How to Renew an Exchange 2007 Self-Signed Certificate

By Alfred - Published: 2012-06-12

The problem: Exchange 2007 issues a self-signed certificate that is fine for internal use but is only valid for one year, so it has to be renewed. Renewal itself is simple, but the renewed certificate is a new self-signed certificate, and a self-signed certificate is its own root: Outlook clients that do not yet trust it show a security alert when they connect to a mailbox on that server. The alert says: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority."

The solution: the Exchange administrator renews the Exchange self-signed certificate, exports its public part, and deploys that to the internal clients so they trust it (via Group Policy, for example, as in this note).

I. Renew the Exchange's Self-Signed Certificate

Run the following in the Exchange Management Shell on the Exchange 2007 server:

1. Check your logs and confirm the error/warning and the FQDN it mentions (e.g. mailsrvr.domain.com).

2. Check the certificate: Get-ExchangeCertificate -DomainName "mailsrvr.domain.com" | fl

3. Take note of the thumbprint and of the services the expiring certificate is enabled for (the Services field, e.g. IMAP, POP, IIS, SMTP).

4. Issue the new self-signed certificate by cloning the old one (same subject and certificate domains): Get-ExchangeCertificate -Thumbprint "OLD_SELF_SIGNED_CERTIFICATE_THUMBPRINT_HERE" | New-ExchangeCertificate

5. If the existing certificate is being used as the default SMTP certificate, you will get a prompt asking for overwrite confirmation. Type 'y' and press Enter. Note the new certificate's thumbprint that the cmdlet prints.

6. The new certificate is generated and enabled. Check it with: Get-ExchangeCertificate -Thumbprint "NEW_SELF_SIGNED_CERTIFICATE_THUMBPRINT_HERE" | fl

7. The old certificate was enabled for IIS/POP/IMAP/SMTP, but the cloned certificate is missing IIS. If the old one had IIS (Outlook Web Access, Outlook Anywhere, Autodiscover and EWS all go through IIS), add it with: Enable-ExchangeCertificate -Thumbprint "NEW_SELF_SIGNED_CERTIFICATE_THUMBPRINT_HERE" -Services IIS

8. Test the Exchange services (OWA, Outlook connectivity, POP/IMAP if used). Once the clients trust the new certificate (Sections II and III), remove the old self-signed certificate with: Remove-ExchangeCertificate -Thumbprint "OLD_SELF_SIGNED_CERTIFICATE_THUMBPRINT_HERE". Until then, leave it in place: removing it earlier only means clients that trusted the old certificate start getting the warning sooner.
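The eight steps above as one script, added here as an example (it is not part of the original post). It assumes the Exchange Management Shell on the Exchange 2007 server, the placeholder FQDN mailsrvr.domain.com from this note, and that exactly one enabled self-signed certificate currently matches that name; the checks before and after the clone are what you would want to see before touching the old certificate.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumption: mailsrvr.domain.com is the placeholder FQDN used throughout the note.
$fqdn = 'mailsrvr.domain.com'

# Steps 1-3: find the enabled self-signed certificate for the FQDN and record
# its thumbprint and services. Self-signed means Issuer equals Subject.
$old = Get-ExchangeCertificate -DomainName $fqdn |
       Where-Object { $_.Issuer -eq $_.Subject -and $_.Services.ToString() -ne 'None' }
if (@($old).Count -ne 1) {
    throw "Expected exactly one enabled self-signed certificate for $fqdn, found $(@($old).Count)"
}
$oldThumb    = $old.Thumbprint
$oldServices = $old.Services.ToString()      # e.g. "IMAP, POP, IIS, SMTP"
Write-Host "Old certificate $oldThumb expires $($old.NotAfter); services: $oldServices"

# Steps 4-5: clone it into a fresh self-signed certificate. Expect the
# "overwrite default SMTP certificate?" prompt if the old one is the SMTP default.
$new      = Get-ExchangeCertificate -Thumbprint $oldThumb | New-ExchangeCertificate
$newThumb = $new.Thumbprint

# Steps 6-7: IIS is not carried over by the clone; re-enable it only if the old
# certificate had it, then re-read the new certificate from the store.
if ($oldServices -match 'IIS' -and $new.Services.ToString() -notmatch 'IIS') {
    Enable-ExchangeCertificate -Thumbprint $newThumb -Services IIS
}
$new = Get-ExchangeCertificate -Thumbprint $newThumb

# Sanity checks: same subject, valid dates, and every old service now enabled.
if ($new.Subject -ne $old.Subject) { throw "Subject changed: $($new.Subject)" }
if ($new.NotAfter -le (Get-Date))  { throw "New certificate $newThumb is not valid" }
foreach ($svc in ($oldServices -split ',\s*')) {
    if ($new.Services.ToString() -notmatch $svc) { throw "Service $svc not enabled on $newThumb" }
}
$new | Format-List Thumbprint, Subject, CertificateDomains, Services, NotBefore, NotAfter

# Step 8: do NOT remove the old certificate yet. Clients still trust only the old one
# until the new public certificate has been deployed (Sections II and III).
Write-Host "After clients trust $newThumb run: Remove-ExchangeCertificate -Thumbprint $oldThumb"
```

The script deliberately stops short of Remove-ExchangeCertificate: it prints the command to run later, once the Group Policy deployment below has reached the clients.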

II. Exporting the New Certificate

Some admins simply import the certificate once into their own user account's "Trusted Root Certification Authorities" store, then open mmc, add the Certificates snap-in for "My user account", go to that store and export the certificate from there to a file. Other admins use the Export-ExchangeCertificate PowerShell cmdlet. Whichever way you choose, what the clients need is only the public certificate (a .cer file): Export-ExchangeCertificate writes a password-protected PFX that includes the private key, and that file must stay on the server. Whoever holds that key can impersonate the mail server to every client that trusts it.
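A scripted export of just the public certificate, added here as an example and not part of the original post. It reads the renewed certificate straight from the local computer's Personal store (where Exchange keeps it), writes a DER-encoded .cer, and then re-opens the file to prove that the thumbprint matches and that no private key went with it. The thumbprint placeholder and the output path C:\certs\mailsrvr-selfsigned.cer are assumptions.

```powershell
# Added example, not from the original post. Run on the Exchange server.
# Assumptions: NEW_... is the thumbprint noted in Section I; C:\certs exists.
$newThumb = 'NEW_SELF_SIGNED_CERTIFICATE_THUMBPRINT_HERE'
$outFile  = 'C:\certs\mailsrvr-selfsigned.cer'

# Exchange certificates live in the local computer's Personal ("My") store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $newThumb }
$store.Close()
if (-not $cert) { throw "No certificate with thumbprint $newThumb in LocalMachine\My" }

# X509ContentType::Cert exports the certificate only; the private key never
# leaves the server. (A Pfx export would carry the key and must not be distributed.)
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $bytes)

# Verify the file: same thumbprint as the store copy, and no private key inside.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
if ($check.Thumbprint -ne $newThumb) { throw "Exported file does not match $newThumb" }
if ($check.HasPrivateKey)            { throw "Exported file unexpectedly contains a private key" }
Write-Host "Wrote $outFile ($($bytes.Length) bytes): $($check.Subject), expires $($check.NotAfter)"
```

The resulting .cer is the file you point the Certificate Import Wizard at in Section III.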

III. Use Group Policy for Clients to Trust the new Certificate

You can use this procedure to deploy a certificate to multiple computers by using Active Directory Domain Services and a Group Policy object (GPO). A GPO can contain multiple configuration options, and is applied to all computers that are within the scope of the GPO.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure on the machine where you run the console; to edit a domain GPO you also need edit permission on that GPO (Domain Admins or Group Policy Creator Owners, typically).

To deploy a certificate by using Group Policy

1. Open Group Policy Management Console.

2. Find an existing GPO or create a new one to contain the certificate settings. Ensure that the GPO is linked to the domain, site, or organizational unit that contains the computers you want affected by the policy (the setting below is a Computer Configuration setting, so it follows the computer, not the user).

3. Right-click the GPO, and then select Edit. Group Policy Management Editor opens, and displays the current contents of the policy object.

4. In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers. (This store only governs trust in signed code; it does not by itself make a server certificate trusted for TLS, which is why step 7 is the one that actually fixes the Outlook warning.)

5. Click the Action menu, and then click Import.

6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

7. If the certificate is self-signed, as the Exchange one is, it cannot be traced back to anything in the Trusted Root Certification Authorities store, so you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate there. Keep in mind what this does: every computer in scope will from now on trust whatever the Exchange server's private key signs, so that key deserves the same protection you would give a CA key.

Useful Tips: 

a) Do not forget to link the new/edited Group Policy with the new certificate settings to the appropriate Active Directory OU or the domain itself.

b) Run "gpupdate /force" in a command prompt on a client (or wait for the next Group Policy refresh). Then open Internet Explorer's Tools/Internet Options/Content/Certificates, select the Trusted Root Certification Authorities tab and double-check that the certificate was deployed to that client; machine-store certificates are shown there alongside the user's own.
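A client-side check that goes a step beyond looking in the Internet Explorer dialog, added here as an example and not part of the original post. It confirms that the certificate landed in the machine's Trusted Root store, then opens a TLS connection to the server, captures the certificate actually presented, and builds a chain for it with the machine's default policy, which is the same trust decision Outlook makes. The server name, port 443 and thumbprint are the note's placeholders; it assumes PowerShell 2.0 or later on the client for the delegate conversion.

```powershell
# Added example, not from the original post. Run on a domain client after gpupdate.
# Assumptions: mailsrvr.domain.com answers HTTPS on 443 (OWA / Outlook Anywhere);
# NEW_... is the renewed certificate's thumbprint from Section I.
$server        = 'mailsrvr.domain.com'
$port          = 443
$expectedThumb = 'NEW_SELF_SIGNED_CERTIFICATE_THUMBPRINT_HERE'

# (a) Computer Configuration GPOs deliver the certificate to LocalMachine\Root.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadOnly')
$inRoot = $root.Certificates | Where-Object { $_.Thumbprint -eq $expectedThumb }
$root.Close()
if ($inRoot) { Write-Host "OK: $expectedThumb is in LocalMachine\Root" }
else         { Write-Warning "$expectedThumb is not in LocalMachine\Root; GPO not applied yet?" }

# (b) Fetch the certificate the server really presents. The validation callback
# accepts anything so the handshake completes and we can judge the certificate
# ourselves instead of failing inside AuthenticateAsClient.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($server, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($server)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close()
$tcp.Close()

if ($presented.Thumbprint -eq $expectedThumb) {
    Write-Host "OK: server presents the renewed certificate $expectedThumb"
} else {
    Write-Warning "Server presents $($presented.Thumbprint) ($($presented.Subject)), not the renewed one"
}

# (c) Validate it the way Outlook would: chain build against the machine's stores.
# Revocation is skipped because a self-signed certificate has no CRL to fetch.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($presented)) {
    Write-Host "OK: certificate chains to a trusted root; no 'not chosen to trust' warning expected"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

A passing chain build clears the "issued by a company you have not chosen to trust" alert specifically. Outlook also checks that the name it connects to appears in the certificate, so if users connect by a name that is not among the certificate's CertificateDomains they will still get a name-mismatch warning; that is a different problem from the one this note addresses.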