This will probably never come up in my ventures as the Administrator here at my job, but it has come up with one of our customers. They do not have a Certificate Authority (CA) and do not pay for an outside certificate. They also use Exchange 2007. I’m not privy to all the ins and outs of their network, but they’re a standard small business with 4 or 5 servers. And it’s been 53 weeks since they installed Exchange 2007.<\/p>\n
Why is 53 a number you should scoff at? Every 52 weeks (365 days, 12 months, 1 year, 1\/10th of a decade…) you have to resign the self-signed certificate that Exchange gives itself. Why do I even need a certificate, you ask. The certificate is required for all TLS communication. Anything that’s even remotely secured uses TLS. Outlook uses TLS. If the certificate is invalid or non-existent, Outlook will refuse to send and receive emails from your Exchange server. Not good. I’m not sure why their server lasted 53 weeks and not 52, but maybe the guy got it wrong (he’s fairly technical though).<\/p>\n
Here’s a quick and easy way of renewing your certificate:
\n1.) On your Exchange 2007 server, open up the Exchange Management Shell
\n2.) Type “get-exchangecertificate” and hit enter. This will show all installed certificates.
\nType “get-exchangecertificate | fl *” to show everything about the installed certificates.
\nType “get-exchangecertificate | fl services, thumbprint” to show only the services with the thumbprint for each certificate.
\n3.) Type “get-exchangecertificate -thumbprint thumbprint_of_cert | new-exchangecertificate
\n4.) Type “enable-exchangecertificate -thumbprint thumbprint_of_new_cert -services “IMAP,POP,SMTP,IIS”
\n5.) Test the services
\n6.) Remove the old certificate. Type “remove-exchangecertificate – thumbprint thumbprint_of_old_cert<\/p>\n
You’ll have to do this every year if you use the self-signed certs. If you use a CA, the issued certificate will last anywhere from 1 to 5 years. You can also use your internal CA to issue new signed-certificates. You can use the standard website template, and then use the Exchange Management Shell to add the services to the new certificate (enable-exchangecertificate -thumbprint thumbprint -services “imap,pop,smtp”. You can leave out IIS since it *should* already be there.<\/p>\n
**** EDIT ****<\/p>\n
OR, if you have your own Certificate Authority:<\/p>\n \n You should now have a certificate issued. You’ll probably want to download it – so select Base64 encoded and download the certificate. I always choose to download the full path AND the general cert.<\/p>\n Copy your newly issued\/downloaded certificate to your Exchange server. If you already have a certificate that’s the default one on Exchange, you’ll notice that the SMTP and IIS settings DO NOT STAY. This will probably never come up in my ventures as the Administrator here at my job, but it has come up with one of our customers. They do not have a Certificate Authority (CA) and do not pay for an outside certificate. They also use Exchange 2007. I’m not privy to all the ins and … Continue reading Exchange 2007 Self-Signed Certificate<\/span> New-ExchangeCertificate -SubjectName \"DC=domain, DC=com, CN=server.domain.com\" -DomainName server.domain.com,mail.domain.com -IncludeAcceptedDomains -IncludeAutoDiscover -Services \"SMTP\" -PrivateKeyExportable $true<\/code>
\nThis updates the certificate to cover all domains used by Exchange. You can also specify other domains like mail.domain, webmail.domain etc.<\/p>\nGet-ExchangeCertificate<\/code>
\nGet-ExchangeCertificate | FL<\/code>
\nThese allow you to find the thumbprint of the certificate you created.<\/p>\nEnable-ExchangeCertificate -Thumbprint THUMBPRINT -Services SMTP,IMAP,POP,IIS<\/code>
\nThis will turn on the services for your thumbprinted certificate. Obviously you can choose which services to allow.<\/p>\nExport-ExchangeCertificate -Thumbprint THUMBPRINT -BinaryEncoded:$true -Path C:\\SSCert.pfx -Password:(Get-Credential).password<\/code>
\nThis exports your personal certificate PFX file with the password you choose at the prompt. This can then be pushed out to users to trust this file. Check for root certificate installations for other details.<\/p>\nNew-ExchangeCertificate -GenerateRequest -SubjectName \"o=My, o=Site, cn=MyServer.MyDomain.com\" -IncludeAcceptedDomains
\n-Path c:\\MyServer.MyDomain.com.req<\/code>
\nOpen this file using notepad or the like, and copy the information between the start and end of the certificate.
\nNow log into your Certificate Authority
\nhttp:\/\/CAServer\/certsrv
\nClick Request a certificate
\nSubmit an advanced certificate request
\nSubmit a certifcate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
\nPaste the certificate information from earlier
\nChange the Certificate Template to Web Server
\nClick submit<\/p><\/blockquote>\n
\nImport-ExchangeCertificate -Path c:\\2009mycert.cer | Enable-ExchangeCertificate -Services SMTP,POP,IMAP,IIS<\/code><\/p>\n
\nYou’ll have to:
\nEnable-ExchangeCertificate -Thumbprint MYTHUMBPRINT -Services SMTP,IIS<\/code>
\nExchange will ask if you want to overwrite the current certificate with Y for yes.
\nYou’re done!<\/p>\n","protected":false},"excerpt":{"rendered":"