every time I update the cert on the server?
 
colonytire (Director of Technology) commented:
OK, you probably need to go here: http://support.microsoft.com/kb/940726
 
jamiebehl (Author) commented:
When I do a get-exchangecertificate | fl I have noticed that I have multiple entries. Should I just have one? They have different dates. I am trying to determine how to tell them apart. Some show False for IsSelfSigned and others say True. They all have the same subject cn="my server name". Some have a 1024 and some have a 2048 public key size. All but the top one have an invalid or unknown status. I have failed on the 2nd step of the above URL. I will have to work on the EWS portion.

The services are different on them all. The first one shows IMAP, POP, UM, IIS, SMTP.
2 - IMAP, POP, UM, SMTP
3 - IMAP, POP, UM
4 - IMAP, POP, UM
5 - IMAP, POP, UM
 
colonytire (Director of Technology) commented:
Pretty sure there should only be 1 listed and active. Worst case, delete them all and recreate a new cert using this link: http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
 
jamiebehl (Author) commented:
OK, I have deleted all the certificates. I now only have one. All I did was create it and enable it with IIS. When opening up Outlook I get two errors. "The security cert was issued by a company you have not chosen to trust. View the cert to determine whether you want to trust the cert auth." The date is valid, and then "the name on the security cert is invalid or does not match the name of the site." Can someone explain how this works and then what I need to do? I have attempted a few of the sites that have been posted, but they are very lengthy and most don't pertain to my situation.
 
colonytire (Director of Technology) commented:
For the 1 certificate you have now, what do you get with the get-exchangecertificate | fl command?
 
jamiebehl (Author) commented:
I modified the server names and starred out the thumbprint and serial number.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {mail.ourserver.com, internalservername}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.ourserver.com
NotAfter           : 9/4/2017 9:28:06 PM
NotBefore          : 9/4/2012 9:28:06 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 4*********************
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.ourserver.com
Thumbprint         : 9***********************
 
colonytire (Director of Technology) commented:
That all looks good. If that's the active cert you should be OK, unless this part needs to be addressed now: http://support.microsoft.com/kb/940726

I am thinking that the multiple certs may have mixed up the autodiscover.xml file and process.
 
jamiebehl (Author) commented:
I can run the autodiscover command fine. The next command gives me errors. I am also getting 3 security alerts. The mail.ourdomain.com one says the security cert was issued by a company you have not chosen to trust. The other two are from ourserver.local and have the same error, along with "the name on the security cert is invalid or does not match the name of the site."

This one gives me the error listed below.
"Change the InternalUrl attribute of the EWS. To do this, type the following command, and then press Enter:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx"

Here is my error:

[PS] C:\Windows\system32>set-webservicesvirtualdirectory -identity "ourinternalserver.local\ews" -internalurl https://mail.domain.com/ews/exchange.asmx
Set-WebServicesVirtualDirectory : The operation could not be performed because
object 'ourinternalserver.local\ews' could not be found on domain controller 'ourinternalserver.local'.
At line:1 char:32
+ set-webservicesvirtualdirectory <<<<  -identity "ourinternalserver.local\ews"
-internalurl https://mail.domain.com/ews/exchange.asmx
    + CategoryInfo          : NotSpecified: (0:Int32) [Set-WebServicesVirtualD
   irectory], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : FF121805,Microsoft.Exchange.Management.SystemCon
   figurationTasks.SetWebServicesVirtualDirectory
 
jamiebehl (Author) commented:
I went through all steps of http://support.microsoft.com/kb/940726. I am still receiving the same errors when opening my Outlook 2010. Is there a way to test any of this? This is the first year we have had Office 2007 or 2010, so I'm not sure if there is a step that has never been completed on this Exchange 2007 server.

Here are the security alerts when opening Outlook 2010.

mail.ourdomain.com
X The security certificate was issued by a company you have not chosen to trust.  View the certificate to determine whether you want to trust the certifying authority.
OK The security date is valid
OK The security certificate has a valid name.

servername.domain.local
X The security certificate was issued by a company you have not chosen to trust.  View the certificate to determine whether you want to trust the certifying authority.
OK The security date is valid
X The name on the security certificate is invalid or does not match the name of the site.
 
colonytire (Director of Technology) commented:
You have multiple FQDNs in place, it looks like. Have a look at this article. It's the simplest explanation of what I think may be happening on your server: http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
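A check for the name mismatch colonytire describes, as an added example that is not from the thread: it gathers the host names Outlook 2007/2010 learns from Autodiscover (the Autodiscover, EWS, OAB and UM URLs that KB 940726 adjusts) and compares them with the CertificateDomains of the certificate bound to IIS, which in the listing above holds only mail.ourserver.com and the short server name while the alerts come from servername.domain.local. It assumes an Exchange 2007 SP1 Management Shell; the wildcard handling is an assumption of the example.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell
# on the Client Access server. Lists the host names Outlook will connect to and
# flags any that are missing from the IIS-bound certificate.
function Get-UrlHost($url) {
    # Lower-cased host part of a URL, or nothing when the URL is empty.
    if ($url) { ([System.Uri]$url.ToString()).Host.ToLower() }
}

function Test-NameCovered($name, $domains) {
    # Exact SAN match, or a wildcard entry (*.example.com) covering one label.
    foreach ($d in $domains) {
        if ($d -eq $name) { return $true }
        if ($d.StartsWith('*.') -and $name.EndsWith($d.Substring(1)) -and ($name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# Names Outlook learns through Autodiscover (the URLs KB 940726 tells you to set).
$hosts = @()
Get-ClientAccessServer          | ForEach-Object { $hosts += Get-UrlHost $_.AutoDiscoverServiceInternalUri }
Get-WebServicesVirtualDirectory | ForEach-Object { $hosts += Get-UrlHost $_.InternalUrl; $hosts += Get-UrlHost $_.ExternalUrl }
Get-OabVirtualDirectory         | ForEach-Object { $hosts += Get-UrlHost $_.InternalUrl; $hosts += Get-UrlHost $_.ExternalUrl }
Get-UMVirtualDirectory          | ForEach-Object { $hosts += Get-UrlHost $_.InternalUrl; $hosts += Get-UrlHost $_.ExternalUrl }
$needed = $hosts | Where-Object { $_ } | Sort-Object -Unique

# Outlook is shown the certificate bound to IIS; there should be exactly one.
$certs = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })
if ($certs.Count -ne 1) { Write-Warning ("Expected one IIS-bound certificate, found {0}" -f $certs.Count) }
$cert    = $certs[0]
$covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

"Certificate {0} (self-signed: {1}) covers: {2}" -f $cert.Thumbprint, $cert.IsSelfSigned, ($covered -join ', ')
foreach ($n in $needed) {
    if (Test-NameCovered $n $covered) { "OK        $n" }
    else { "MISMATCH  $n  -> add it to the certificate or point the URL at a covered name" }
}
if ($cert.IsSelfSigned) {
    # A name match alone does not clear the trust prompt for a self-signed cert.
    "Self-signed: clients also need this certificate in their Trusted Root store."
}
```

Every MISMATCH line corresponds to one of the "name on the security certificate is invalid" alerts; fixing it means either reissuing the certificate with that name or changing the InternalUrl to a name the certificate already carries.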
 
jamiebehl (Author) commented:
Would the errors all go away if I purchased a cert? I went through those instructions and it appears mine is set up correctly.
 
colonytire (Director of Technology) commented:
Doubt purchasing would help, since it seems the 2 different names is causing the conflict. You may have to drop 250.00 to Micro$oft to get it done safely. I suspect that in your initial setup the actual computer name is different than it is named in your Active Directory for other processes, thus the conflict. Wish I knew a safe direction to point you in. If you get it fixed, please post the resolution.
 
jamiebehl (Author) commented:
Still haven't resolved the issue. I haven't spent any time looking. Everything still works; we just get the annoying popup.