Exchange 2007 Self Signed Certificate

Couldn’t work out why my Outlook stopped working, then i worked it out .. the damm self signed cert has expired … (has it been a year already!)

So my thanks Bharat for this: but I had to add some stuff to get it work properly!!!

[PS] C:PS>Get-ExchangeCertificate

Thumbprint                                Services   Subject
———-                                ——–   ——-
B21AF4199919173F7A4D836ECE00F484EFD2E270  …W.,…
5C31EA83FC2FFE67B2BAB2136B7BC471B1C74038  IP…      CN=MSX, DC=flaphead, DC…
417E5CED6161B185A122839911E13FB4CCD82C24  IP..S      CN=msx

[PS] C:PS>Get-ExchangeCertificate -DomainName

Thumbprint                                Services   Subject
———-                                ——–   ——-
B21AF4199919173F7A4D836ECE00F484EFD2E270  …W.,…

[PS] C:PS>Get-ExchangeCertificate -DomainName | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=MSX, DC=flaphead, DC=local
NotAfter           : 17/01/2009 10:46:55
NotBefore          : 17/01/2008 10:36:55
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 610843C8000000000002
Services           : IIS
Status             : DateInvalid
Subject            :, OU=Flaphead, O=Flaphead, L=London,
                      S=London, C=GB
Thumbprint         : B21AF4199919173F7A4D836ECE00F484EFD2E270

So you need to find the old cert and create a new one

[PS] C:PS>Get-ExchangeCertificate -DomainName | New-ExchangeCertificate –PrivateKeyExportable $True

Overwrite existing default SMTP certificate,
‘417E5CED6161B185A122839911E13FB4CCD82C24’ (expires 02/12/2008 20:22:37), with
certificate ‘581F669862218D36C2209DE47C899D4C758B352C’ (expires 17/01/2010
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is “Y”):a

Thumbprint                                Services   Subject
———-                                ——–   ——-
581F669862218D36C2209DE47C899D4C758B352C  …..      C=GB, S=London, L=Londo…

Now you need to enable it

[PS] C:PS>Enable-ExchangeCertificate -Thumbprint 581F669862218D36C2209DE47C899D4C758B352C -Services IIS

Sweet, now test.  I had to log on to OWA to check the cert.  I then added it to my trust root via IE.  After this Outlook worked okay!

Once your happy you can remove the old one BUT As I am a cheap skate, I need to upload the cert to my windows mobile device too … maybe I should look at getting a proper cert :-| to the theory goes that you need to export the cert

[PS] C:PS> Export-ExchangeCertificate -Path c:export.pfx -Thumbprint  AA7368BEC3BCEED86308B0EDE73368F71A02DD06 -BinaryEncoded:$true -Password:(Get-Credential).password

But this didn’t work when I added the cert to my WM6 device, agggggggghh :-o so using IIS admin I checked the Microsoft-Server-ActiveSync virtual directory and made sure the cert was okay (I had to import the exported cert to the certificate root).  Then I went to the default website and exported the cert to disk and imported that to my WM6 device.  Result at last, back to normal …. just need to remember these steps next year!!!

Note to self, install isa and get a commercial cert!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: