Solved

Renew certificate for Exchange Server 2007

Posted on 2013-01-06
7
1,031 Views
Last Modified: 2013-01-08
Hi All,

I will renew the certificate for our Exchange Server 2007. I want to know whether our mobile and IMAP/POP users need to accept a request for the new certificate after I renew the certificate on Exchange Server 2007.

Thanks.
Thomas
0
Comment
Question by:DT1640759
7 Comments
 
LVL 9

Accepted Solution

by:
tsaico earned 167 total points
ID: 38749730
No, generally they will automatically pick it up as long as the name doesn't change (remote.mailserver.com). Though be sure you go through the whole process and an IIS reset so that the new certificate is being posted everywhere. I have seen a small number that forget to assign everything, and you get things like the internal clients still seeing the expired SSL, or ActiveSync works but OWA doesn't present the right SSL.
0
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 38749733
Not sure if I am tracking with you on this..  When your users connect, the systems should check for an expired cert..  The only time when the users need to download/install a cert is really a manual process and not every day.  Please correct me if I am wrong.

HTH,

Kent
0
 
LVL 8

Assisted Solution

by:piyushranusri
piyushranusri earned 167 total points
ID: 38749953
It will prompt users on phones to check the new certificate.
They will get two options: install and cancel.

You have to share the certificate with users to install on their phones.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 166 total points
ID: 38752879
If you renew with a commercial signed certificate with the same name, then there will be prompt, as the certificate is trusted.
If you renew with a self-signed certificate using Exchange commands, then clients may get prompts or may even fail completely. The Exchange self-signed certificate is not supported for use with ActiveSync and Outlook Anywhere.

Simon.
0
 

Author Comment

by:DT1640759
ID: 38753679
Dear All,

Thanks for your comments. I have renewed the certificate of Exchange Server 2007 today. All Outlook, Mac OS X (Outlook for Mac and Mac Mail), OWA, Windows Phone, Android and iPhone / iPad clients could receive emails after I renewed the certificate. However, only some iPhones and iPads prompted on screen and requested to trust a new certificate. I have listed all steps below for your reference:

Example:
Domain : smallbizco.net
Certificate : self signed certificate using Exchange commands
CAS Role server : hkexhub
Existing Service : POP, IMAP, IIS and SMTP

Steps
1. On the Exchange 2007 CAS server, open 'Exchange Management Shell' and run the 'Get-ExchangeCertificate' command to list all certificates (picture renew01.jpg).

2. Run the 'New-ExchangeCertificate' command below (picture renew02.jpg).

New-ExchangeCertificate -domainname exchange.smallbizco.net, autodiscover.smallbizco.net, smallbizco.net, hkexhub, hkexhub.smallbizco.net -Friendlyname HKexhub -generaterequest:$true -keysize 2048 -path c:\certrequest_hkexhub.txt -privatekeyexportable:$true -subjectname "c=HK, s=, l=Hong Kong, o=Smallbizco.net, ou=IT, cn=hkexhub"

3. Once I had generated a CSR file, I used it to generate the new certificate from our company CA (Microsoft CA server).

4. Run the Import-ExchangeCertificate command below (picture renew03.jpg). Make sure to specify the path to the certificate file and remove any services that you will not be using.

Import-ExchangeCertificate -path c:\certnew.p7b | Enable-ExchangeCertificate -Services IMAP, POP, IIS, SMTP

5. After renewing the certificate, I checked all mail clients in our company. All mail clients were okay except iPhone / iPad (Microsoft Exchange ActiveSync). The results are listed below:

- Microsoft Outlook : OK
- OWA (picture renew04.jpg) : OK
- POP3 / IMAP4 clients : OK
- Mac Mail client on Mac OS X Lion / Mountain Lion : OK
- MS Outlook for Mac 2011: OK
- Windows Phone 7 / 8 : OK
- Android Mobile 2.X / 4.X : OK
- iPhone 4 / 4S / 5, iPad 2 / iPad Mini : All devices except iPhone 4. Prompt out certificate problem on screen (picture renew05.jpg). I needed to check continue to confirm.

I also submitted a Microsoft incident support call : [REG:1120521171XXXXXX]
The Microsoft engineer's reply is below:

If we just renew the old certificate, it should be transparent for the end user (as the root cert isn’t changed, and most client-side cert issues are because the root cert cannot be trusted).

Hope the above information can help other people.

Thomas
renew01.jpg
renew02.jpg
renew03.jpg
renew04.jpg
renew05.jpg
0
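Added example, not part of the original thread: a post-renewal check for the problem tsaico describes (a service still presenting the old certificate) and for the trust point in the Microsoft reply. It connects to each implicit-TLS port and reports which certificate is actually served. The host name is the one from the post; the port list and the thumbprint placeholder are assumptions, and SMTP (STARTTLS on port 25) is not covered.

```powershell
# Added example: report the certificate each TLS port actually presents after renewal.
$server   = 'exchange.smallbizco.net'     # host name from the post's example
$ports    = @{ 443 = 'IIS (OWA/ActiveSync)'; 993 = 'IMAPS'; 995 = 'POP3S' }  # assumed standard ports
$expected = '<NEW-CERT-THUMBPRINT>'       # placeholder: thumbprint shown by Get-ExchangeCertificate

function Get-PresentedCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate here: the connection only reads it for inspection.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

foreach ($port in ($ports.Keys | Sort-Object)) {
    try {
        $cert  = Get-PresentedCertificate $server $port
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip CRL lookups so the result reflects trust in the issuing CA only.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
        $sanText = ''
        if ($san) { $sanText = $san.Format($false) }
        New-Object PSObject -Property @{
            Port         = $port
            Service      = $ports[$port]
            IsNewCert    = ($cert.Thumbprint -eq $expected)   # False: service still on the old cert
            NotAfter     = $cert.NotAfter
            ChainTrusted = $chain.Build($cert)                # trust as seen by THIS machine only
            NameInSAN    = ($sanText -like "*$server*")
            Issuer       = $cert.Issuer
        }
    } catch {
        Write-Warning "Port ${port}: $($_.Exception.Message)"
    }
}
```

ChainTrusted reflects the trust store of the machine running the script, so a domain-joined PC that already trusts the company CA can report True while a device without that root still prompts.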
 
LVL 8

Expert Comment

by:piyushranusri
ID: 38753701
Awesome, friend...
You prepared one document on that issue... I will suggest you please upload it to your Article and knowledge base.
0
 

Author Comment

by:DT1640759
ID: 38754510
Hi Piyushranusri,

I have uploaded this issue to my Article. Hope it can help other Exchange professionals.

Thanks
Thomas
0

Question has a verified solution.