Saturday, April 25, 2009

When your self-signed E2K7 certificate expires

We worked with a client who saw a self-signed certificate error (mismatch, expiration) in their lab. It took a while to figure out how to update the self-signed cert. You have to create/update the certificate, enable it, and restart IIS. Here are the steps we took (using Exchange Management Shell):

There are two ways to generate a new cert. One is to add another year to the existing cert, the other is to create a new cert.

1) a) Add one year to the existing (expired) cert:

Get the thumbprint of the expired certificate:

Get-ExchangeCertificate -DomainName fl NotAfter,Thumbprint,certificatedomains

Then use that cert's thumbprint to generate a new cert

Get-ExchangeCertificate -Thumbprint xxx New-ExchangeCertificate

1) b) --or--Create a new cert:

New-ExchangeCertificate -PrivateKeyExportable $True -Services "IMAP, POP, IIS, SMTP" -SubjectName "cn=yourOutlookAnyWhereExternalDomainName"

Once you create the cert, you'll be given a thumbprint. Use that to enable the cert:

2) Enable-ExchangeCertificate -Thumbprint [thethumbprint] -services:"IMAP, POP, IIS, SMTP"

3) Stop/Start IIS:

i.e., iisrestart /start
net stop "World Wide Web Publishing Service"

net start "World Wide Web Publishing Service"

net stop "FTP Publishing Service"net start "FTP Publishing Service"

net stop "Simple Mail Transport Protocol (SMTP)"

net start "Simple Mail Transport Protocol (SMTP)"

Install the certificate on your client Windows machine via Internet Explorer:

4) Tools / Internet Options / Content / Certificates / Trusted Root Certificate Authorities / Import


No comments: