Expired Exchange 2007 Certificate

Alexander Zammit


Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.

If your Exchange 2007 is nearing its first birthday, there is a good chance you will soon come across some event log warnings concerning the expiry of an internal transport certificate. If you ignore these, users will start chasing you!! Outlook 2007 will start popping up an expired certificate warning dialog.

With so many changes, it is easy to overlook some of the less shiny Exchange 2007 improvements, especially if you haven't been using earlier Exchange versions. Exchange 2007 automatically installs a self-signed certificate. Amongst other benefits, this certificate immediately secures OWA access, enabling users to log in to their mailbox using HTTPS.

One may replace it with a certificate issued by a Certification Authority. In any case, earlier Exchange users will certainly appreciate that starting from the security of a self-signed certificate is much better than starting from the no-security of plain HTTP on port 80.

One Year Later...

Those choosing to continue working with the self-signed certificate will have the opportunity to appreciate how time flies!! In fact, Exchange will remind you of its first anniversary with events of this type:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 13/04/2008
Time: 09:01:00
User: N/A
Computer: EXSERVER
Description:
The STARTTLS certificate will expire soon: subject: exserver.domain.local, hours remaining: 157700393E5D76615E855A773CFA08AB5842DFB0. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12017
Date: 13/04/2008
Time: 09:01:00
User: N/A
Computer: EXSERVER
Description:
An internal transport certificate will expire soon. Thumbprint:157700393E5D76615E855A773CFA08AB5842DFB0, hours remaining: 295

The events are informative enough to point you in the right direction for resolving the issue, i.e. running the New-ExchangeCertificate cmdlet. Exchange is also kind enough to alert you days in advance. In the above event example we have 295 hours left, approximately 12 days.

You do check the event logs, right? If not, or if you simply ignore these events, someone else will remind you! Most commonly Outlook 2007 users will be amongst the first to start knocking at your door. If the certificate expires, opening Outlook will bring up an annoying dialog saying:

exserver.domain.local
Information you exchange with this site cannot be viewed or changed by others.
However, there is a problem with the site's security certificate…

Generating a New Certificate

Solving the problem is simple. To begin, let's see the currently installed certificate by running:
Get-ExchangeCertificate | List

(Screenshot: Exchange Certificate Properties)

Note that here I am taking screenshots from a test machine whose certificate is not about to expire! Some properties worth noticing include:

NotAfter - shows the certificate expiry date

Services - shows that the certificate applies to IMAP, POP, IIS and SMTP

Thumbprint - we will use this to identify and make changes to this certificate

Creating a new certificate is just a matter of running the cmdlet:
New-ExchangeCertificate

This will warn you about overwriting the SMTP certificate.

(Screenshot: New Exchange Certificate)

To be honest, the first time I ran into this I thought that was it. After all, there were no more event log warnings. However, this is not the case. Rerunning Get-ExchangeCertificate we see that the IIS service is still using the old certificate. This means Outlook users will still be knocking at our door.

(Screenshot: Missing IIS Service)

We need to move the IIS service to the new certificate using Enable-ExchangeCertificate. To do this we need the thumbprint value of the newly created certificate. In my case I used this command:
Enable-ExchangeCertificate -Thumbprint F7A8F1B443A0E7266C72CDE0603302C07B856076 -Service IIS

With the new certificate in place we may now remove the old certificate using Remove-ExchangeCertificate with the thumbprint value of the old certificate:
Remove-ExchangeCertificate -Thumbprint 157700393E5D76615E855A773CFA08AB5842DFB0
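The whole procedure above (list, create, re-bind IIS, remove), as an added example that is not the article's own code: a script for the Exchange Management Shell that finds self-signed certificates close to expiry, clones each one through the New-ExchangeCertificate pipeline, re-binds every service the old certificate served (so the IIS step is not forgotten), and removes the old certificate only after verifying the new binding. The 14-day window and the -ReportOnly switch are assumptions of this example; the cmdlets, event IDs and property names are the ones the article shows or Exchange 2007 documents.

```powershell
# Added example, not code from the article: renew expiring self-signed Exchange 2007
# certificates and carry every service binding (SMTP, IIS, POP, IMAP) over to the
# replacement, so the IIS step the article warns about is not skipped.
# Run this in the Exchange Management Shell, not a plain Windows PowerShell prompt.
# Assumptions: the 14-day window is an arbitrary choice, only self-signed
# certificates are touched, and -ReportOnly is a switch of this script only.
param(
    [int]$WarnDays = 14,
    [switch]$ReportOnly
)

# Surface the warnings Exchange already logged (event IDs 12017 and 12018 from
# MSExchangeTransport) so the operator sees the same evidence the article shows.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'MSExchangeTransport' -and
                   ($_.EventID -eq 12017 -or $_.EventID -eq 12018) } |
    ForEach-Object { Write-Host ("Event {0} at {1}: {2}" -f $_.EventID, $_.TimeGenerated, $_.Message) }

# Same view as Get-ExchangeCertificate | List, limited to the properties that matter here.
$all = Get-ExchangeCertificate
$all | Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# Pick the self-signed certificates that expire inside the window.
$expiring = $all | Where-Object {
    $_.IsSelfSigned -and (($_.NotAfter - (Get-Date)).TotalDays -le $WarnDays)
}
if (-not $expiring) {
    Write-Host "No self-signed certificate expires within $WarnDays days."
    return
}

foreach ($old in $expiring) {
    $services = $old.Services.ToString()        # e.g. "IMAP, POP, IIS, SMTP"
    Write-Host ("{0} expires {1}; bound to: {2}" -f $old.Thumbprint, $old.NotAfter, $services)
    if ([int]$old.Services -eq 0) {
        Write-Host "Not used by any service; nothing to re-bind. Skipping."
        continue
    }
    if ($ReportOnly) { continue }

    # Clone the certificate: same subject and domain names, new one-year validity.
    # This is the renewal method Microsoft documents for self-signed certificates.
    # The "Overwrite existing default SMTP certificate" prompt is left in place on
    # purpose: if a CA-issued certificate is the current SMTP default, answer No.
    $new = $old | New-ExchangeCertificate
    if (-not $new) {
        Write-Warning "Cloning $($old.Thumbprint) returned no certificate; old one left in place."
        continue
    }

    # New-ExchangeCertificate only takes over SMTP. IIS (OWA, Outlook Anywhere,
    # ActiveSync), POP and IMAP keep pointing at the old certificate unless re-bound.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services -Confirm:$false

    # Verify before deleting anything: the new certificate must carry every service
    # the old one had. Services is a flags enum, so compare it bitwise.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if (([int]$check.Services -band [int]$old.Services) -ne [int]$old.Services) {
        Write-Warning ("{0} is not bound to all of: {1}. Old certificate kept." -f $new.Thumbprint, $services)
        continue
    }

    # Safe to remove the old certificate now; no service references it any more.
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    Write-Host ("Replaced {0} with {1}" -f $old.Thumbprint, $new.Thumbprint)
}
```

Run it once with -ReportOnly to see which certificates would be touched and which services they carry, then without the switch to perform the renewal. The bitwise check before Remove-ExchangeCertificate is what guards against the situation the article describes, where IIS silently stays on the old certificate.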


User Comments - Page 1 of 1

Ashu 29 Aug 2013 13:31
Please help with the command, how can I add a new domain for the self-signed certificate? I am adding a new Outlook Anywhere domain, e.g. outlook.domain.com. Help with the command to add this to the self-signed certificate.
Ashu 29 Aug 2013 13:21
Great articles...
onzz 8 Mar 2013 10:28
I wish all instructions were shown and explained as well as this. Excellent.
PJN 26 Nov 2012 13:46
Mahalo!
Dimitris Vlachopoulos 28 Sep 2012 16:08
You saved my day... excellent info
Bill 20 Sep 2012 00:43
Spot on! Everything you need concisely explained.
Great!
Jarrad 8 Jul 2012 22:31
Thanks, solved my issues :)
Justin Klima 11 Feb 2012 11:05
When typing Get-ExchangeCertificate all certificates are fine and valid. The one that pops up all the time when using Outlook 2010 with RPC configured is the expired one, and this is not the one with a matching thumbprint found on the Exchange console list when using the Get-ExchangeCertificate |FL command.

Any other way to get rid of expired certificates that keep popping up for users using the outlook 2010 client?
Mike 24 Oct 2011 08:30
Awesome, thanks so much. Nice and easy to do.
Robin 26 Sep 2011 07:26
Well written, great example of useful information !
Daniel 16 Sep 2011 08:05
Thanks a lot!
klausi 12 Sep 2011 06:24
Thanks!
rascoit 10 Sep 2011 06:21
You Rock.
Jay Roberts 16 Aug 2011 03:48
Awesome, this just saved my life! Thanks :)
Ramachandran 25 Jul 2011 03:06
This is Great.. Thank you.
Kyle 21 Jun 2011 06:37
Great write up, much appreciated...
Saju 15 May 2011 21:58
Thanks very much. The solution was straight forward and it worked fine. Excellent.
lolo 13 May 2011 04:39
thanks
Marko F 28 Apr 2011 03:48
Thanks a lot !! Helped me solve this issue !!
Guillaume Potez 5 Apr 2011 05:05
Thanks a lot !
Jerod 1 Apr 2011 09:36
Thanks for writing this up. Helped me solve this much faster than if I combed through the Microsoft docs
Hani Husseini 14 Mar 2011 03:10
You are the best... saved me the day... I voted as excellent post.. regards
Dan Gelfand 9 Mar 2011 09:26
I followed the instructions- they are clear and concise.
After renewing the cert I no longer get a security warning and OWA still works. The only problem is that the certificate error next to the address bar in IE states that the certificate expired on January 27, 2011, even though I have renewed it.
Any idea why this is?
dan@slpowers.com
wire 18 Feb 2011 01:02
Glad this article came up high on the Google search. Clearly explained, accurate. Thanks also for catching the IIS gotcha! Saved me a lot of time and my users annoying messages (which they will now never know about, at least until I forget this next year ;})
Cert Date....reference below 21 Dec 2010 08:59
[PS] C:\Windows\System32>New-ExchangeCertificate

Confirm
Overwrite existing default SMTP certificate,
'518CCEE3A8F4E6B4297FF0567FC3822CECD0CCCA' (expires 12/21/2011 11:34:02 AM),
with certificate '32332D0344E16AD40679F4786696AD90CF4251D2' (expires 12/21/2011
11:48:06 AM)?
Certificate Date 21 Dec 2010 08:52
When I run the command, instead of generating a new cert for 1 year later it is using the current date/time stamp of the server to make the cert. So if I run it today at 11:52 it will say replace old cert with new cert date 12/21/2001 11:52am. Any idea what could cause this?
Mags 20 Dec 2010 15:18
"hi,managed to create the certificate but in IIS manager I can see "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store". how can I do that please ?" Also having this issue. any ideas.
Greg 11 Dec 2010 15:12
Thanks so much! Fixed my problem. Easy and straight forward explanation.
Anthony Ndong 5 Nov 2010 03:59
After two days, your simple explanation was the key to unlocking the puzzle box. Thanks a lot.
Martin 3 Nov 2010 07:38
hi,managed to create the certificate but in IIS manager I can see "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store". how can I do that please ?
Gregg Kessloff 24 Oct 2010 15:20
EXCELLENT! Worked perfectly. VERY much appreciated.

GK
FTECH 12 Oct 2010 13:39
Ha! I like you thought that was it after New-ExchangeCertificate! Good to know!! Thanks!
IT WAI 29 Sep 2010 09:00
GOOD!!!SOLVED MY PROBLEM!!
Tharapon 24 Sep 2010 21:45
Thank you so much! It's easy. You've saved my life!
MarkG 13 Sep 2010 05:36
Many thanks for this straightforward explanation. Solved my problem in a few minutes.
Bhargav 12 Sep 2010 14:31
Thanks, this worked for me
wand 1 Sep 2010 03:32
Thanks for the reasonably simple instructions. I've been searching for this answer for months. I found part of it a while back, but not the part about enabling the IIS, which was the difference. I now have multiple copies of certificates in Exchange and I'm wondering if I can delete all but the final one I just created and that works. I've deleted the expired one, but I have multiple copies from before. Should there only be one certificate in the simplest case or more than one? They are not all exactly the same.
Randy 24 Aug 2010 10:10
Man that was by far the best and simplest explanation of how to renew this than anything I have read. You go man. Thanks for that.
Great tip 23 Aug 2010 13:26
Most of the tips I found on this made no sense at all..but this one did the trick. Got the cert installed in just a few minutes. Thanks for laying it out so it can be understood!
Sky 14 Aug 2010 16:06
Great job. This is by far the best explanation on how to renew it. Thanks!
Very Grateful 11 Aug 2010 19:53
This was a great explanation and solution. Thanks!!!
John Guthrie 10 Aug 2010 02:59
Fantastic guide.
Thanks a lot. I saved a lot of hours.

Thanx again
Thanks 23 Jul 2010 00:12
Great stuff! You just saved a couple of users lives and my a$$.
kontech.net 14 Jul 2010 07:02
Thanks for the write-up. It's definitely worth renewing the certificate for the life of the server, so that you don’t have to do it over.
Sean O 7 Jul 2010 12:16
Worked for me as well. Thanks for the straightforward, complete instructions.
Sirius Lee 24 May 2010 17:26
Yes, this article is great. I'd been putting off the 'certificate issue' thinking it would be hideously complicated, but I was delighted to find your instructions and in 5 minutes it was done.
ZUMA 20 May 2010 10:22
Thanks, this was a big help and straightforward, easy to understand.
Alex 4 May 2010 20:54
I find this all really bizarre. I'm trying to renew an Edge certificate and I think I'm OK with it, but has anyone questioned this method of renewing a certificate?? I'm not attacking the author of the method. This is indeed the Microsoft recommended way, but why??!! It seems just stupid that this PowerShell method is so destructive. You aren't "renewing" the certificate at all; you are creating a new self-signed certificate and overwriting the old one. There is no easy way to back out in most cases (bar a restore of the server) if things go wrong. I've got no qualms about using the CLI, but why don't Microsoft recommend using their own Certificate Manager MMC module??? It has a renew option. Why is there no option for auto-renew on self-signed internal certs?? All seem to be questions nobody has answered as far as I can see.
John 3 May 2010 18:34
Question - I inherited a server, Windows 2008 SP2 with Exchange 2007 SP1 I believe. It has both a self signed cert as well as a third party SSL cert. This server's self signed cert will expire in a couple weeks, but the third party cert doesn't expire for another year. The self signed is for the internal name, the third party is specifically for their FQDN. But if I try to run the cmdlet for the new cert, it first offers to overwrite the third party one. I replied "no" hoping it would then ask about the default self signed cert, but it doesn't. Any way to get it to replace that one? Thanks for the helpful writeup!
Boonmi Thailand 18 Apr 2010 19:56
Thank You very much sir
IT work

Best regards,
kk1mutt@hotmail.com
GDefina 12 Apr 2010 08:36
For mike:

the command is for the Exchange Management Shell, not for windows prompt...
jag 1 Apr 2010 06:02
This is cool, but my IIS is using a third-party cert. My self-signed one only reads SMTP, POP, IMAP. So if I renew my self-signed one, will it leave my IIS one alone? So I should not have any problems... Correct?
Mike 30 Mar 2010 03:11
I'm getting this error when I run the getexchangecertificate | List cmd

The term 'Get-ExchangeCertificate' is not recognized as a cmdlet, function, operable program, or script file. Verify th
e term and try again.
At line:1 char:24
+ Get-ExchangeCertificate <<<< | List

Any Ideas???
Garrett Dumas 24 Mar 2010 22:20
This resolved my issue. I was going crazy trying to figure it out. Thanks!!
steve11554 24 Mar 2010 07:13
I have a separate certificate for the IIS service - can I enable the new certificate for just the SMTP service in the same command? Conversely, since you mention that it doesn't automatically write to the IIS service, if I don't enable the new thumbprint is the certificate used for IIS (ActiveSync use) still authoritative?
Hukam S yadav 23 Feb 2010 02:14
Wonderful, it works. Thanks
hubbardt 21 Jan 2010 12:53
We're getting this message about a certificate expiring on our Edge Transport server. If I renew the SMTP certificate on the Edge Transport do I need then somehow copy it to the Hub Transport server ?

Last time I tried renewing on the Edge Transport the edgesync process stopped and mail was getting bounced back

Running the Get-Exchangecertificate command on the Edgetransport server shows me currently 2 valid certificates for SMTP, one due to expire in 4 days.

Do I need to do anything else ?
Mougahed Ali 15 Jan 2010 12:12
Really very simple and clear. Thanks for your help.
AnilKool 7 Jan 2010 08:23
The coolest tip ever seen.. searched for this solution for 4 hours and here I got it, which took 5 mins and worked like a charm on my Win2008 with Exch 2007 SP1. Recommend all to use it..was almost deciding to buy a cert !!! Thx
Stephan ( Germany ) 17 Dec 2009 04:10
Thanks for the help. Thats a very good article.
regards
Stephan
Charles - Philadelphia 9 Dec 2009 06:36
Awesome !! Just the answers I needed. Thank you
Alexander Zammit 22 Oct 2009 10:04
The long term solution is to get a proper certificate as discussed here:
http://www.exchangeinbox.com/article.aspx?i=126
http://www.exchangeinbox.com/article.aspx?i=127
Christophe Z 22 Oct 2009 06:50
Nice and quick solution. However, this issue will popup every year. Is there a way to set the expiration date of the certificate to a later date, say 2 to 5 years instead of 1 year?
Rich Miller 20 Oct 2009 12:21
Great article. Very helpful, straight to the point and it worked perfectly. Thank you.
Ok.... I have all this working but... 18 Sep 2009 10:35
Thanks for this post it does help! My last problem is that now when I go to the website mail.mydomain.com I get a certificate error. I have tried I am using windows 2008 server and created the certificate. I can click ok to continue to the site, but would prefer my users did not get the error? Suggestions on how to fix this? Please send to brent@xanatek.com
Problem... 18 Sep 2009 07:55
I don't have the Get-ExchangeCertificate command on my server.. Searched and get the error it is not recognized. Any ideas???
Dani 17 Sep 2009 21:56
Thanks, Good clean and short !
µ 11 Sep 2009 08:50
To the person whose OWA no longer works. Running the following command: "Enable-ExchangeCertificate -Thumbprint F7A8F1B443A0E7266C72CDE0603302C07B856076 -Service IIS" also sets the Exchange website to require 128-bit SSL encryption, so if you were previously accessing your webmail over port 80 (owa.domainname.com), it will no longer work. I recommend SSL, but in my opinion, you need a separate website running on the same IP for port 80 that redirects to the OWA folder of your SSL site so your users don't have to enter https and the /owa/ each time. I wouldn't modify the default Exchange website since some of the virtual directories require SSL and some don't. Renewing your certificate as referenced in a previous comment is a better idea than creating a new one since renewing it does not change any custom SSL settings you may have set on the Exchange website. µ @ http://mikefrobbins.com
Md Ehteshamuddin Khan 4 Sep 2009 04:27
Thank you so much.

this process is very helpful.
MJ 4 Sep 2009 01:34
Thanx so much, it worked perfectly.
Cédric Daviaud 5 Aug 2009 07:34
Perfect tutorial !

Easy to understand and easy to complete.

Great work, Thank you
Mitilage 4 Aug 2009 01:43
I run into Certificate issues in Exchange 2007, googled, found your post, followed the instructions and it works fine. Well done.
Wes 23 Jul 2009 15:04
Perfect. Walked through your instructions one by one and it worked perfectly. Thanks! My users were starting to get really annoyed.... and I of them also! ha
KM Shum 18 Jul 2009 23:27
Great!! Easy to Follow. Thank you so much!
Kevin A 15 Jul 2009 00:04
Thanks Its works!!

Also my STARTTLS is in problem. How can I create a new certificate? Please explain like the last one

Thanks!
Tones 9 Jul 2009 12:35
This worked.
Alex H 2 Jul 2009 23:52
Thanks so much!! My cert already expired and I was afraid it will be complicated but with your explanations is easier than installing GTA3 :))
Dennis Achten 25 Jun 2009 06:24
I was afraid I had to buy certificates and lots of other difficult stuff, but this direct-to-the-point and clear explanation made my day. THANKS!!!!!!
Robert 11 Jun 2009 10:22
WHAT A LIFE SAVER! Straightforward in plain English - Thank you SO MUCH Alexander!!
RODNEY B. 26 May 2009 10:25
THE BEST ARTICLE ON THIS EASY FIX SO FAR... THANKS DUDE.
Wessel 26 May 2009 00:57
Thank you soooo much :) great text
jbason 6 May 2009 03:01
Excellent article, a great help.
Stuck and need help 5 May 2009 21:56
Ok I enabled the Cert and now my OWA is not working how do I disable it?
New Exchange 2007 Administrator. . . 1 May 2009 14:47
...thank you for taking the time to prepare and publish this information. Extremely helpful!!!!
Thom 27 Apr 2009 07:54
We are using the /owa rather than setting the URL to go directly to the OWA... using selfssl.exe to set the CN is still generating the certificate error and turning the address line pink. Is there a way around this? If I use the /N:CN=exchange.domain.com/owa then my in-house MS Outlook users get certificate errors. Thought I would ask... thank you for the article, it was VERY helpful.
DJ Italian 22 Feb 2009 15:02
Thanks heaps! Was unable to find this information easily on MS KBs. What happens when you have more than one Exchange 2007 server? Like a Front End and Back End?
Romeo 22 Jan 2009 02:29
Thank you for your reply. I will definitely read what you sent. For now my setup is 1 Exchange Server 2003 and 2 HP servers with Exchange 2007 each. One of them has the Mailbox role and the other has the CAS and Hub Transport roles. Also I'd like to know on which servers to run these commands that you mentioned, or are some of them to be run on the Mailbox role server and some others on the CAS/Hub role server?? Thanks in advance.
Alexander Zammit 22 Jan 2009 00:51
The services to assign to the Certificate depends on the roles you are running.

In my case I am looking at the most common scenario where certificates are used to secure connections with Client Access and Transport Roles.

A very good description of Certificate usage is available here:
http://technet.microsoft.com/en-us/library/bb851505.aspx

Use this search string to jump directly to the part that discusses this point:
"The following Exchange 2007 components use certificates to encrypt or authenticate sessions"

Unified Messaging is the only role not installed on my test server here.
Romeo 21 Jan 2009 21:50
Hello Alexander Zammit, thanks for this article. I just need to know if SMTP, POP, IIS and IMAP are all the services I need to enable the new certificate for. If there are more, please let me know. My email is rami.mansouri@ffcqatar.com. Thanks a lot.
E-Dub 12 Jan 2009 12:07
Thanks for the instructions. Life saver!!
This is how Microsoft recommends to renew 4 Nov 2008 09:05
Certificate Expiration

The self-signed certificate expires one year after installation of the Client Access server role. You can use the Exchange Management Shell to renew the self-signed certificate by cloning the certificate. You can clone the certificate by first using the Get-ExchangeCertificate cmdlet to obtain the thumbprint of the current default certificate for your domain.

Get-ExchangeCertificate -DomainName CAS01.contoso.com

Then to clone the certificate, run the following cmdlet.

Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate

The new cloned certificate will then be stamped with a new expiration date one year after the date you run the cmdlet.
JaKo 20 Aug 2008 22:49
Use SELFSSL from the IIS 6 tools and generate a certificate that includes public and private server names. Set the certificate expiry till...end of the server's life :)

SELFSSL.EXE /N:CN=server1.mydomain.local,CN=mail.mydomain.com
The last CN you enter will show first in your certificate's SUBJECT:

CN = mail.mydomain.com
CN = www.mydomain.com
CN = server1.mydomain.local
CN = server1
Ban2 29 Jul 2008 01:45
This solved my SSL issue perfectly.
Very Thanks.
Certificate Expired Issue... 19 Jun 2008 08:32
I followed your steps and that resolved my problem internally, however now my OWA using IIS is not working...do you know how I can export this certificate into IIS?