Solved

How to renewl exchange 2007 SSL cert?

Posted on 2014-10-22
6
153 Views
Last Modified: 2014-10-28
This is using a MS Exchange 2007 server. The SSL issued by GeoTrust was found expired. I have generated the request file (CSR) by using new-exchangecertificate. Now I get the certificate (cer) from GeoTrust. After that, I ran the following command:

   import-exchangeCertificate -path c:\geotrust.cer | enable-exchangecertificate -services smtp

Now, when I ran the "get-exchangecertificate", I get the results as follows:


Thumbprint                                Services   Subject                  
----------                                --------   -------                  
202EF4798C28281D988F30D8E2E92AAE42CDC5E8  ...W.      CN=*.abc.com.sg...
3B59D8CBDCB03AF7118B77EFF3B639DAFFEC7A27  ....S      CN=VMISINXCH001          
6E6412458D74DB8FEBE80AA593143CA6CC90DD6B  IP...      CN=exchange.com.sg...
722A41089031A922F2CC234055997BF7165493A3  .....      CN=abc Asia, DC=so...

Thumbprint of "202EF..." is the new exchange cert, while "6E64..." is the existing but expired exchange cert. Even I ran
"Enable-exchangeCertificate -thumbprint 202E... -services imap,pop,iis, I can't bind (or move) the services to the now exchange cert, why? Do I have to remove the 606E exchange cert as the "IP" services would still bind with it?

Appreciate for your help.

Thanks,
0
Comment
Question by:MichaelBalack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 29

Assisted Solution

by:becraig
becraig earned 200 total points
ID: 40397726
Run
emove-ExchangeCertificate -Thumbprint 6E6412458D74DB8FEBE80AA593143CA6CC90DD6B

Then try binding the new cert again just to be safe.  

You should also run iisreset /noforce to ensure the new cert is picked up.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 40397740
Hi Becraig,

Thank fir the fast reply. I will do it next morning.

Thanks,
0
 
LVL 9

Expert Comment

by:RantCan
ID: 40397746
Do you have the intermediate certs installed on the server?

You should not have to remove the certificate; you should simply be able to bind the services you need to the cert.

Syntax according to technet could be:

Enable-exchangecertificate –services IIS, UM, SMTP –thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 
LVL 29

Expert Comment

by:becraig
ID: 40397751
While Rant is somewhat correct, I have indicated the need to reset IIS to pick up the new cert.

I provided the remove-cert command as there is no value in keeping expired certificates around to confuse the issue.
0
 
LVL 26

Accepted Solution

by:
-MAS earned 300 total points
ID: 40398636
Agree with becraig.
1. Just create new CSR.
Please use this for easy CSR creation.
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
2. Install the certificate and enable the services on the certificate
by the above command. You will get the thumbprint by the command "Get-Exchangecertificate"
3. Remove the expired certificate. you will see the expired certificate using command.
Get-Exchangecertificate | fl NotAfter, Notbefore, thumprint

Open in new window

Remove certificate using command
remove-ExchangeCertificate -Thumbprint "2342342342334234"

Open in new window

0
 
LVL 1

Author Closing Comment

by:MichaelBalack
ID: 40407829
Thank both experts. Certificate renewal completed successfully.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question