
Monday, January 28, 2008

 

Exchange Server 2007: Renewing the self-signed certificate

Posted by Bharat Suneja at 7:42 AM
Exchange Server 2007 issues itself a self-signed certificate for use with services like SMTP, IMAP, POP, IIS and UM. The certificate is issued for a period of one year.

The self-signed certificate meets an important need - securing communication for Exchange services by default. Nevertheless, one should treat these self-signed certificates as temporary. It's not recommended to use these for any client communication on an ongoing basis. For most deployments, you will end up procuring a certificate from a trusted 3rd-party CA (or perhaps an internal CA in organizations with PKI deployed).

However, should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these need to be renewed - just as you would renew certificates from 3rd-party or in-house CAs.

1. To renew the certificate for server e12postcard.e12labs.com, a server with CAS and HT roles installed:

Get-ExchangeCertificate -domain "e12postcard.e12labs.com" | fl

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.

Get a new certificate with a new expiration date:

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

If the existing certificate is being used for SMTP, you will get the following prompt:

Confirm
Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

Type y to continue. A new certificate is generated.


Thumbprint   Services   Subject
----------   --------   -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   .....   CN=E12Postcard

The new certificate is generated and enabled. Examine the new certificate:

Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl

2. The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP - IIS is missing.

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS

This enables the certificate for IIS (in addition to any other services it may already be enabled for - it adds to existing values of the services property).

3. Test that services are working with the new certificate. If everything works as expected, the old certificate can be removed:

Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
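The three steps above, put together as one Exchange Management Shell script. This is an added example, not code from the original post: it carries the old certificate's Services value across to the renewed copy so IIS is not dropped, and only removes the old certificate after confirming the new one is bound to the same services. The $Fqdn and $RenewWithinDays parameters are my own; the cmdlets and the IsSelfSigned, Services, NotAfter and Thumbprint properties are the standard Exchange 2007 ones.

```powershell
# Added example (not from the original post): renew a self-signed Exchange 2007
# certificate and re-bind the old certificate's services to the new one.
# Assumes the Exchange Management Shell. $Fqdn and $RenewWithinDays are assumed names.
param(
    [string]$Fqdn = "e12postcard.e12labs.com",   # server FQDN used in the post
    [int]$RenewWithinDays = 30                    # renew only when this close to expiry
)

# Pick the self-signed certificate for this name that is closest to expiry.
$old = Get-ExchangeCertificate -DomainName $Fqdn |
    Where-Object { $_.IsSelfSigned } |
    Sort-Object NotAfter |
    Select-Object -First 1
if (-not $old) { throw "No self-signed certificate found for $Fqdn" }

$daysLeft = ($old.NotAfter - (Get-Date)).Days
if ($daysLeft -gt $RenewWithinDays) {
    Write-Host "Certificate $($old.Thumbprint) has $daysLeft days left; nothing to do."
    return
}

# Remember the services the old certificate is enabled for (a flags value such
# as IMAP, POP, IIS, SMTP). Step 1's renewed copy comes back without IIS.
$services = $old.Services

# Step 1: clone the certificate with a fresh validity period. If the old one is
# the default SMTP certificate, the same confirmation prompt shown in the post appears.
$new = $old | New-ExchangeCertificate

# Step 2: re-enable exactly the services the old certificate had. Enable-ExchangeCertificate
# adds to the existing Services value, so this restores IIS alongside POP/IMAP/SMTP.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services

# Step 3: verify the binding before removing the old certificate.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if (($check.Services -band $services) -ne $services) {
    throw "New certificate $($new.Thumbprint) is missing services; old certificate kept."
}
Write-Host "New certificate $($new.Thumbprint) expires $($check.NotAfter); removing $($old.Thumbprint)."
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
```

The service check only confirms the bindings; client-side tests (OWA, Outlook Anywhere, POP/IMAP logons) are still worth running before the Remove-ExchangeCertificate step.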

Related posts:
- Outlook Anywhere and Exchange's Self-Signed Certificate
- Which name should I use as Common Name for my UC certificate?
- DigiCert: A Certificate Authority with excellent customer service


4 Comments:

February 7, 2008 5:43 AM
Blogger Paul said...

Hi,

Thanks for the great outline!

Is this the same on an edge server or do you have to resubscribe for that?

Do you know if you can renew a CA cert through IIS or do you have to use the new-exchangecertificate cmd?

Thanks again!!

 
March 6, 2008 6:25 PM
Blogger Hyper said...

Thank you for the article. While playing with self-signed certificates I ran into the following problem. It happens for all new certificates. Any idea why it happens and how it can be resolved?
- - - - - - - - - - - - - - - - - -

>>> New-ExchangeCertificate -GenerateRequest -domainname mydomaain.com -privatekeyexportable:$true -path c:\cert_myserver.txt

Thumbprint Services Subject
---------- -------- -------
433157A3B9C8C874591A5B35CF91719ADC61B427 ..... CN=mydomain.com

>>> Enable-ExchangeCertificate -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services "IIS"

Enable-ExchangeCertificate : The certificate with thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 was not found.
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services "IIS"

 
March 7, 2008 11:36 AM
Blogger Bharat Suneja said...

Do you see the certificate when you use the Get-ExchangeCertificate command?

 
March 27, 2008 3:39 PM
Blogger Hyper said...

Sorry Bharat, just got back from vacation.

Yes, strange thing is - I see it using the Get-ExchangeCertificate command, but it doesn't let me enable it!

Any idea what might be wrong?

 
