SBS 2011 leaf certificate expiring

Dear experts,

I have SBS 2011 with the error "leaf certificate expiring". When I view the cert properties, our certificate will expire in a few days.

I tried to run the "Fix my network" wizard; it said it repaired it, but when I restart the server there is the same old expiring cert.

There are many mobile device users as well.

Any suggestions?

Jaroslav Latal (MSP) Asked:

WORKS2011 (Austin Tech Company) Commented:
Do you mean a self-signed cert?
Jaroslav Latal (MSP) Author Commented:
Sorry, forgot to mention. Yes, self-signed cert.

WORKS2011 (Austin Tech Company) Commented:
Run the following commands from PowerShell (in bold). Basically, you're locating the cert currently used by its thumbprint and replacing it with the new cert.

Get-ExchangeCertificate -domain "domainname" | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
CertificateDomains : {computername, computername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=computername
NotAfter           : 2/16/2011 11:34:03 PM
NotBefore          : 2/16/2010 11:34:03 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 444FEF2E6F75B8864B86866DE2792FC2
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=computername
Thumbprint         : 2FB28F5075EFE9B30A8F8458DED0A19628D71F52

[PS] C:\Windows\System32>Get-ExchangeCertificate -thumbprint "2FB28F5075EFE9B30A
8F8458DED0A19628D71F52" | New-ExchangeCertificate

Overwrite existing default SMTP certificate,
'2FB28F5075EFE9B30A8F8458DED0A19628D71F52' (expires 2/16/2011 11:34:03 PM),
with certificate 'FB5AECA6B39816F02B3245BD1D95394A573E1F02' (expires 2/22/2012
8:29:16 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Thumbprint                                Services   Subject
----------                                --------   -------
FB5AECA6B39816F02B3245BD1D95394A573E1F02  .....      CN=computername

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F
02B3245BD1D95394A573E1F02" -services IIS
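
A read-only way to see which thumbprint is actually in use before renewing, when Get-ExchangeCertificate returns several entries. This is an added example, not part of the original post; `$warnDays` is an assumed value, and the `netsh` parsing assumes English-language output.

```powershell
# Added example (read-only): run in an elevated Exchange Management Shell.
# It lists certificates and TLS bindings; it changes nothing.
$warnDays = 30            # assumed warning window, adjust as needed
$now      = Get-Date

# Thumbprints that HTTP.sys (and therefore IIS) currently serves.
# 'netsh http show sslcert' prints one "Certificate Hash : <hex>" line per binding.
$bound = netsh http show sslcert |
    Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() }

# One row per Exchange certificate, soonest expiry first.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, NotAfter,
        @{ n = 'DaysLeft';   e = { [int]($_.NotAfter - $now).TotalDays } },
        @{ n = 'Services';   e = { "$($_.Services)" } },
        @{ n = 'BoundInIIS'; e = { $bound -contains $_.Thumbprint } },
        @{ n = 'Expiring';   e = { $_.NotAfter -lt $now.AddDays($warnDays) } } |
    Format-Table -AutoSize
```

A row with services assigned and `BoundInIIS` set to True is a certificate clients are being served; rows showing `None` under Services are not assigned to any Exchange service.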

Jaroslav Latal (MSP) Author Commented:
Hello, I simply changed the cert bound in IIS.


WORKS2011 (Austin Tech Company) Commented:
I have SBS 2011 with the error "leaf certificate expiring". When I view the cert properties, our certificate will expire in a few days.

When it expires for good, run my commands to fix it, and hopefully with your next problem people will take the time to help you.
Jaroslav Latal (MSP) Author Commented:
Solution in my post. I did not try WORKS2011's solution.
When I am running the command Get-ExchangeCertificate -domain "domainname" | fl, I have several entries expiring on the same day. How do I know which one to select? Or do I need to repeat for each thumbprint? Thanks
tauro2 (Company Director) Commented:
How did he change the binding in IIS?
I ran the fix my network wizard and selected new self signed cert and when I open OWA and RWW and view the cert it is the new cert that expires in November 2017.
I still get the warnings about the Leaf Certificate expiring.
The cert is present in the certification authority store.
So I am not sure if I don't need to do any more or if there is some other action that needs to be done?