SSL Certificates under SBS 2011 / Exchange 2010

I've picked up maintenance of a SBS2011 server which has Exchange 2010.   I have a few certificates that are about to expire (all the remote.<FQDN>.com ones.

Screen shot of certs in management console.
I tired to do a Get-exchangecertificate -thumbprint < > | new-exchangecertificate to replace it in powershell and that seemed to go fine.  But the new certificate showed the subject of the cert as remote.<FQDN>.com  and also issued by remote.<FQDN>.com  as well.   It also showed as self-signed, where the existing one does not and as being issued by <domain>-LS-SBS-CA (which is a self-signed certificate).

  The new cert when opened also showed as not trusted (I'm assuming because the issued by was incorrect).

What am I doing wrong when I generate this new certificate?

LVL 60
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Nathan HawkinsTechnical Lead - Network SecurityCommented:
You arent doing anything wrong. Whats trusted isnt the cert, its the CA that issues the cert. You can find the issuing CA in the details of the cert. Theres a few ways that you can "trust" a CA. The easiest is doing it manually for just your own browser with you computers certificate store, but that will only fix you. The more complicated way is to issue a group AD policy which adds the issuing CA as trusted. You can google both ways on how to do it. Its pretty well documented.

If you want a certificate issued by a certified authority which will not give you any warning to clients/users, you should buy one from GoDaddy, DigiCert, etc. Even if you issue a certify from your own CA which is not selfsigned, the users still will receive a warning, because your CA certifies is self signed and the warning will be that the CA cannot be verified :)
MikeIT ManagerCommented:
Comodo is also another good certified SSL vendor.  I've used them and GoDaddy in the past and have no complaints about either.

IMO using Self signed certs in a production Exchange environment is not the best option.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerAuthor Commented:
So if I didn't do anything wrong, then why do I end up with a self-signed certificate with the issue by and subject as the same?

Again, I'm looking to simply renew the existing certificates.  

I've send you a link with all steps to renew the certificate. That link helped me 2 month ago when I had to renew the certificate

Question: when will expire the CA certificate? It is valid at least one more year? if it is not, you should renew the CA certificate too, because you cannot provide a certificate for Exchange which have the validity longer than the validity of CA certificate
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerAuthor Commented:
I'll look through the link you posted.

The CA cert is set to expire in 2018.

The link helped me two month ago as I just said! It is very explicit and all the necessary steps are there. You cannot just right click and then press "renew certificate". The link is the right procedure ...

Best regards!
Nathan HawkinsTechnical Lead - Network SecurityCommented:
The best and easiest way is to install certificate services on a windows standalone server. Thne create the CSR using what ever way you want and submit that CSR to the Microsoft CA. So, what you did wrong was in the creation of your CSR. Create the CSR where the common name is the URL you want for the SSL cert, pretty much all of the other information is just that...informational. When creating the CSR set it to the byte length you want; pretty much whats standard these days is 1024 bytes, but 2048 isnt all that uncommon. When you go to purchase an SSL cert, thats where the byte length matters because the bigger one costs more... Dont ask me why... It doesnt "cost" the issuing CA anything more to issue the cert, but facts are facts and it costs more.

The place Ive gone to purchase certs is RapidSSL. Im not sure anyone else is more cost effective and still a trusted CA.
Jaroslav LatalMSPCommented:
Hi Jim,
Since it is SBS, you should use "Fix my network wizard" from SBS console.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerAuthor Commented:
While I certainly appreciate the advice that has been given, one again I will say that all I want to do for present is renew these certificates that are about to expire.

I realize that there are best practices that should be followed, like buying a 3rd party cert, but with just picking up this server, my intent is to do as little as possible at the moment in this area because I have so many other things going on.

Who ever originally setup this server did so with self-signed certs, and for the moment, that's what I'm looking to stick with.

 All I need to do is renew the existing certs.   Later on once the thing is cleaned up, I will address things that should have been done properly but were not.

 I did some research on my own this weekend and as Jarda said, it looks like the "Fix my network wizard" is the way to go.   I think however that's just a slick way of carrying out the manual steps in matrix8086's thread post.

What I've come to understand is that SBS2011 changed the way certs are handled from past versions (the remote.<domain>.com is now a leaf certificate), so what I've used in past and tried didn't give me the result needed.

Nathan HawkinsTechnical Lead - Network SecurityCommented:
Jim - As I stated previously. The easiest way is to setup certificate services on a windows standalone server and create the cert. You can create the CSR on the that same windows server with certificate services, if you cant do it some where else.

Windows server 2003:

Windows Server 2008 and 2012:

You will have your self signed cert in no time this way...
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerAuthor Commented:
So here's the drill:

1. "Fix My Network" took care of the one cert for exchange (4th one down in my initial screenshot).   Real easy.  Ran for a few minutes, generated a new cert, assigned the services and I was done with that.

2. I deleted #4, #5, and #6, in the screen shot in EMC after doing step 1 and then exporting a copy just to be safe.

3. That left the "sites" certificate, which was expired.  To resolve that, I:

a. Loaded the Certificates snap-in to MMC.
b. Drilled down to Personal>Certificates.
c. Right-clicked the expired certificate ("Sites").
d.  All Tasks>Advanced Operations>Request New Certificate with the Same Key.
e. Followed the prompts to duplicate the expired key.   In order to do this, I had to modify the permissions with certtmpl.msc adding Domain Controllers temporarily while I created the cert.
f. After successful certificate creation, deleted expired key.
g. Restarted IIS.
h. Went to EMC and assigned SMTP to the certificate. I did not overwrite the default SMTP certificate

Not sure if not overwriting was correct or not, but everything at this point seems to be working and functional.

NIce work! This "Fix my network" is available only in SBS 2011? How about Windows 2008 Server and 2012 Server?

Thank you in advance!

Best regards!
Jim Dettman (Microsoft MVP/ EE MVE)President / OwnerAuthor Commented:
"Fix My Network" is only available in SBS.

That's one of the things I've found with SBS and you see everywhere, which bears repeating (and I should have remembered), with SBS, you really want to use the wizards to get things done whenever you can.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.