Exchange 2010 and Exchange 2007 Setup creates a self-signed certificate for the server to protect communication with services like SMTP, IMAP, POP, IIS and UM. In Exchange 2007, the certificate is issued for a period of one year. In Exchange 2010, the certificate validity period is raised to five years.
The self-signed certificate meets an important need – securing communication paths for Exchange services by default. This is a great development – it ensures that data will not be transferred in the clear by default and all communication is encrypted.
Nevertheless, one should treat these certificates as temporary. Although self-signed certificates work perfectly well for internal SMTP communication between Hub Transport servers, and between Hub Transport and Edge Transport servers, it's not recommended to use them for any client communication on an ongoing basis. For most deployments, you will end up purchasing a certificate from a trusted 3rd-party CA (or perhaps from an internal CA in organizations with PKI deployed).
Self-signed certificates are great for securing communication by default and handy for test environments. For client communication in production environments, it’s recommended to use certificates signed by a trusted CA.
Should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these will need to be renewed when they expire — just as you would renew certificates from 3rd-party or in-house CAs.
To renew the certificate for server e12postcard.e12labs.com (a server with the CAS and HT roles installed), first list its certificates:
Get-ExchangeCertificate -domain "e12postcard.e12labs.com" | fl
Note the services the certificate is enabled for (by default POP, IMAP, IIS and SMTP on servers with the CAS and HT roles), and copy the certificate's thumbprint.
Get a new certificate with a new expiration date:
Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate
If you want to be able to export the new certificate together with its private key later, add the -PrivateKeyExportable parameter to New-ExchangeCertificate:
Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate -PrivateKeyExportable $true
If the existing certificate is being used as the default SMTP certificate, you will get the following prompt. The default SMTP certificate is used to encrypt SMTP sessions between transport servers in your organization.
Confirm
Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):
Type y to continue. A new certificate is generated.
Thumbprint                                 Services  Subject
----------                                 --------  -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   .....     CN=E12Postcard
The new certificate is generated and enabled. Examine it:
Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl
The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – IIS is missing.
You can enable the certificate for IIS (in addition to any other services it may already be enabled for — it adds to existing values of the certificate’s Services property).
Note: Once you enable a certificate for a particular Exchange Server service, there's no way to disable it for that service. You must remove the certificate (if the certificate is CA-issued, export it along with its private key before you do so), import it again and enable it for the services you need. This is generally not a concern with self-signed certificates: you can generate additional self-signed certificates and optionally remove the old one, since there's no CA interaction or cost involved.
Setting the Services parameter to None does not do anything in this case.
To enable the certificate for IIS:
Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS
Test that the services work with the new certificate. If everything works as expected, you can remove the old certificate using the EMC or the Remove-ExchangeCertificate cmdlet from the Shell:
Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
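The whole procedure above carried through as one script, an added example that is not code from the original post. It assumes it runs in the Exchange Management Shell on the server that holds the certificate; the host name, the 30-day renewal window and the Get-ServiceNames helper are my own assumptions.

```powershell
# Added example, not from the original post: renew an expiring self-signed Exchange
# 2007/2010 certificate and carry the old service bindings (including IIS, which the
# piped New-ExchangeCertificate drops) over to the new one. Assumes the Exchange
# Management Shell; host name, window and helper name are assumptions.
param(
    [string]$Fqdn = "e12postcard.e12labs.com",  # host name used in the post
    [int]$RenewWithinDays = 30,                  # renew if it expires within this many days
    [switch]$RemoveOld                           # remove the old certificate only after testing
)

function Get-ServiceNames($cert) {
    # Turn the Services flags ("IMAP, POP, IIS, SMTP") into a list of names.
    $cert.Services.ToString().Split(",") | ForEach-Object { $_.Trim() }
}

$cutoff = (Get-Date).AddDays($RenewWithinDays)
$expiring = Get-ExchangeCertificate -DomainName $Fqdn | Where-Object {
    $_.IsSelfSigned -and $_.NotAfter -le $cutoff -and $_.Services.ToString() -ne "None"
}

foreach ($old in $expiring) {
    $oldServices = @(Get-ServiceNames $old)
    Write-Host ("Renewing {0} (expires {1}), enabled for: {2}" -f $old.Thumbprint, $old.NotAfter, $old.Services)

    # Step 1: clone subject and domains into a new self-signed certificate. If the old
    # certificate is the default SMTP certificate, Exchange asks before overwriting it.
    $new = $old | New-ExchangeCertificate -PrivateKeyExportable $true
    $new = Get-ExchangeCertificate -Thumbprint $new.Thumbprint   # re-read to see its Services
    $newServices = @(Get-ServiceNames $new)

    # Step 2: enabling a service is additive and cannot be undone, so enable only what
    # the old certificate had and the new one lacks (typically just IIS).
    $missing = @($oldServices | Where-Object { $newServices -notcontains $_ })
    if ($missing.Count -gt 0) {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services ([string]::Join(", ", [string[]]$missing))
    }

    # Step 3: verify the new certificate covers everything before touching the old one.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    $have = @(Get-ServiceNames $check)
    $gap = @($oldServices | Where-Object { $have -notcontains $_ })
    if ($gap.Count -gt 0) {
        Write-Warning ("{0} is still not enabled for: {1}" -f $check.Thumbprint, [string]::Join(", ", [string[]]$gap))
        continue
    }
    Write-Host ("{0} expires {1}, enabled for: {2}" -f $check.Thumbprint, $check.NotAfter, $check.Services)
    if ($RemoveOld) { Remove-ExchangeCertificate -Thumbprint $old.Thumbprint }
}
```

Run it without -RemoveOld first and test OWA, Outlook and mail flow against the new certificate; removing the old certificate afterwards is the Remove-ExchangeCertificate step from the post.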
Hi,
Thanks for the great outline!
Is this the same on an edge server or do you have to resubscribe for that?
Do you know if you can renew a CA cert through IIS or do you have to use the new-exchangecertificate cmd?
Thanks again!!
Thank you for the article. While playing with self-signed certificates I ran into the following problem. It happens for all new certificates. Any idea why it happens and how it can be resolved?
----------------------------------------
>>> New-ExchangeCertificate -GenerateRequest -domainname mydomain.com -privatekeyexportable:$true -path c:\cert_myserver.txt
Thumbprint                                 Services  Subject
----------                                 --------  -------
433157A3B9C8C874591A5B35CF91719ADC61B427   .....     CN=mydomain.com
>>> Enable-ExchangeCertificate -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services "IIS"
Enable-ExchangeCertificate : The certificate with thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 was not found.
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services "IIS"
Do you see the certificate when you use the Get-ExchangeCertificate command?
Sorry Bharat, just got back from vacation.
Yes, the strange thing is that I see it using the Get-ExchangeCertificate command, but it doesn't let me enable it!
Any idea what might be wrong?
I have a question concerning renewing the certificate from an outside authority. Let’s say this certificate was from Entrust and you wanted to renew it. Would the correct command be Get-ExchangeCertificate -thumbprint “C5DD5B60949267AD624618D8492C4C5281FDD10F” | New-ExchangeCertificate -GenerateRequest -privatekeyexportable $true -Path c:\certificates\cerreq.req to renew?
Hello…I was just wondering if my last comment was correct as I have to renew my certificate soon. Thanks for the help!
Hello,
I followed the above instructions and I’m not sure this worked correctly. After running Enable-ExchangeCertificate -thumbprint “…” -Services IIS
If I run Get-ExchangeCertificate, it shows my new certificate as being enabled ONLY for IIS… I’ve tried running Enable-ExchangeCertificate -services SMTP (POP, IMAP) with no luck. Email still works, but I’m not sure how to check if Exchange is still using my old certificate.
Please let me know how to check if I am using the new certificate, as well as how to revert so I can try your instructions again.
Thanks!
Hi,
Thank you, this is a superb article. I have a problem: our Exchange server does not have a domain name and it works on an IP address. E.g. we access MS Outlook using http://123.456.789.123/owa and Outlook Anywhere uses this IP. Can you please advise me on how to create the certificate for the local domain, i.e. exchange.domain.local, and the IP address.
Thanks & Regards,
Sudhish
Hi –
I have imported our new certificate and would like to enable it for "SMTP, IMAP, IIS, POP".
When I go to enable I get a big WARNING that I will not be able to use my TLS connectors??
[PS] C:\Documents and Settings\oscar.meyer>
Enable-ExchangeCertificate -ThumbPrint [XXXXX-THUMBPRINT-XXXXXX] -Services "SMTP, IMAP, POP, IIS"
WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with
thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence. The
following connectors match that FQDN: Default MAIL1, Client
MAIL1.
Confirm
Overwrite existing default SMTP certificate,
'AAA-THUMBPRINT-AAAAAAA' (expires 1/01/2XXX 2:23:15 PM),
with certificate 'XXXXX-THUMBPRINT-XXXXXX' (expires 2/XX/2XXX
12:34:13 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):
I did not complete the command – the whole purpose of the CERT is for our TLS connectors to external clients – Do I just have to re-create my connectors once I have enabled the CERT?
Please advise.
Thanks.
-Johnny
Great Article Thank you so much
Luke
Thank you. Worked a treat. Had been scratching my head over this one!
http://paulhale.com
http://twitter.com/paulhale
I have followed steps 1 and 2 and renewed the certificate, but forgot step 3 to remove the expired certificate. Now the issue remains the same: our Outlook clients are still receiving the same security certificate message. Is it because I did not delete the expired certificate?
Thanks.
Thanks a lot guys. Tried the solution posted above and it worked fine for our Exchange 2007 server.
Thanks heaps this worked and now I don't get those event logs anymore relating to invalid Certificates
Hi Bharat,
Maybe you could help me. I have my certificate configured as you described here. My users are having this error: offlineaddressbookdata cannot be found, the URL cannot be found, 0x8004010f.
Using the Out of Office Assistant they get the error "server is not available".
thanks
Bharat,
Thanks for the post. I renewed my cert a month ago, forgot to add IIS. Rebooted this weekend and no webmail. Your post got me back up fast.
Thank you,
Mark
You saved my life – champion.
Excuse me for being such a novice, but what program are you using to do this? Tiny Get? It appears that a couple of pieces of this are missing. Will anybody please let me know how to accomplish this?
Thank you
These commands are all run from the Exchange Management Shell, aka, Powertoys with the Exchange Extensions….
Can anyone guide me on how to reinstall the default Exchange certificate after the third-party certificate expires, because I don't want to purchase more.
Hi,
can anyone guide me how to install default exchange certificate after expiry of third party certificate because i don't want to purchase more.
thanks,
John..
Is your problem solved? I am facing the same problem too. Please let me know what you did to solve it.
Thanks for this article. Worked a treat!
Worked Perfectly… !! Thnx Mate!
Thanks for a great write up
for anybody that needs instructions:
click on Start and type Exchange Management Shell in the Search field above Start then click on it…
Followed the instructions, was very easy, thanks. However, now my users are getting "The security certificate was issued by a company you have not chosen to trust…". Is there a way to remotely add that certificate to users' trusted area?
Thanks!
Thanks a lot.
Now I know why I cannot use -services none to disable the certificate.
Thanks mate. You have very good knowledge.
Keep it up.
Dear Bharat,
I performed the steps you described. With MMC I exported the certificate, and I imported the certificate on my ISA server Local computer, personal and trusted.
I changed the OWA rule in the ISA server for the listener to the correct valid certificate.
Now my users still get the message “Error Code: 500 Internal Server Error. The received certificate has expired. (-2146893016) ”
When I watch the certificate at the ISA server it’s valid.
But I didn't perform the deletion of the invalid certificates as you described under step number 3.
Could this be the problem for my users?
Are services assigned to the new certificate? If so, the old certificate shouldn’t be used, even if installed.
Regardless, you can remove old/expired certificates.
This seemed to screw up SBS 2008. I don't think you are meant to use this procedure for SBS. If you do, OWA will fail and you have to reset various things which were a real pain to find, and then you get an Outlook certificate name error which is just as big a pain to fix.
For SBS the advice is to use the ‘Fix my network’ wizard I think.
Worked like a charm, thanks!
Can someone please tell me the roll back plan if this all goes wrong?
thanks
Thanks for the post. I still haven’t figured out how to extend the self-signed cert for more than one year, so you don’t have to repeat the process every year.
Can someone shed some light on how to accomplish that? TIA
For Certification Authority-signed certificates, you can specify when requesting from the CA. For self-issued certificates, the one year certificate validity period is hard-coded in Exchange 2007. In Exchange 2010, self-signed certificates are valid for 5 years.
Very good article, saved lots of time. Thanks
worked fine for me (SBS 2008)
thanks
THANK YOU!
This really saved my skin…