Solved

Renew certificate for Exchange Server 2007

Posted on 2013-01-06
7
1,038 Views
Last Modified: 2013-01-08
Hi All,

I will renew the certificate for our Exchange Server 2007. I want to know that do our mobile  and IMAP/POP users need to accept a request for new certificate after I renew the new certificate on Exchange Server 2007?

Thanks.
Thomas
0
Comment
Question by:DT1640759
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 9

Accepted Solution

by:
tsaico earned 167 total points
ID: 38749730
No generally, they will automatically pick it up as long as the name doesn't change. (remote.mailserver.com)  Though be sure you go through the whole process and IIS reset so that the new certificate is being posted everywhere.  I have seen small number that forget to assign everything, and you get things like the internal clients still see the expired ssl, or the active sync works but the OWA doesn't present the right SSL.
0
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 38749733
Not sure if I am tracking with you on this..  When your users connect, the systems should check for an expired cert..  The only time when the users need to download/install a cert is really a manual process and not every day.  Please correct me if I am wrong.

HTH,

Kent
0
 
LVL 8

Assisted Solution

by:piyushranusri
piyushranusri earned 167 total points
ID: 38749953
it will prompt user on phones to check the new certificate.
they will get two option..install and cancel

you have to share the certificate with user to install on their phones
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 166 total points
ID: 38752879
If you renew with a commercial signed certificate with the same name, then there will be prompt, as the certificate is trusted.
If you rewew with a self signed certificate using Exchange commands, then clients may get prompts or may even fail completely. The Exchange self signed certificate is not supported for use with ActiveSync and Outlook Anywhere.

Simon.
0
 

Author Comment

by:DT1640759
ID: 38753679
Dear All,

Thanks for your comment. I have renewed the certificate of Exchange Server 2007 today. All Outlook, Mac OS X (Outlook for Mac and Mac Mail), OWA, Windows Phone, Andriod and iPhone / iPad could received emails after renewed the certificate. However, only some iPhones and iPads prompted out on screen and requested to trust a new certificate. I listed out all steps below for your reference:

Example:
Domain : smallbizco.net
Certificate : self signed certificate using Exchange commands
CAS Role server : hkexhub
Existing Service : POP, IMAP, IIS and SMTP

Steps
1. On Exchange 2007 CAS server, open 'Exchange Management Shell' and run the 'Get-ExchangeCertificate' command to list all certificate (picture renew01.jpg).

2. Run the 'New-ExchangeCertificate' command below (picture renew02.jpg).

New-ExchangeCertificate -domainname exchange.smallbizco.net, autodiscover.smallbizco.net, smallbizco.net, hkexhub, hkexhub.smallbizco.net -Friendlyname HKexhub -generaterequest:$true -keysize 2048 -path c:\certrequest_hkexhub.txt -privatekeyexportable:$true -subjectname "c=HK, s=, l=Hong Kong, o=Smallbizco.net, ou=IT, cn=hkexhub"

3. Once I have generated a CSR file. I use it to generate the new certificate from our company CA (Microsoft CA server).

4. Run the Import-ExchangeCertificate command below (picture renew03.jpg). Make sure to specify the path to the certificate file and remove any services that you will not be using.

Import-ExchangeCertificate -path c:\certnew.p7b | Enable-ExchangeCertificate -Services IMAP, POP, IIS, SMTP

5. After renewed the certificate, I checked all mail clients in our company. All mail clients were okay except iPhone / iPad (Microsoft Exchange ActiveSync). Checking results were listed below:

- Microsoft Outlook : OK
- OWA (picture renew04.jpg) : OK
- POP3 / IMAP4 clients : OK
- Mac Mail client on Mac OS X Lion / Mountain Lion : OK
- MS Outlook for Mac 2011: OK
- Windows Phone 7 / 8 : OK
- Andriod Mobile 2.X / 4.X : OK
- iPhone 4 / 4S / 5, iPad 2 / iPad Mini : All devices except iPhone 4. Prompt out certificate problem on screen (picture renew05.jpg). I needed to check continue to confirm.

I also submitted a Microsoft incident support call : [REG:1120521171XXXXXX]
Microsoft's engineer reply as below:

If we just renew the old certificate, it should be transparent for the end user (as root cert isn’t change, and most client side cert issue is because the root cert cannot be trusted).

Hope the above information can help the other people.

Thomas
renew01.jpg
renew02.jpg
renew03.jpg
renew04.jpg
renew05.jpg
0
 
LVL 8

Expert Comment

by:piyushranusri
ID: 38753701
awesome friend...
you prepare one document on that issue...i will suggest you to please upload it to your Article and knowledge base.
0
 

Author Comment

by:DT1640759
ID: 38754510
Hi Piyushranusri,

I have upload this issue to my Article. Hope it can help the other Exchange professional.

Thanks
Thomas
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question