Exchange 2007 Self-Signed Certificate

This will probably never come up in my ventures as the Administrator here at my job, but it has come up with one of our customers. They do not have a Certificate Authority (CA) and do not pay for an outside certificate. They also use Exchange 2007. I’m not privy to all the ins and outs of their network, but they’re a standard small business with 4 or 5 servers. And it’s been 53 weeks since they installed Exchange 2007.

Why is 53 a number you should scoff at? Every 52 weeks (365 days, 12 months, 1 year, 1/10th of a decade…) you have to resign the self-signed certificate that Exchange gives itself. Why do I even need a certificate, you ask. The certificate is required for all TLS communication. Anything that’s even remotely secured uses TLS. Outlook uses TLS. If the certificate is invalid or non-existent, Outlook will refuse to send and receive emails from your Exchange server. Not good. I’m not sure why their server lasted 53 weeks and not 52, but maybe the guy got it wrong (he’s fairly technical though).

Here’s a quick and easy way of renewing your certificate:
1.) On your Exchange 2007 server, open up the Exchange Management Shell
2.) Type “get-exchangecertificate” and hit enter. This will show all installed certificates.
Type “get-exchangecertificate | fl *” to show everything about the installed certificates.
Type “get-exchangecertificate | fl services, thumbprint” to show only the services with the thumbprint for each certificate.
3.) Type “get-exchangecertificate -thumbprint thumbprint_of_cert | new-exchangecertificate
4.) Type “enable-exchangecertificate -thumbprint thumbprint_of_new_cert -services “IMAP,POP,SMTP,IIS”
5.) Test the services
6.) Remove the old certificate. Type “remove-exchangecertificate – thumbprint thumbprint_of_old_cert

You’ll have to do this every year if you use the self-signed certs. If you use a CA, the issued certificate will last anywhere from 1 to 5 years. You can also use your internal CA to issue new signed-certificates. You can use the standard website template, and then use the Exchange Management Shell to add the services to the new certificate (enable-exchangecertificate -thumbprint thumbprint -services “imap,pop,smtp”. You can leave out IIS since it *should* already be there.

**** EDIT ****

New-ExchangeCertificate -SubjectName "DC=domain, DC=com, CN=server.domain.com" -DomainName server.domain.com,mail.domain.com -IncludeAcceptedDomains -IncludeAutoDiscover -Services "SMTP" -PrivateKeyExportable $true
This updates the certificate to cover all domains used by Exchange. You can also specify other domains like mail.domain, webmail.domain etc.

Get-ExchangeCertificate
Get-ExchangeCertificate | FL
These allow you to find the thumbprint of the certificate you created.

Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services SMTP,IMAP,POP,IIS
This will turn on the services for your thumbprinted certificate. Obviously you can choose which services to allow.

Export-ExchangeCertificate -Thumbprint THUMBPRINT -BinaryEncoded:$true -Path C:\SSCert.pfx -Password:(Get-Credential).password
This exports your personal certificate PFX file with the password you choose at the prompt. This can then be pushed out to users to trust this file. Check for root certificate installations for other details.

OR, if you have your own Certificate Authority:

New-ExchangeCertificate -GenerateRequest -SubjectName "o=My, o=Site, cn=MyServer.MyDomain.com" -IncludeAcceptedDomains
-Path c:\MyServer.MyDomain.com.req

Open this file using notepad or the like, and copy the information between the start and end of the certificate.
Now log into your Certificate Authority
http://CAServer/certsrv
Click Request a certificate
Submit an advanced certificate request
Submit a certifcate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Paste the certificate information from earlier
Change the Certificate Template to Web Server
Click submit

You should now have a certificate issued. You’ll probably want to download it – so select Base64 encoded and download the certificate. I always choose to download the full path AND the general cert.

Copy your newly issued/downloaded certificate to your Exchange server.
Import-ExchangeCertificate -Path c:\2009mycert.cer | Enable-ExchangeCertificate -Services SMTP,POP,IMAP,IIS

If you already have a certificate that’s the default one on Exchange, you’ll notice that the SMTP and IIS settings DO NOT STAY.
You’ll have to:
Enable-ExchangeCertificate -Thumbprint MYTHUMBPRINT -Services SMTP,IIS
Exchange will ask if you want to overwrite the current certificate with Y for yes.
You’re done!

One thought on “Exchange 2007 Self-Signed Certificate”

  1. Thanks for information. Friends reccommended to visit you. It’s very interesting. Subscribed! Want to read your blog more and more!

Leave a Reply

Your email address will not be published. Required fields are marked *