Solved

Renew certificate for Exchange Server 2007

Posted on 2013-01-06
7
1,025 Views
Last Modified: 2013-01-08
Hi All,

I will renew the certificate for our Exchange Server 2007. I want to know that do our mobile  and IMAP/POP users need to accept a request for new certificate after I renew the new certificate on Exchange Server 2007?

Thanks.
Thomas
0
Comment
Question by:DT1640759
7 Comments
 
LVL 9

Accepted Solution

by:
tsaico earned 167 total points
ID: 38749730
No generally, they will automatically pick it up as long as the name doesn't change. (remote.mailserver.com)  Though be sure you go through the whole process and IIS reset so that the new certificate is being posted everywhere.  I have seen small number that forget to assign everything, and you get things like the internal clients still see the expired ssl, or the active sync works but the OWA doesn't present the right SSL.
0
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 38749733
Not sure if I am tracking with you on this..  When your users connect, the systems should check for an expired cert..  The only time when the users need to download/install a cert is really a manual process and not every day.  Please correct me if I am wrong.

HTH,

Kent
0
 
LVL 8

Assisted Solution

by:piyushranusri
piyushranusri earned 167 total points
ID: 38749953
it will prompt user on phones to check the new certificate.
they will get two option..install and cancel

you have to share the certificate with user to install on their phones
0
Can’t get the mobile email signature right?

Not having any luck when trying to create an email signature for mobile devices? Does the formatting keep messing up? Make sure you have great email signatures on all devices by using Exclaimer Cloud - Signatures for Office 365.

 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 166 total points
ID: 38752879
If you renew with a commercial signed certificate with the same name, then there will be prompt, as the certificate is trusted.
If you rewew with a self signed certificate using Exchange commands, then clients may get prompts or may even fail completely. The Exchange self signed certificate is not supported for use with ActiveSync and Outlook Anywhere.

Simon.
0
 

Author Comment

by:DT1640759
ID: 38753679
Dear All,

Thanks for your comment. I have renewed the certificate of Exchange Server 2007 today. All Outlook, Mac OS X (Outlook for Mac and Mac Mail), OWA, Windows Phone, Andriod and iPhone / iPad could received emails after renewed the certificate. However, only some iPhones and iPads prompted out on screen and requested to trust a new certificate. I listed out all steps below for your reference:

Example:
Domain : smallbizco.net
Certificate : self signed certificate using Exchange commands
CAS Role server : hkexhub
Existing Service : POP, IMAP, IIS and SMTP

Steps
1. On Exchange 2007 CAS server, open 'Exchange Management Shell' and run the 'Get-ExchangeCertificate' command to list all certificate (picture renew01.jpg).

2. Run the 'New-ExchangeCertificate' command below (picture renew02.jpg).

New-ExchangeCertificate -domainname exchange.smallbizco.net, autodiscover.smallbizco.net, smallbizco.net, hkexhub, hkexhub.smallbizco.net -Friendlyname HKexhub -generaterequest:$true -keysize 2048 -path c:\certrequest_hkexhub.txt -privatekeyexportable:$true -subjectname "c=HK, s=, l=Hong Kong, o=Smallbizco.net, ou=IT, cn=hkexhub"

3. Once I have generated a CSR file. I use it to generate the new certificate from our company CA (Microsoft CA server).

4. Run the Import-ExchangeCertificate command below (picture renew03.jpg). Make sure to specify the path to the certificate file and remove any services that you will not be using.

Import-ExchangeCertificate -path c:\certnew.p7b | Enable-ExchangeCertificate -Services IMAP, POP, IIS, SMTP

5. After renewed the certificate, I checked all mail clients in our company. All mail clients were okay except iPhone / iPad (Microsoft Exchange ActiveSync). Checking results were listed below:

- Microsoft Outlook : OK
- OWA (picture renew04.jpg) : OK
- POP3 / IMAP4 clients : OK
- Mac Mail client on Mac OS X Lion / Mountain Lion : OK
- MS Outlook for Mac 2011: OK
- Windows Phone 7 / 8 : OK
- Andriod Mobile 2.X / 4.X : OK
- iPhone 4 / 4S / 5, iPad 2 / iPad Mini : All devices except iPhone 4. Prompt out certificate problem on screen (picture renew05.jpg). I needed to check continue to confirm.

I also submitted a Microsoft incident support call : [REG:1120521171XXXXXX]
Microsoft's engineer reply as below:

If we just renew the old certificate, it should be transparent for the end user (as root cert isn’t change, and most client side cert issue is because the root cert cannot be trusted).

Hope the above information can help the other people.

Thomas
renew01.jpg
renew02.jpg
renew03.jpg
renew04.jpg
renew05.jpg
0
 
LVL 8

Expert Comment

by:piyushranusri
ID: 38753701
awesome friend...
you prepare one document on that issue...i will suggest you to please upload it to your Article and knowledge base.
0
 

Author Comment

by:DT1640759
ID: 38754510
Hi Piyushranusri,

I have upload this issue to my Article. Hope it can help the other Exchange professional.

Thanks
Thomas
0

Featured Post

Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now