Outlook / Exchange 2010 / SBS 2011 email certificate questions

I haven't dealt much with SBS Exchange / certificates.  

This network is getting this popup recently. Clicking on details, I see the certificate expired a couple weeks ago - I think that's when the users started getting the error message.

Realistically, what is the argument for paying the money to get a new certificate vs. removing the old one (any tips on how to do that?)?

This is a location that is not concerned about security - everyone in the office knows everyone else's passwords / they don't change their passwords, they are really frugal.  

How do I explain why they need / should spend the money for a new certificate (and who do you like getting them from?) or what's the downside of just removing the expired cert?

Veerappan Sundaram (Senior Technical Consultant) commented:
Need more details.

  • Attach a screenshot of the expired certificate (if allowed).
  • If not, who is the certificate signer: an internal CA or a public CA? (CA = Certificate Authority)
  • What is the impact of this expired certificate?
  • How do you know this certificate is from the Exchange server?

MAS (EE Solution Guide - Technical Dept Head) commented:
Hi BeGentleWithMe-INeedHelp,
Please check this article for the command to create a new CSR. Run it in the Exchange Management Shell.

Follow this to complete the pending request.

Use this to configure URLs and assign services.

Test everything. If everything works fine, delete the old expired certificate using the command below:
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You can get each certificate's issuer, expiry date and thumbprint with this command:
Get-ExchangeCertificate | Format-List Issuer, NotAfter, Thumbprint

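The sequence MAS outlines (create a CSR, complete the pending request, assign services, verify, then remove the expired certificate) written out end to end for Exchange 2010, as an added example for this thread rather than MAS's own commands or the articles he links. It runs in the Exchange Management Shell on the server. The host names, organisation name, file paths and the choice of services are assumptions; replace them with the names your users and phones are actually given.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Exchange 2010 / SBS 2011 server. Every host name, the O= value
# and the C:\certs paths below are assumptions - edit them first.

$server     = $env:COMPUTERNAME
$publicName = 'remote.example.com'                        # assumed external name
$caNames    = @($publicName, 'autodiscover.example.com')  # public CAs only sign public names
$selfNames  = $caNames + @($server, "$server.example.local")  # internal names only on a self-signed cert

# 1. Inventory: what is installed, what it is bound to, and when it expires.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, NotAfter, Services, IsSelfSigned, CertificateDomains -AutoSize
$expired = @(Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt (Get-Date) })

# 2a. Public CA route: create the CSR and send the .req file to the CA ...
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$publicName, O=Example Ltd, C=GB" `
    -DomainName $caNames -KeySize 2048 -PrivateKeyExportable $true `
    -FriendlyName "Exchange $publicName $(Get-Date -Format yyyy-MM)"
Set-Content -Path 'C:\certs\exchange.req' -Value $csr
#     ... and when the signed certificate comes back, complete the pending request.
$new = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0))

# 2b. Self-signed route (what the poster went with): one command and no CA,
#     but every client that is not a domain member must be told to trust it by hand.
# $new = New-ExchangeCertificate -SubjectName "CN=$publicName" -DomainName $selfNames `
#            -PrivateKeyExportable $true -FriendlyName "Exchange self-signed $(Get-Date -Format yyyy-MM)"

# 3. Bind the new certificate to the services that present it.
#    -Force skips the "overwrite the default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP' -Force

# 4. Point the client-facing URLs at a name that is on the certificate; a name
#    mismatch produces the same kind of warning as an expired certificate.
$base = "https://$publicName"
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-OwaVirtualDirectory         -Identity "$server\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$server\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"

# 5. Verify before deleting anything: the new thumbprint should now carry the services.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Subject, CertificateDomains, NotAfter, Services, IsSelfSigned

# 6. Only now remove the expired certificate(s). The new one must already be
#    bound, otherwise the services the old one served are left with no certificate.
foreach ($old in $expired) {
    if ($old.Thumbprint -ne $new.Thumbprint) {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    }
}
```

Use either 2a or 2b, not both. On SBS 2011 the SBS console keeps its own view of the certificate, so after step 3 re-run the console's "Add a trusted certificate" wizard and choose the certificate already on the server, which is the step the poster reports made the console agree. Test Outlook and OWA from a client between steps 5 and 6 rather than after; step 6 is the one that cannot be undone.
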
Andy M (IT Systems Manager) commented:
If the Exchange certificate has expired, users may start having issues accessing email on devices (granted, in Outlook you can just ignore the warning, but some mobile phones, for example, won't connect without a valid certificate).

You won't be able to remove the old certificate without first setting up a new one (either via a self-signed certificate, which needs to be manually installed onto the user machines for it to be accepted, or one purchased from a certificate authority such as GoDaddy). Most third-party certificate authorities have instructions on how to acquire and set up a certificate on Exchange purchased from them.

I've dealt with clients like this before who don't really care about security (well, until they get a ransomware infection and nearly lose everything). Usually they just get so sick of the pop-up message that they'll pay for the certificate just to stop it, but if they do access email on mobiles, inform them that email may stop working there without a certificate.
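Andy's point is that the warning is a trust decision made by the client, so the useful check is to look at the certificate the way a phone does. The following is an added example, not part of the thread: run it in Windows PowerShell 3 or later on a machine that is not a domain member (a home laptop, or the box you test phones from), because a domain member may already trust the SBS/self-signed certificate through group policy and will not show what an outside device sees. The host names passed to it are assumptions; use the names Outlook Anywhere, OWA, ActiveSync and Autodiscover are configured with.

```powershell
# Added example, not from the original thread. Connects to each host name over
# TLS, captures the certificate Exchange presents and reports the three things
# a client checks before it trusts it: not expired, name matches, issuer trusted
# on THIS machine. Host names in the usage line are assumptions.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory = $true)] [string[]] $HostName,
        [int] $Port = 443
    )
    foreach ($h in $HostName) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($h, $Port)
            # Accept anything during the handshake; the verdict is computed below.
            $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
            $ssl.AuthenticateAsClient($h)

            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only asking "is the issuer trusted here?"
            $trusted = $chain.Build($cert)
            $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

            # Names the certificate is valid for: the subject/DNS name plus every SAN entry.
            $names = @($cert.GetNameInfo('DnsName', $false))
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) {
                $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1].Trim() })
            }
            $nameOk = $false
            foreach ($n in $names) {
                if ($n -eq $h) { $nameOk = $true }
                elseif ($n.StartsWith('*.') -and $h -like $n) { $nameOk = $true }   # wildcard cert
            }

            [pscustomobject]@{
                Host         = $h
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SelfSigned   = ($cert.Subject -eq $cert.Issuer)
                NotAfter     = $cert.NotAfter
                DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
                NameMatches  = $nameOk
                ChainTrusted = $trusted
                ChainStatus  = $status               # e.g. UntrustedRoot for a self-signed cert
                Protocol     = $ssl.SslProtocol      # the session is encrypted regardless of trust
                Cipher       = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                # A phone or Outlook warns (or refuses) unless all three hold.
                Clean        = ($nameOk -and $trusted -and $cert.NotAfter -gt (Get-Date))
            }
        }
        catch {
            # DNS not resolving or port closed shows up here, before any certificate question.
            [pscustomobject]@{ Host = $h; Error = $_.Exception.Message }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }
    }
}

# Usage: test every name the clients are handed (these two are assumed names).
Test-ExchangeCertificate -HostName 'remote.example.com', 'autodiscover.example.com' | Format-List
```

Three outcomes map onto the thread: an expired certificate gives a negative DaysLeft with NameMatches and ChainTrusted still true; a freshly made self-signed certificate fixes DaysLeft but reports ChainTrusted false with UntrustedRoot from any machine that has not had it installed by hand, which is the phone case Andy describes; a public CA certificate with the right names comes back Clean. The Protocol and Cipher fields answer the later question about encryption: the TLS session is encrypted in all three cases, the certificate only decides whether the client trusts who it is talking to.
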

Pete Long (Technical Consultant) commented:
>Realistically, what is the argument for paying the money to get a new certificate vs. removing the old one ( any tips on how to do that)?

I just paid for a certificate for my test Exchange server and it cost me 5 pounds for the year, and that's just so I can do some testing. There's no excuse for self-signed certificates in Exchange anymore.

Plus your Exchange is out of support soon! Your next migration will be Exchange 2013 or Office 365; the latter is impossible with a self-signed certificate, and the former needs a good understanding of Exchange under the bonnet to run a self-signed cert.

BeGentleWithMe-INeedHelp (Author) commented:
Hmmmm. Looking in notes I have about the server, it says 'renew self signed cert on SBS server', back in March 2016. So it is self-signed. (Sorry, I should have taken a picture of the view cert page... and I thought I posted the first pic in the original post. Maybe it'll show up here.)

So if you don't mind dealing with a real novice:

So I'll make another self-signed cert.

MAS: Those are the steps for a new self-signed cert? I vaguely remember a GUI series of steps. But I guess PS is the latest / greatest? (Funny, going from DOS to Windows, the GUI was the latest / greatest years ago : ) You say test everything - my thinking is if they say 'the error went away', that's good / we're done ; ) ?

Not possible / no simple way to just bump out the expiration of this one?

Is there a way to make it run for longer than 2 years?

1 of 4 drives of their RAID array (RAID 6) was showing degraded in OMSA, and I was there replacing the drive when someone showed me the error message. A good example of how they want to limp things along (right?). What would you do / recommend for a server from 2011, out of warranty, old OS, with 1 failing hard drive - replace that 1 drive (and the others likely aren't far behind) or replace the server? I've already told them that the next server won't have Exchange / they need to move to O365. They are OK with that. They just want to put off that constant subscription payment if they can.

Pete - yes, I realize the cost of the cert isn't all that much. There's the labor for me to put it in also (when it's for a client, not your test server, you don't do it gratis, right? : ) Yeah, as a self-signed cert, no cost for that, just the labor. You also say there's no excuse for self-signed certificates in Exchange anymore. What WERE the excuses? Lower issuance cost? But back to the question - what does any cert really do for you? Then self-signed vs. CA-issued. As Andy mentions, a self-signed would need to be installed on the phones if used - certainly a nuisance. But beyond that? What does having a cert really do for things?

I'm just needing / wanting to be able to explain 'what are we getting for the money / why is the cert needed'

Andy - thanks for explaining it from the client view. Self-signed - OK for Outlook in the office. CA-issued if you are looking to check via phones? Which they aren't, so self-signed works in this case.

Again, me being ignorant - so once you start with a self-signed or CA cert, you can't get away from that? If you skip a self-signed cert when first setting it up, will things work? Or is making a self-signed cert or supplying a CA cert a requirement?

As a side note - a certificate for an https website vs. running just http - correct me if I am wrong:

Pretty much needed now to get past the warnings on websites that the site isn't secure.
And that substantiates to the user that they are on the Paypal.com website (although a sleazy company could get the domain pypal.com and get a cert to verify that you really are on pypal.com, for people that mistype and just see the lock).
AND the data between the user and the website are encrypted? Http is not?

Does the Exchange cert also encrypt the data? Again, for a company like this with lax security, they don't care about their email data on their LAN being encrypted or not.

Pete Long (Technical Consultant) commented:
>what WERE the excuses? lower issuance cost?

The first digital certificate I put on Exchange (2003 I think it was) cost nearly two thousand pounds! (for essentially a text file!)
People have a mind set of 'why pay for something I can generate myself' which is fair enough if it is as expensive as it used to be.

A certificate for 5 pounds will ensure all your remote devices will work without any intervention or errors, your external OWA and EWS works without errors (if your public DNS is right)

I will charge you 95 pounds an hour to come and set up a domain PKI environment, proper CRL and OCSP publishing, set up web certificate enrolment, create a web server template, or a self-signed wildcard (I can do that also). It will take me about 5-6 hours, so £575.00 for my time, then the support overhead of putting root certificates on external devices, possibly setting up SCEP for iPads etc. Or a fiver for a certificate that just works and you can import with a couple of PowerShell commands?

I know what I would choose. Just because something looks free does not mean it comes without a cost. Migrate all your servers to CentOS if you don't believe me ;)

Just my 0.02p

BeGentleWithMe-INeedHelp (Author) commented:
Oh, totally - pay me now or pay me later. I was telling them if they want to get O365 direct from Microsoft, they would have to deal with Microsoft for support.

I resell through Appriver.  It'll cost a little more but better service.

As for the certificate issue: I saw people say run the Fix My Network wizard. It said the cert was expired, then said it fixed it, but the expiration is still 3/24/18. Someone in an old thread suggested rebooting the server to have it update the date, but there was no reply after that about whether that solved it. Other people say 'Fix My Network' never renewed the cert for them.

I'll reboot the server tonight. Think that's all it needs to extend the expiration?

Pete Long (Technical Consultant) commented:
This is why I dislike SBS also :) It's been a while, but if you replace the cert in Exchange and then run the wizard, I think that will solve the problem...

BeGentleWithMe-INeedHelp (Author) commented:
Some more details:

MAS suggested I restart the Microsoft Exchange Transport service. It still showed the old cert in the SBS console.

Went into IIS Manager, under the server, Server Certificates, and deleted all the old expired certs.

Back in the SBS console, now it says no cert is bound to the IIS website.

Did some poking around, and found pages talking about exporting the cert into a file, then import it into 'add trusted cert wizard'

Running that wizard, I said I wanted to use a cert already on the server, chose that 1 that I made today and didn't need the exported file.

Things look good now.

I guess all this would be worth it if they were really using the server - phones, etc. But the way they use it - people come to work / wired desktops / they go home and do nothing else work related... this seems like a time suck. Although good experience for other situations, if I a) remember this and b) things don't change with a new OS : )

BeGentleWithMe-INeedHelp (Author) commented:
Did they get away from assisted answer? I can only choose best?