Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 164
  • Last Modified:

How to renewl exchange 2007 SSL cert?

This is using a MS Exchange 2007 server. The SSL issued by GeoTrust was found expired. I have generated the request file (CSR) by using new-exchangecertificate. Now I get the certificate (cer) from GeoTrust. After that, I ran the following command:

   import-exchangeCertificate -path c:\geotrust.cer | enable-exchangecertificate -services smtp

Now, when I ran the "get-exchangecertificate", I get the results as follows:


Thumbprint                                Services   Subject                  
----------                                --------   -------                  
202EF4798C28281D988F30D8E2E92AAE42CDC5E8  ...W.      CN=*.abc.com.sg...
3B59D8CBDCB03AF7118B77EFF3B639DAFFEC7A27  ....S      CN=VMISINXCH001          
6E6412458D74DB8FEBE80AA593143CA6CC90DD6B  IP...      CN=exchange.com.sg...
722A41089031A922F2CC234055997BF7165493A3  .....      CN=abc Asia, DC=so...

Thumbprint of "202EF..." is the new exchange cert, while "6E64..." is the existing but expired exchange cert. Even I ran
"Enable-exchangeCertificate -thumbprint 202E... -services imap,pop,iis, I can't bind (or move) the services to the now exchange cert, why? Do I have to remove the 606E exchange cert as the "IP" services would still bind with it?

Appreciate for your help.

Thanks,
0
MichaelBalack
Asked:
MichaelBalack
2 Solutions
 
becraigCommented:
Run
emove-ExchangeCertificate -Thumbprint 6E6412458D74DB8FEBE80AA593143CA6CC90DD6B

Then try binding the new cert again just to be safe.  

You should also run iisreset /noforce to ensure the new cert is picked up.
0
 
MichaelBalackAuthor Commented:
Hi Becraig,

Thank fir the fast reply. I will do it next morning.

Thanks,
0
 
RantCanSr. Systems AdministratorCommented:
Do you have the intermediate certs installed on the server?

You should not have to remove the certificate; you should simply be able to bind the services you need to the cert.

Syntax according to technet could be:

Enable-exchangecertificate –services IIS, UM, SMTP –thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
becraigCommented:
While Rant is somewhat correct, I have indicated the need to reset IIS to pick up the new cert.

I provided the remove-cert command as there is no value in keeping expired certificates around to confuse the issue.
0
 
MASTechnical Department HeadCommented:
Agree with becraig.
1. Just create new CSR.
Please use this for easy CSR creation.
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
2. Install the certificate and enable the services on the certificate
by the above command. You will get the thumbprint by the command "Get-Exchangecertificate"
3. Remove the expired certificate. you will see the expired certificate using command.
Get-Exchangecertificate | fl NotAfter, Notbefore, thumprint

Open in new window

Remove certificate using command
remove-ExchangeCertificate -Thumbprint "2342342342334234"

Open in new window

0
 
MichaelBalackAuthor Commented:
Thank both experts. Certificate renewal completed successfully.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now