Solved

How to renewl exchange 2007 SSL cert?

Posted on 2014-10-22
6
141 Views
Last Modified: 2014-10-28
This is using a MS Exchange 2007 server. The SSL issued by GeoTrust was found expired. I have generated the request file (CSR) by using new-exchangecertificate. Now I get the certificate (cer) from GeoTrust. After that, I ran the following command:

   import-exchangeCertificate -path c:\geotrust.cer | enable-exchangecertificate -services smtp

Now, when I ran the "get-exchangecertificate", I get the results as follows:


Thumbprint                                Services   Subject                  
----------                                --------   -------                  
202EF4798C28281D988F30D8E2E92AAE42CDC5E8  ...W.      CN=*.abc.com.sg...
3B59D8CBDCB03AF7118B77EFF3B639DAFFEC7A27  ....S      CN=VMISINXCH001          
6E6412458D74DB8FEBE80AA593143CA6CC90DD6B  IP...      CN=exchange.com.sg...
722A41089031A922F2CC234055997BF7165493A3  .....      CN=abc Asia, DC=so...

Thumbprint of "202EF..." is the new exchange cert, while "6E64..." is the existing but expired exchange cert. Even I ran
"Enable-exchangeCertificate -thumbprint 202E... -services imap,pop,iis, I can't bind (or move) the services to the now exchange cert, why? Do I have to remove the 606E exchange cert as the "IP" services would still bind with it?

Appreciate for your help.

Thanks,
0
Comment
Question by:MichaelBalack
6 Comments
 
LVL 28

Assisted Solution

by:becraig
becraig earned 200 total points
ID: 40397726
Run
emove-ExchangeCertificate -Thumbprint 6E6412458D74DB8FEBE80AA593143CA6CC90DD6B

Then try binding the new cert again just to be safe.  

You should also run iisreset /noforce to ensure the new cert is picked up.
0
 
LVL 1

Author Comment

by:MichaelBalack
ID: 40397740
Hi Becraig,

Thank fir the fast reply. I will do it next morning.

Thanks,
0
 
LVL 9

Expert Comment

by:RantCan
ID: 40397746
Do you have the intermediate certs installed on the server?

You should not have to remove the certificate; you should simply be able to bind the services you need to the cert.

Syntax according to technet could be:

Enable-exchangecertificate –services IIS, UM, SMTP –thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx
0
Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

 
LVL 28

Expert Comment

by:becraig
ID: 40397751
While Rant is somewhat correct, I have indicated the need to reset IIS to pick up the new cert.

I provided the remove-cert command as there is no value in keeping expired certificates around to confuse the issue.
0
 
LVL 24

Accepted Solution

by:
-MAS earned 300 total points
ID: 40398636
Agree with becraig.
1. Just create new CSR.
Please use this for easy CSR creation.
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
2. Install the certificate and enable the services on the certificate
by the above command. You will get the thumbprint by the command "Get-Exchangecertificate"
3. Remove the expired certificate. you will see the expired certificate using command.
Get-Exchangecertificate | fl NotAfter, Notbefore, thumprint

Open in new window

Remove certificate using command
remove-ExchangeCertificate -Thumbprint "2342342342334234"

Open in new window

0
 
LVL 1

Author Closing Comment

by:MichaelBalack
ID: 40407829
Thank both experts. Certificate renewal completed successfully.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Easy CSR creation in Exchange 2007,2010 and 2013
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now