Solved

Renew certificate for Exchange Server 2007

Posted on 2013-01-06
1,028 Views
Last Modified: 2013-01-08
Hi All,

I will renew the certificate for our Exchange Server 2007. I want to know whether our mobile and IMAP/POP users will need to accept a request for the new certificate after I renew the certificate on Exchange Server 2007.

Thanks.
Thomas
Question by:DT1640759
7 Comments
 
LVL 9

Accepted Solution

by:
tsaico earned 167 total points
ID: 38749730
No, generally they will automatically pick it up as long as the name doesn't change (remote.mailserver.com). Though be sure you go through the whole process and do an IIS reset so that the new certificate is being presented everywhere. I have seen a small number that forget to assign everything, and you get things like the internal clients still seeing the expired SSL, or ActiveSync works but OWA doesn't present the right SSL.
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 38749733
Not sure if I am tracking with you on this. When your users connect, the systems should check for an expired cert. The only time the users need to download/install a cert is really a manual process, and not every day. Please correct me if I am wrong.

HTH,

Kent
 
LVL 8

Assisted Solution

by:piyushranusri
piyushranusri earned 167 total points
ID: 38749953
It will prompt users on their phones to check the new certificate.
They will get two options: install and cancel.

You have to share the certificate with users so they can install it on their phones.
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 166 total points
ID: 38752879
If you renew with a commercially signed certificate with the same name, then there will be a prompt, as the certificate is trusted.
If you renew with a self-signed certificate using Exchange commands, then clients may get prompts or may even fail completely. The Exchange self-signed certificate is not supported for use with ActiveSync and Outlook Anywhere.

Simon.
 

Author Comment

by:DT1640759
ID: 38753679
Dear All,

Thanks for your comments. I renewed the certificate of Exchange Server 2007 today. All Outlook, Mac OS X (Outlook for Mac and Mac Mail), OWA, Windows Phone, Android and iPhone / iPad clients could receive email after the certificate was renewed. However, only some iPhones and iPads prompted on screen and requested to trust a new certificate. I have listed all the steps below for your reference:

Example:
Domain : smallbizco.net
Certificate : self signed certificate using Exchange commands
CAS Role server : hkexhub
Existing Service : POP, IMAP, IIS and SMTP

Steps
1. On the Exchange 2007 CAS server, open 'Exchange Management Shell' and run the 'Get-ExchangeCertificate' command to list all certificates (picture renew01.jpg).

2. Run the 'New-ExchangeCertificate' command below (picture renew02.jpg).

New-ExchangeCertificate -domainname exchange.smallbizco.net, autodiscover.smallbizco.net, smallbizco.net, hkexhub, hkexhub.smallbizco.net -Friendlyname HKexhub -generaterequest:$true -keysize 2048 -path c:\certrequest_hkexhub.txt -privatekeyexportable:$true -subjectname "c=HK, s=, l=Hong Kong, o=Smallbizco.net, ou=IT, cn=hkexhub"

3. Once I had generated a CSR file, I used it to generate the new certificate from our company CA (Microsoft CA server).

4. Run the Import-ExchangeCertificate command below (picture renew03.jpg). Make sure to specify the path to the certificate file and remove any services that you will not be using.

Import-ExchangeCertificate -path c:\certnew.p7b | Enable-ExchangeCertificate -Services IMAP, POP, IIS, SMTP

5. After renewing the certificate, I checked all mail clients in our company. All mail clients were okay except iPhone / iPad (Microsoft Exchange ActiveSync). The checking results are listed below:

- Microsoft Outlook : OK
- OWA (picture renew04.jpg) : OK
- POP3 / IMAP4 clients : OK
- Mac Mail client on Mac OS X Lion / Mountain Lion : OK
- MS Outlook for Mac 2011: OK
- Windows Phone 7 / 8 : OK
- Android Mobile 2.X / 4.X : OK
- iPhone 4 / 4S / 5, iPad 2 / iPad Mini : All devices except the iPhone 4 showed a certificate problem prompt on screen (picture renew05.jpg). I needed to tap Continue to confirm.

I also submitted a Microsoft incident support call : [REG:1120521171XXXXXX]
Microsoft's engineer replied as below:

If we just renew the old certificate, it should be transparent for the end user (as the root cert isn't changed, and most client-side cert issues are because the root cert cannot be trusted).

Hope the above information can help the other people.

Thomas
renew01.jpg
renew02.jpg
renew03.jpg
renew04.jpg
renew05.jpg
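Putting tsaico's advice (assign every service, then iisreset) and the renewal steps in the post above into a check, as an added example that is not part of the original thread: the PowerShell below opens a TLS session to each implicit-TLS listener on the CAS, compares the certificate the server actually presents with the thumbprint Get-ExchangeCertificate reports for the renewed certificate, builds the chain against the local machine's trust store (the same test a domain-joined client performs) and confirms the name clients connect to is covered by the CN or a Subject Alternative Name. The host name and thumbprint are placeholders, not values from the thread.

```powershell
# Added example, not from the original post: a post-renewal check that each
# TLS endpoint on the CAS presents the renewed certificate, that the chain is
# trusted by this machine, and that the name clients connect to is covered.
# Assumptions (placeholders, not values from the thread): $CasHost and $ExpectedThumb.
$CasHost       = 'exchange.smallbizco.net'                        # assumed: the name mobile/IMAP/POP clients use
$ExpectedThumb = 'PASTE-THUMBPRINT-FROM-GET-EXCHANGECERTIFICATE'  # assumed: thumbprint of the renewed cert

# Implicit-TLS listeners to test. SMTP (25/587) uses STARTTLS and is not covered here.
$Endpoints = @(
    @{ Service = 'IIS (OWA / ActiveSync / Outlook Anywhere)'; Port = 443 },
    @{ Service = 'IMAP4 over SSL';                             Port = 993 },
    @{ Service = 'POP3 over SSL';                              Port = 995 }
)

# Open a TLS session and return the certificate the server actually sent.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented here; trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $cert
    } finally {
        $client.Close()
    }
}

# Build the chain with this machine's trust store (the same check a domain-joined client makes).
function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    return @{ Trusted = $trusted; Status = $status }
}

# Does the certificate cover the host name (CN or Subject Alternative Name)?
function Test-NameCovered {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $cn  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    $sanText = if ($san) { $san.Format($false) } else { '' }
    return ($cn -ieq $HostName) -or ($sanText -imatch ('(^|\W)' + [regex]::Escape($HostName) + '(\W|$)'))
}

$wanted  = $ExpectedThumb.Replace(' ', '').ToUpper()
$results = foreach ($ep in $Endpoints) {
    try {
        $cert  = Get-RemoteCertificate -HostName $CasHost -Port $ep.Port
        $chain = Test-CertificateChain -Cert $cert
        New-Object PSObject -Property @{
            Service       = $ep.Service
            Port          = $ep.Port
            Thumbprint    = $cert.Thumbprint
            IsRenewedCert = ($cert.Thumbprint -eq $wanted)   # $false = service not re-enabled, or iisreset still pending
            NameCovered   = (Test-NameCovered -Cert $cert -HostName $CasHost)
            DaysLeft      = ($cert.NotAfter - (Get-Date)).Days
            ChainTrusted  = $chain.Trusted                   # $false = clients will prompt, or fail outright
            ChainStatus   = $chain.Status
        }
    } catch {
        Write-Warning ("{0} on port {1}: {2}" -f $ep.Service, $ep.Port, $_.Exception.Message)
    }
}
$results | Format-Table Service, Port, IsRenewedCert, NameCovered, ChainTrusted, DaysLeft, ChainStatus -AutoSize
```

Get the thumbprint to paste in from the CAS with Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter; the Services column there shows what Enable-ExchangeCertificate assigned, while the script shows what the listeners really serve after the iisreset. A row with IsRenewedCert false means that service is still handing out the old certificate; ChainTrusted false on a machine that trusts the issuing CA is the case Simon describes, where clients prompt or fail because the chain does not end in a trusted root. The script only reads; it changes nothing on the server.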
 
LVL 8

Expert Comment

by:piyushranusri
ID: 38753701
Awesome, friend.
You have prepared a document on that issue; I suggest you upload it to your Articles and knowledge base.
 

Author Comment

by:DT1640759
ID: 38754510
Hi Piyushranusri,

I have uploaded this issue to my Articles. I hope it can help other Exchange professionals.

Thanks
Thomas