Outlook Security Popup - Exchange Certificate Message
Hi, My certificate recently expired so I recreated a new one:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {hubcas.hostname.co.uk, webmail.hostname.co.uk, autodiscover.hostname.co.uk, mail1.hostname.co.uk, mail2.hostname.co.uk, hubtransport1.hostname.co.uk, hubtransport2.hostname.co.uk, exchange.hostname.co.uk, exchange1.hostname.co.uk, exchange2.hostname.co.uk}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=hubcas.hostname.co.uk
NotAfter           : 04/04/2016 11:20:02
NotBefore          : 04/04/2011 11:20:02
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 7D0DA6EFBE87BDB34B55D8A6921AADA0
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=hubcas.hostname.co.uk
Thumbprint         : B1755D84F81335D1E58789C3C9239E7C4AD48909

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {hostname-HUBTRANSPORT1-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=hostname-HUBTRANSPORT1-CA, DC=hostname, DC=co, DC=uk
NotAfter           : 30/03/2014 16:21:05
NotBefore          : 30/03/2009 16:11:06
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 476CA49ECE8EA490460329CAEDC97D72
Services           : None
Status             : Valid
Subject            : CN=hostname-HUBTRANSPORT1-CA, DC=hostname, DC=co, DC=uk
Thumbprint         : C2541573C2D1E8CBF943F3D34A69C878A8AB296A

But when the users use Outlook they get this security popup: files.me.com/phil.pearce/ld8gg3
If I look at the details, it is the old certificate as the date has expired. I have to admit it's been around 4 years since I did this last so I may have forgotten the next steps. Can anyone point me in the right direction?
Thanks
Phil
April 8th, 2011 5:36am

Hi, I will explain the whole renewing stuff step by step for Exchange 2007. So you may follow the required steps and can remember for the next time :) If you are in Exchange 2010, follow the article published by myself in my forums here: http://windowsadmin.info/viewtopic.php?f=20&t=180

1. Run in shell:
New-ExchangeCertificate -GenerateRequest -Path c:\mynewssl.csr -KeySize 1024 -SubjectName "c=IN, s=KER, l=MyCompany, ou=IT, cn=mail.mydomain.com" -PrivateKeyExportable $True
c - Country name, s - State, l - Company Name, ou - OU in company which handles certificate, cn - identical name to the mail URL
2. Check c:\mynewssl.csr for the CSR and send this file to the SSL provider. The company will send you the CRF file, maybe some alphanumeric text. Copy the entire text into a text file, say newssl.txt, and rename it as newssl.cer
3. Copy the file to the CAS server
4. Remove the existing certificate: Run the cmdlet Get-ExchangeCertificate | fl and copy the Thumbprint of the existing one
5. Run Remove-ExchangeCertificate -Thumbprint "%THUMBPRINT%" and remove the existing one
6. Import the new one: Import-ExchangeCertificate -Path newssl.cer -FriendlyName "mail.mydomain.com"
7. Note down the thumbprint
8. Run Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint "%THUMBPRINT%" to enable it for the services listed here
9. Check the Autodiscovery is okay: Get-ClientAccessServer -Identity CASServer | FL . If it lists something wrong, set the autodiscovery: Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.mydomain.com/Autodiscover/Autodiscover.xml
10. Run the following commands to fix your internal URLs so your Outlook client can successfully take advantage of your web distribution services:
Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.mydomain.com/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.mydomain/OAB
Regards from www.windowsadmin.info
April 8th, 2011 6:20am
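The CA-issued path from the steps above, worked through as one Exchange Management Shell script. This is an added example, not the poster's or windowsadmin.info's code. The host names, the C:\newssl.cer path where the CA's response is saved and the friendly name are assumed values; steps 9 and 10 (Autodiscover and virtual directory URLs) are unchanged from the post and not repeated. Two things differ from the numbered steps on purpose: -DomainName puts every name Outlook actually connects to (Autodiscover included) into the Subject Alternative Name list, which is what prevents a name-mismatch prompt, and the old certificate is removed only after the new one is enabled rather than before.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 CAS. Names, paths and the friendly name below are assumed values.
$names   = @('mail.mydomain.com', 'autodiscover.mydomain.com', 'casserver.mydomain.local')
$csrPath = 'C:\mynewssl.csr'
$cerPath = 'C:\newssl.cer'   # assumed: where the CA's issued certificate is saved (step 2)

# Step 1: generate the request. -SubjectName sets the CN; -DomainName puts every name
# clients use into the Subject Alternative Name list. 2048-bit RSA rather than the
# post's 1024.
New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
    -SubjectName 'c=GB, o=MyCompany, ou=IT, cn=mail.mydomain.com' `
    -DomainName $names -PrivateKeyExportable $true -FriendlyName 'mail.mydomain.com 2011'

# Steps 2-3 happen outside the shell: submit $csrPath to the CA and save the issued
# certificate (Base64 text) as $cerPath on this CAS.
if (-not (Test-Path $cerPath)) { throw "CA response not found at $cerPath" }

# Step 6: import the issued certificate; Exchange pairs it with the pending request's
# private key. The cmdlet writes the certificate object to the pipeline, so the
# thumbprint (step 7) is captured rather than retyped.
$new = Import-ExchangeCertificate -Path $cerPath

# Step 8: bind the services. Enabling SMTP prompts to replace the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,POP,IMAP,SMTP'

# Check before touching anything else: every name clients use must be on the
# certificate, and it must be inside its validity window.
$now     = Get-Date
$cert    = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$missing = $names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning ('Names missing from certificate: ' + ($missing -join ', ')) }
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    Write-Warning 'Certificate is outside its validity period'
}
$cert | Format-List Subject, CertificateDomains, NotBefore, NotAfter, Services, Status

# Steps 4-5 last, not first: remove the expired certificate only after the new one is
# enabled, so no service is left bound to nothing. Each removal prompts for confirmation.
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -ne $new.Thumbprint -and $_.NotAfter -lt $now -and $_.Services -ne 'None' } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint }
```

The name check at the end is the one worth keeping around: the popup in the first post is Outlook reporting a certificate it cannot accept, and an expired date, a missing name and an untrusted issuer all produce the same dialogue.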

Thanks, I am using 2007. Don't I need to have all the domains like in the example? Also I don't have an SSL provider so I must have done this another way? Phil
April 8th, 2011 6:24am

Hi, These are actually the required domain names for Exchange 2K7. Try it as per your requirement. Regards from www.windowsadmin.info
April 8th, 2011 6:32am

Ok, I assume this is all one line:
New-ExchangeCertificate -GenerateRequest -Path c:\mynewssl.csr -KeySize 1024 -SubjectName "c=IN, s=KER, l=MyCompany, ou=IT, cn=mail.mydomain.com" -PrivateKeyExportable $True
c - Country name, s - State, l - Company Name, ou - OU in company which handles certificate, cn - identical name to the mail URL
I have to admit I can't remember doing this before. What should I do about the SSL part as we don't use anyone for this? Phil
April 8th, 2011 6:36am

Run this much: New-ExchangeCertificate -GenerateRequest -Path c:\mynewssl.csr
Regards from www.windowsadmin.info
April 8th, 2011 7:44am

Thanks. Ok, I'm going to start this shortly.. In this part:
"2. Check c:\mynewssl.csr for the CSR and send this file to the SSL provider. The company will send you the CRF file, maybe some alphanumeric text. Copy the entire text into a text file, say newssl.txt, and rename it as newssl.cer"
I generate the CSR via the above post, but how do I get the CRF file? Phil
April 8th, 2011 8:45am

Hi, Next is all about purchasing an SSL certificate. Find a suitable root certification authority like Verisign, Thawte, GoDaddy etc. and purchase the CRF after submitting the CSR.
Regards from www.windowsadmin.info
April 8th, 2011 12:18pm

I have a question, this is for my internal users, why do I need to buy an SSL certificate provided by an authority? I'm sure I didn't do this before and it's been working fine. Just expired on the 01/04/11. Phil
April 8th, 2011 12:20pm

Hi Phil, Then you may use a self-signed certificate.
1. Remove the existing certificate: Run the cmdlet Get-ExchangeCertificate | fl and copy the Thumbprint of the existing one
2. Run Remove-ExchangeCertificate -Thumbprint "%THUMBPRINT%" and remove the existing one
3. Run in shell: New-ExchangeCertificate . This will create a self-signed certificate. Run Get-ExchangeCertificate | fl and copy the Thumbprint
4. Run Enable-ExchangeCertificate -Thumbprint "%THUMBPRINT%" -Services IIS to enable it
Regards from www.windowsadmin.info
April 8th, 2011 12:31pm
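The self-signed route from the four steps above, with the two details that decide whether Outlook's prompt goes away: the names on the certificate and whether the client trusts its issuer. This is an added example, not code from the thread; the name list and the C:\temp output path are assumed values, and it assumes Get-ExchangeCertificate returns .NET X509Certificate2 objects, as Exchange 2007 does. A bare New-ExchangeCertificate only puts the server's own name and FQDN on the certificate (the HubTransport2 certificate listed later in the thread is one of those), so the script passes -DomainName explicitly; it then builds the certificate chain the way a client would, which is the check that shows why a self-signed certificate still prompts until its public part is trusted on the clients. Removal of the expired certificate is done last, after the replacement is enabled.

```powershell
# Added example, not from the thread. Self-signed replacement on an Exchange 2007 CAS,
# run in the Exchange Management Shell. The name list and file path are assumed values.
# Include the server's own FQDN so the new certificate can take over the internal
# transport (SMTP) role from the expired one.
$names = @('hubcas.hostname.co.uk', 'webmail.hostname.co.uk', 'autodiscover.hostname.co.uk',
           'hubtransport1.hostname.co.uk', 'hubtransport2.hostname.co.uk')

# Step 3 with names supplied; -Services does step 4 in the same call.
$created = New-ExchangeCertificate -SubjectName 'cn=hubcas.hostname.co.uk' -DomainName $names `
    -FriendlyName 'Exchange self-signed 2011' -PrivateKeyExportable $true -Services 'IIS,POP,IMAP,SMTP'
# Re-read it from the store (assumed to be an X509Certificate2, as Exchange 2007 returns).
$cert = Get-ExchangeCertificate -Thumbprint $created.Thumbprint

# Outlook checks trust as well as name and date. Build the chain the way a client would:
# a self-signed certificate fails with UntrustedRoot on any machine that does not have
# its public part in the Trusted Root Certification Authorities store.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ('Chain status: ' + $_.Status + ' - ' + $_.StatusInformation) }
}

# Export only the public certificate (no private key) for distribution to the domain-joined
# clients' Trusted Root store, e.g. by Group Policy. The private key stays on the server.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes('C:\temp\exchange-selfsigned.cer', $der)   # assumed path

# Steps 1-2 last: remove the expired certificate only after the replacement is enabled.
# Each removal prompts for confirmation.
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -ne $cert.Thumbprint -and $_.NotAfter -lt (Get-Date) -and $_.Services -ne 'None' } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint }
```

Run on the server, the chain check reports the same status a client would see for that issuer; on the clients, only the .cer (public part) is distributed, never the .pfx, because anyone holding the private key can impersonate the Exchange servers to every Outlook user.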

This is the exact process I did. But still the message box appears. :( Phil
April 8th, 2011 12:33pm

Hi, Are you using Edge servers? In this case, you need an Edge sync between CAS and Edge as there is new stuff.
Regards from www.windowsadmin.info
April 8th, 2011 12:40pm

No Edge servers. 2 clustered mailbox servers, 2 hub/CAS servers; in front of that is an IronPort mail appliance. Do I have to import this certificate into the root authority? Phil
April 8th, 2011 3:09pm

Hi Phil, Please do "Test E-Mail AutoConfiguration" on the client (select "Use AutoDiscover"). The clients are domain-joined ones, right? What are the results of Get-ExchangeCertificate | fl now? Please also try to delete the old certificates in the IIS or Certificate MMC on the Exchange server. If you create a new mailbox or renew the Outlook profile, does it work?
Frank Wang TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 11th, 2011 3:53am

Test E-Mail Auto Configuration = Unable to determine settings

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {hubcas.hostname.co.uk, webmail.hostname.co.uk, autodiscover.hostname.co.uk, mail1.hostname.co.uk, mail2.hostname.co.uk, hubtransport1.hostname.co.uk, hubtransport2.hostname.co.uk, exchange.hostname.co.uk, exchange1.lcplc.co.uk, exchange2.hostname.co.uk}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=hubcas.hostname.co.uk
NotAfter           : 04/04/2016 11:20:02
NotBefore          : 04/04/2011 11:20:02
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 7D0DA6EFBE87BDB34B55D8A6921AADA0
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=hubcas.hostname.co.uk
Thumbprint         : B1755D84F81335D1E58789C3C9239E7C4AD48909

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {hostname-HUBTRANSPORT1-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=hostname-HUBTRANSPORT1-CA, DC=hostname, DC=co, DC=uk
NotAfter           : 30/03/2014 16:21:05
NotBefore          : 30/03/2009 16:11:06
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 476CA49ECE8EA490460329CAEDC97D72
Services           : None
Status             : Valid
Subject            : CN=hostname-HUBTRANSPORT1-CA, DC=hostname, DC=co, DC=uk
Thumbprint         : C2541573C2D1E8CBF943F3D34A69C878A8AB296A

This is the only entry as I removed the old one. The certificates on the IIS server: files.me.com/phil.pearce/5w5iiw
Phil
April 11th, 2011 3:59am

Certificate dialogue box, when I try to connect: files.me.com/phil.pearce/o1kc95
Also I should have mentioned that I have 2 HubCAS servers in an NLB. The above was to do with one; the below is for the 2nd. When I went onto the 2nd hub transport I found these certificates:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {hubcas.hostname.co.uk, webmail.hostname.co.uk, autodiscover.hostname.co.uk, mail1.hostname.co.uk, mail2.hostname.co.uk, hubtransport1.hostname.co.uk, hubtransport2.hostname.co.uk, exchange.hostname.co.uk, exchange1.hostname.co.uk, exchange2.hostname.co.uk}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=hostname-HUBTRANSPORT1-CA, DC=hostname, DC=co, DC=uk
NotAfter           : 01/04/2011 11:59:44
NotBefore          : 01/04/2009 11:59:44
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 19A2B01E000000000007
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=hubcas.hostname.co.uk, OU=IT, O=hostname, L=Bath, S=Avon, C=GB
Thumbprint         : D91CEAD0BA826467DA8CDD7044B0EEEDBF2F88DA

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {hubtransport1.hostname.co.uk, hubtransport2.hostname.co.uk, HUBCAS.hostname.co.uk, autodiscover.hostname.co.uk}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=hostname-HUBTRANSPORT1-CA, DC=hostname, DC=co, DC=uk
NotAfter           : 31/03/2011 14:42:43
NotBefore          : 31/03/2009 14:42:43
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 15119334000000000005
Services           : IMAP, POP
Status             : Invalid
Subject            : CN=hubtransport1.hostname.co.uk
Thumbprint         : 9C02373FD9BB87826F1615E3727EEE93B12521F7

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {HubTransport2, HubTransport2.hostname.co.uk}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=HubTransport2
NotAfter           : 15/01/2010 13:12:15
NotBefore          : 15/01/2009 13:12:15
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 100126D6A2C6FCA549F5E2B3B79724CE
Services           : SMTP
Status             : Invalid
Subject            : CN=HubTransport2
Thumbprint         : D95EB7BFBB295DBB768D403C55FE897191B3C053

Phil
April 11th, 2011 5:27am

Would this be what I need to do from here?
New-ExchangeCertificate -GenerateRequest -FriendlyName "ExchangeSSL2011" -DomainName hubcas.hostname.co.uk, webmail.hostname.co.uk, autodiscover.hostname.co.uk, mail1.hostname.co.uk, mail2.hostname.co.uk, hubtransport1.hostname.co.uk, hubtransport2.hostname.co.uk, exchange.hostname.co.uk, exchange1.hostname.co.uk, exchange2.hostname.co.uk -Path c:\temp\exchangeSSL2011.txt
Remove existing thumbprint?
Enable-ExchangeCertificate -Thumbprint xxxxx -Services "POP,IMAP,SMTP,IIS"
On the second HubCAS server remove all certificates (as above post)
Import the new one on this 2nd HubCAS server: Import-ExchangeCertificate -Path c:\temp\exchangeSSL2011.txt
Note down the thumbprint
Run Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint "%THUMBPRINT%" to enable it for the services listed here
Check the Autodiscovery is okay: Get-ClientAccessServer -Identity CASServer | FL . If it lists something wrong, set the autodiscovery: Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.mydomain.com/Autodiscover/Autodiscover.xml
Run the following commands to fix your internal URLs so your Outlook client can successfully take advantage of your web distribution services:
Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.mydomain.com/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.mydomain/OAB
???? Phil
April 12th, 2011 4:55am

"Import the new one on this 2nd HubCAS server: Import-ExchangeCertificate -Path c:\temp\exchangeSSL2011.txt"
Hi Phil, I'm afraid this is not right. You can import an existing certificate and private key from a PKCS #12 (.pfx or .p12) file. Import-ExchangeCertificate: http://technet.microsoft.com/en-us/library/bb124424(EXCHG.80).aspx
So please run the cmdlet on the 1st HubCAS:
New-ExchangeCertificate -FriendlyName "ExchangeSSL2011" -DomainName hubcas.hostname.co.uk, webmail.hostname.co.uk, autodiscover.hostname.co.uk, mail1.hostname.co.uk, mail2.hostname.co.uk, hubtransport1.hostname.co.uk, hubtransport2.hostname.co.uk, exchange.hostname.co.uk, exchange1.hostname.co.uk, exchange2.hostname.co.uk -PrivateKeyExportable $true
Enable the service, then remove any other valid/invalid certificates.
Export the certificate from the 1st HubCAS to a pfx file. Export-ExchangeCertificate: http://technet.microsoft.com/en-us/library/aa996305(EXCHG.80).aspx
After that, import the pfx file to the 2nd HubCAS server. Remove any other valid/invalid certificates.
Frank Wang TechNet Subscriber Support in forum
April 12th, 2011 10:39pm
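The export/import sequence from the reply above, written out for the two NLB nodes as an added example (not Frank Wang's or Microsoft's code). The thumbprint placeholder, the C:\temp path and the server names HUBCAS1/HUBCAS2 are assumed; the cmdlets and parameters are the Exchange 2007 ones the reply links to. The point of the final comparison is the one that caught Phil out: behind an NLB both nodes must present the same certificate, and a client can land on either. Removal of the expired certificates is done only after the imported one is enabled, which is the order the reply gives.

```powershell
# Added example, not from the thread. Moves the certificate created on HUBCAS1 to HUBCAS2
# so both NLB nodes present the same one. Thumbprint placeholder, file path and server
# names are assumed values. Set $thumb on both servers; run each section where indicated.
$thumb = 'PASTE_THUMBPRINT_FROM_GET-EXCHANGECERTIFICATE'   # placeholder, from HUBCAS1
$pfx   = 'C:\temp\ExchangeSSL2011.pfx'                     # assumed path on both servers

# ---- On HUBCAS1: export the enabled certificate with its private key as PKCS #12.
# The file is password-protected because it carries the private key.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded:$true -Path $pfx -Password $pw
# Copy $pfx to HUBCAS2 over an authenticated channel (admin share), not by e-mail.

# ---- On HUBCAS2: import, enable the same services, then confirm both nodes match.
$pw  = Read-Host -Prompt 'PFX password' -AsSecureString
$imp = Import-ExchangeCertificate -Path $pfx -Password $pw
Enable-ExchangeCertificate -Thumbprint $imp.Thumbprint -Services 'IIS,POP,IMAP,SMTP'

# Same key pair on both nodes means the same thumbprint; anything else and clients hitting
# this node still see the old dialogue.
if ($imp.Thumbprint -ne $thumb) {
    Write-Warning ('Thumbprint differs from HUBCAS1: ' + $imp.Thumbprint)
}

# Only now remove the Invalid (expired) certificates. Removal prompts per certificate. If
# Exchange refuses one as the internal transport certificate, leave it until a newer
# certificate enabled for SMTP has taken over that role.
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -ne $imp.Thumbprint -and $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint }

# The .pfx holds the private key: delete it from both servers once the import succeeds.
Remove-Item $pfx

# Final state on this node: one Valid certificate carrying IIS/POP/IMAP/SMTP.
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, NotAfter, Services, Status, Thumbprint
```

The check with the Get-ExchangeCertificate listing at the end is the same one Phil ran on each node by hand; done on both servers after the import, it should show the same thumbprint with Status Valid and the services bound, and nothing Invalid left behind.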

Sir, You are a star. Phil
April 13th, 2011 4:02am

Many thanks, a further question: when I try and remove the existing certificate I get
Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
Parameter name: Thumbprint
At line:1 char:27
Is this ok to proceed? I assume after the creation then I restart the transport service? Phil
April 13th, 2011 4:02am
