
Sunday, January 16, 2011

After you apply Exchange 2007 Service Pack 3 - replace your self-signed server certificate

An expired self-signed server certificate will not, by itself, interrupt your services, but it does fill the Application event log with certificate warnings and trips monitoring agents such as SCOM. Replace the invalid or expired certificate anyway, so the noise stops.
If you are running Exchange 2007 SP1 or SP2, the self-signed certificate is valid for only one year. Once SP3 is applied, a newly generated self-signed certificate is valid for five years.

In the Exchange Management Shell, run:
Get-ExchangeCertificate | fl


Copy the thumbprint of your current certificate and pipe it into New-ExchangeCertificate. Piping the existing certificate clones it, so the new self-signed certificate keeps the same subject and domain names:
Get-ExchangeCertificate -Thumbprint "01CFFAA6076D0379DCEE94AE1CB777FDF8012817" | New-ExchangeCertificate

Run Get-ExchangeCertificate | fl again; it now lists both certificates.

The old certificate has IMAP, POP and IIS in its Services, is valid for only one year and most likely shows as Invalid.

The new certificate has only IMAP and POP in its Services, is valid for five years and shows as Valid.

IIS is not yet enabled on the new certificate, so it is not bound to the Default Web Site's HTTPS binding and will not appear in IIS Manager (inetmgr.msc) until you enable it.

Enable IIS on the new certificate using its thumbprint:
Enable-ExchangeCertificate -Thumbprint "4E9D9897E4145A47620FF6C08EAA3B1B991EB64A" -Services IIS

Once the new certificate is enabled for IIS, remove the old one:
Remove-ExchangeCertificate -Thumbprint "01CFFAA6076D0379DCEE94AE1CB777FDF8012817"

Run the following command to confirm that the old certificate is gone and that IIS is enabled on the new one:
Get-ExchangeCertificate | fl

This is what the final results should look like (screenshot not reproduced here): a single certificate whose Services line reads IMAP, POP, IIS, whose NotAfter date is five years out, and whose Status is Valid.
Now run an iisreset so IIS picks up the new binding:
iisreset

Here comes the important part. Enabling IIS on a certificate does not always stick: the Services flag is sometimes not applied. After the iisreset, run Get-ExchangeCertificate | fl once more and confirm that IIS is still listed under Services for the new certificate. If it is not, enable it again and repeat the check; in some cases you have to close the shell, open a new Exchange Management Shell session and run iisreset again.

If you offload SSL on a load balancer, firewall or ISA server, the Exchange server receives the client traffic over plain HTTP, and a web site that requires SSL would reject it (HTTP 403.4). Open IIS Manager, open the properties of the Default Web Site, select the Directory Security tab and click Edit under Secure communications. Clear 'Require secure channel (SSL)', click OK to close the dialog, then OK again to close the properties. If you are prompted to propagate the setting to the child virtual directories, click Cancel.

Run iisreset again from the command prompt, then check one more time that 'Require secure channel (SSL)' has not been re-enabled; this does happen after a certificate change.
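The whole procedure above, as one Exchange Management Shell script. This is an added example, not a script from the original post: it discovers the thumbprints instead of pasting them, retries the IIS binding check after each iisreset as the post recommends, removes the old certificate only once the new one is confirmed bound, and, for SSL-offload deployments, re-checks the Default Web Site's 'Require secure channel (SSL)' flag through the IIS 6 metabase. The $SslOffloaded switch, metabase site ID 1 for the Default Web Site and the default adsutil.vbs path are assumptions.

```powershell
# Added example (not from the original post): replace an expiring Exchange 2007 SP3
# self-signed certificate end to end, with the post's manual checks automated.
# Run in the Exchange Management Shell on the Client Access server as a local admin.
# Assumptions: one self-signed certificate is currently enabled for IIS; the IIS 6
# Default Web Site has metabase site ID 1; adsutil.vbs is in its default location.

$SslOffloaded = $false   # assumption: set to $true when SSL ends on a load balancer/firewall/ISA
$AdsUtil      = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"   # assumed default path

function Test-IisBinding([string]$Thumbprint) {
    # True when Get-ExchangeCertificate still lists IIS among the certificate's services.
    $c = Get-ExchangeCertificate -Thumbprint $Thumbprint
    return [bool]("$($c.Services)" -match 'IIS')
}

# 1. Locate the self-signed certificate IIS is using today.
$old = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ("$($_.Services)" -match 'IIS') } |
    Select-Object -First 1
if (-not $old) { throw "No self-signed certificate is enabled for IIS; nothing to replace." }
$daysLeft = [int]($old.NotAfter - (Get-Date)).TotalDays
Write-Host ("Old cert {0} expires {1:d} ({2} days)" -f $old.Thumbprint, $old.NotAfter, $daysLeft)

# 2. Clone it. Piping the old certificate reuses its subject and domain names; after SP3
#    the new self-signed certificate is issued for five years.
$new = $old | New-ExchangeCertificate
if (-not $new -or $new.Thumbprint -eq $old.Thumbprint) {
    throw "New-ExchangeCertificate did not return a new certificate."
}
$new = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
Write-Host ("New cert {0} valid until {1:d}" -f $new.Thumbprint, $new.NotAfter)

# 3. Enable IIS on it, restart IIS, and re-check. The post notes the IIS flag does not
#    always stick, so retry a few times before giving up.
$bound = $false
for ($attempt = 1; $attempt -le 3 -and -not $bound; $attempt++) {
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
    iisreset | Out-Null
    $bound = Test-IisBinding $new.Thumbprint
    if (-not $bound) { Write-Warning "IIS binding did not apply on attempt $attempt; retrying." }
}
if (-not $bound) {
    throw "IIS is not enabled on $($new.Thumbprint). Open a new shell, run iisreset and re-check before removing the old certificate."
}

# 4. Only now is it safe to remove the old certificate, then show the end state.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
Get-ExchangeCertificate | Format-List Thumbprint, Services, IsSelfSigned, NotAfter, Status

# 5. SSL offload only: make sure 'Require secure channel (SSL)' (metabase property
#    AccessSSL) is still off on the Default Web Site, since it can come back after the
#    certificate change. IIS 6 / Windows Server 2003 metabase only.
if ($SslOffloaded) {
    $requireSsl = [bool]((& cscript //nologo $AdsUtil GET W3SVC/1/ROOT/AccessSSL) -match 'True')
    if ($requireSsl) {
        Write-Warning "Require SSL was re-enabled on the Default Web Site; turning it off again."
        & cscript //nologo $AdsUtil SET W3SVC/1/ROOT/AccessSSL False | Out-Null
        iisreset | Out-Null
    }
}
```

The ordering is the point: Remove-ExchangeCertificate runs only after Test-IisBinding confirms the new certificate survived an iisreset with IIS still in its Services, so a binding that silently failed to apply cannot leave the Default Web Site without a usable certificate.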
