Outlook Cert Warning
I noticed this past Friday that one of my servers had warnings (12017, 12018) saying the internal transport certificate will expire on Saturday. I ran New-ExchangeCertificate and all seemed well. This morning any users that have Outlook 2007 are seeing certificate warnings when they open Outlook. They can click through it, but obviously I need to fix it. I've seen a lot on TechNet and the forums about certificate issues and a lot of confusion, which is why I'm posting this. The servers are not exposed to the internet, so these certificates are for internal use only, which is why none were purchased. With that said, what needs to be done to clear these warnings on the client machines? Thanks
January 13th, 2010 5:01pm
You will need to go through the process of creating a new certificate and have it applied to your Exchange Services (Outlook anywhere, OWA, ActiveSync...)
Elie B.
MCITP: EMEA|EA|SA; MCTS: Microsoft Exchange Server 2010, Configuration;
Blog: http://blog.elieb.info
January 13th, 2010 7:15pm
Hi,
Did you use the self-signed certificate? You just ran the cmdlet New-ExchangeCertificate; were there any parameters with it? If you want to renew the certificate, you should run
Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate -Services SMTP,POP,IMAP
Otherwise, you will create a new self-signed certificate. For a self-signed certificate, you need to manually import the certificate to the client. Please run the cmdlet "Get-ExchangeCertificate" and post the results here.
Some information to share with you:
Certificate Use in Exchange Server 2007http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
Managing SSL for a Client Access Server
http://technet.microsoft.com/en-us/library/bb310795(EXCHG.80).aspx
Frank Wang
January 14th, 2010 12:40pm
Yes, the only thing I did was run New-ExchangeCertificate. I now know that it created a new one instead of renewing the existing (see below). Based on what you said, should I run this?
Get-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4 | New-ExchangeCertificate -Services IMAP, POP, IIS, SMTP
If that will clear up the Outlook client issue, what should I do with the new certificate it created? Just leave it alone?
[PS] C:\>Get-ExchangeCertificate
Thumbprint                                Services   Subject
----------                                --------   -------
C810E9AD90DC0180C23CA56EFE32934AB0F6E9BD  IP..S      CN=servername
4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4  IP.WS      CN=servername
[PS] C:\>Get-ExchangeCertificate | fl
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {servername, servername.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=servername
NotAfter           : 1/9/2011 10:00:14 AM
NotBefore          : 1/9/2010 10:00:14 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : F33A32106CC45FA8446D608B3E79F008
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=servername
Thumbprint         : C810E9AD90DC0180C23CA56EFE32934AB0F6E9BD

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {servername, servername.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=servername
NotAfter           : 1/9/2010 10:20:40 PM
NotBefore          : 1/9/2009 10:20:40 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 1CD4948FBC3032914DC4B04C86983DA8
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=servername
Thumbprint         : 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4
January 14th, 2010 4:27pm
Hi,
You should have run the cmdlet before last Saturday:
Get-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4 | New-ExchangeCertificate -Services IMAP, POP, IIS, SMTP
Then enable the certificate:
Enable-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4
But now the certificate is expired. You have to use the new certificate, export it and import it to the client computers one by one. Don't forget it next year.
Frank Wang
January 15th, 2010 6:06am
I did run the new certificate command. I'm a little confused now, though. Can't I just run the command I indicated and then enable it? With the information I posted, what is my next step? Which certificate should I use? If I need to export a certificate and import it on the clients, how is that done? Also, what about new clients after this is resolved? Will they be OK?
January 15th, 2010 4:28pm
I ran these:
Get-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4 | New-ExchangeCertificate -Services IMAP, POP, IIS, SMTP
Then enabled the certificate:
Enable-ExchangeCertificate 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4
After doing that, the original certificate still shows as invalid:
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {servername, servername.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=servername
NotAfter           : 1/9/2010 10:20:40 PM
NotBefore          : 1/9/2009 10:20:40 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 1CD4948FBC3032914DC4B04C86983DA8
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=servername
Thumbprint         : 4C631BB6DC84C84B5542D44C49BDFCA70A56A2C4
January 17th, 2010 9:12pm
Hi,
The self-signed certificate expires 12 months after Exchange 2007 is installed (the status is Invalid), and the Outlook 2007 clients see a certificate warning. Then you must create a new certificate: use the cmdlet New-ExchangeCertificate to create another self-signed certificate. For domain-joined Outlook 2007, you don't need to export the certificate and import it to the client computer. For non-domain-joined Outlook 2007, you need to export the certificate and import it to the client computer. Hope I can explain it more clearly.
More information:
Understanding the Self-Signed Certificate in Exchange 2007
http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
Frank Wang
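The renewal that the two replies above describe (clone the existing self-signed certificate before it expires, or create a replacement once it has, then bind the replacement to the same services and drop the old one), as an added example; this is not code from the thread or from Microsoft. It assumes the Exchange 2007 Management Shell with PowerShell 2.0 syntax; the function name, the 30-day threshold and the -RemoveOld switch are the example's own choices. It deliberately skips certificates that are not self-signed, because a CA-issued certificate is renewed through the CA, not cloned.

```powershell
# Added example (not from the thread). Exchange 2007 Management Shell, PowerShell 2.0 syntax.
# For every self-signed certificate Exchange has bound to a service that is expired or within
# $WarnDays of expiry: clone it (same Subject and CertificateDomains, fresh key and dates), bind the
# clone to exactly the services the old one had, and optionally remove the old one.

function Update-ExpiringSelfSignedExchangeCertificate {
    param(
        [int]$WarnDays = 30,    # assumed threshold; the 12017/12018 events in the thread fire shortly before expiry
        [switch]$RemoveOld      # only delete the replaced certificate when asked to
    )

    $now = Get-Date
    $candidates = Get-ExchangeCertificate |
        Where-Object { $_.IsSelfSigned -and $_.Services.ToString() -ne 'None' }

    foreach ($old in $candidates) {
        $daysLeft = [int]($old.NotAfter - $now).TotalDays
        if ($daysLeft -gt $WarnDays) {
            Write-Host ("{0}  {1,-22} valid until {2:d} ({3} days) - nothing to do" -f `
                $old.Thumbprint, $old.Services, $old.NotAfter, $daysLeft)
            continue
        }

        # Services is a flags enum; its string form ("IMAP, POP, IIS, SMTP") is accepted back by -Services.
        $services = $old.Services.ToString()
        Write-Host ("{0}  {1,-22} expires {2:d} ({3} days) - renewing" -f `
            $old.Thumbprint, $services, $old.NotAfter, $daysLeft)

        # Renewal is a clone: piping the existing certificate into New-ExchangeCertificate creates a new
        # self-signed certificate with the same Subject and CertificateDomains. Without the pipe,
        # New-ExchangeCertificate builds one from scratch (which is what the original poster did first).
        $new = $old | New-ExchangeCertificate

        # Bind the clone to the same services. Exchange may prompt before replacing the default SMTP
        # certificate; answer Y. IIS is the binding Outlook 2007 clients actually see over HTTPS.
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services

        if ($RemoveOld) {
            Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
        }

        # Return a record of what changed so the caller can log it or check it afterwards.
        New-Object PSObject -Property @{
            OldThumbprint = $old.Thumbprint
            NewThumbprint = $new.Thumbprint
            Services      = $services
            NewNotAfter   = $new.NotAfter
        }
    }
}

# Usage, from the Exchange Management Shell on the server:
#   Update-ExpiringSelfSignedExchangeCertificate               # renew anything within 30 days of expiry, keep old certs
#   Update-ExpiringSelfSignedExchangeCertificate -RemoveOld    # same, and delete the replaced certificates
```

Afterwards, Get-ExchangeCertificate | fl Thumbprint,Services,NotAfter,Status should show the new thumbprints on every service and no entry that is both Status : Invalid and still bound to a service. The clone keeps the old CN and SAN list, so domain-joined clients need nothing further; the only thing that changes for them is the thumbprint.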
January 19th, 2010 5:15am
The clients are part of the domain, and I did run the New-ExchangeCertificate command, and Exchange did create a new one. The issue is that when the users open Outlook they are getting certificate warnings. When I look at the details of the warnings, it still shows the old (now expired) certificate thumbprint. How can I either renew the thumbprint that expired or get the clients to look for the new one? That's the part I'm having trouble with. Thanks for all of your help.
January 19th, 2010 5:45am
Please run the cmdlet Enable-ExchangeCertificate -Thumbprint F33A32106CC45FA8446D608B3E79F008 -Services IIS and try again.
Frank Wang
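To see which certificate the clients are actually being shown (the symptom in the thread is that the Outlook warning still carries the old thumbprint) and to handle the non-domain-joined clients from the earlier reply, here is an added example; it is not code from the thread or from Microsoft. It uses plain Windows PowerShell 2.0 and .NET, no Exchange cmdlets, so it runs on a workstation as well as on the server. The host name servername.domain.com is taken from the CertificateDomains in the posted output; the function names are the example's own. Outlook 2007 reaches the Client Access server over HTTPS (Autodiscover, EWS, OAB), so the certificate served on port 443, the IIS binding, is the one whose thumbprint appears in the warning. One caveat the example is built around: Enable-ExchangeCertificate -Thumbprint and the check below both want the certificate's Thumbprint (C810E9AD90DC0180C23CA56EFE32934AB0F6E9BD for the new certificate in the posted output), which is a different value from its SerialNumber (F33A32106CC45FA8446D608B3E79F008).

```powershell
# Added example (not from the thread). Windows PowerShell 2.0 or later, no Exchange cmdlets.
#  - Get-PresentedCertificate: open a TLS connection and return the certificate the server serves.
#  - Test-PresentedCertificate: compare that certificate's thumbprint with the one Exchange reports
#    as bound to IIS (read on the server with Get-ExchangeCertificate) and flag expiry.
#  - Install-PinnedRootCertificate: for a client that is not domain-joined, add the self-signed
#    certificate to the user's Trusted Root store, but only if its thumbprint matches the value
#    obtained from the server out of band, so an interceptor cannot plant its own certificate.

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever is presented: the point is to read the certificate, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        # Wrap in X509Certificate2 so Thumbprint and NotAfter are available.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

function Test-PresentedCertificate {
    param([string]$HostName, [string]$ExpectedThumbprint, [int]$Port = 443)

    $cert = Get-PresentedCertificate -HostName $HostName -Port $Port
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()

    New-Object PSObject -Property @{
        HostName         = $HostName
        Port             = $Port
        PresentedSubject = $cert.Subject
        PresentedThumb   = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        Expired          = ($cert.NotAfter -lt (Get-Date))
        MatchesExpected  = ($cert.Thumbprint -eq $expected)
    }
}

function Install-PinnedRootCertificate {
    param([string]$HostName, [string]$ExpectedThumbprint, [int]$Port = 443)

    $cert = Get-PresentedCertificate -HostName $HostName -Port $Port
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw ("Refusing to trust {0}: presented {1}, expected {2}" -f $HostName, $cert.Thumbprint, $expected)
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint
}

# Usage. FQDN assumed from the thread's CertificateDomains; thumbprint is the new certificate's
# Thumbprint from Get-ExchangeCertificate (not its SerialNumber).
#   Test-PresentedCertificate -HostName 'servername.domain.com' `
#       -ExpectedThumbprint 'C810E9AD90DC0180C23CA56EFE32934AB0F6E9BD' | Format-List
# If MatchesExpected is False and PresentedThumb is the expired 4C631BB6... value, IIS is still bound
# to the old certificate: run Enable-ExchangeCertificate -Thumbprint <new> -Services IIS on the server.
# Non-domain-joined client only, after the thumbprint has been confirmed on the server:
#   Install-PinnedRootCertificate -HostName 'servername.domain.com' `
#       -ExpectedThumbprint 'C810E9AD90DC0180C23CA56EFE32934AB0F6E9BD'
```

The install step is only as safe as the expected thumbprint: read it from Get-ExchangeCertificate on the server (or from the output the admin posted), never from the warning dialog on the client, since that dialog shows whatever was presented, including a certificate an attacker on the path might present. Because each renewal changes the thumbprint, non-domain clients have to repeat the install after every renewal; domain-joined clients do not, which is the distinction the reply above draws.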
January 19th, 2010 8:42am
I will try that. The last time I ran the enable command I did not list any services. Do I only need to list IIS? What about the others?
January 19th, 2010 8:48am
Last time you used Get-ExchangeCertificate | fl to list the services: IMAP, POP, SMTP. If you run the cmdlet this time, IIS will be added.
Frank Wang
January 19th, 2010 8:55am
I'm all set now. I ran the new certificate command again and then enabled the new certificate for all of the services listed in the old certificate. I then removed the certificates that were not in use. My Outlook clients are no longer getting certificate warnings. Thanks for all of your help.
January 19th, 2010 5:23pm