Re-Installing Self Sign Certificate in Exchange 2007

The default self-sign certificate that comes with the Exchange 2007 was deleted after installing a new certificate from Verisign. But as luck would have it, the name of our company got changed and for compliance purpose, we had to change the certificate so that the new company name is projected. It took almost two weeks for the new certificate to come. But in the meantime we had to use a certificate (a self-sign one at the least) as Exchange 2007 cannot run without a certificate we had already deleted the self sign cert that comes by default. The steps below will tell you the ways that I have taken to fix it.

After many trial and errors, the self-sign certificate is working now. I cannot guarantee that information given below will perfectly work for you. {Continue at your own risk}

  • Open Exchange Management Shell (EMS) and type the command as shown below to generate the Certificate Signing Request (CSR)
[PS] C:\Documents and Settings\Administrator>New-ExchangeCertificate -GenerateRequest -Path c:\Cert\ExIntCert1.csr -SubjectName "c=<CC>, l=<location>, s=<State> o=<Organization>, ou=<Organizational Unit>, cn=<webmail.xyz.com>" -DomainName webmail.xyz.com, autodiscover.xyz.com, -KeySize 2048 -PrivateKeyExportable $true
A thumbprint (something like) 6B8F25E721DDFC2C552934BE2FB8F2207D0E5FA8 will be generated.

New-ExchangeCertificate is fed with the GenerateRequest parameter showing that here we are not truly creating a new Certificate but just a request. The resulting request will be saved to disk at the specified path base64 encoded. The SubjectName and DomainName are the parameters identifying the Certificate Subject and Subject Alternative Name extension respectively. Running the command will generate the request at the specified path.
  • The request has to be handed to a Certification Authority like Verisign, Comodo, etc. for processing. In this scenario, I will make a server act as a Certification Authority (CA). Steps to configure the CA are as follows:
Get a server and install the "Certificate Authority" from the Add Remove Programs (Windows Components). Make sure that the server is a member server of that domain (or else, it acts funny by being very slow on accessing the site).

Submit the new request as shown in the image below. If the GUI version throws an error, then use the command line "CERTREQ.EXE" to submit the request. After this, we can use the the remaining steps through the GUI.




  • Once the request is uploaded, export the certificate as shown below:

  • Transfer the exported file to a location in the Exchange Server. In the Exchange Server, we need to import the new certificate. The step is given below.
[PS] C:\Documents and Settings\Administrator>Import-ExchangeCertificate -Path C:\Cert\ExIntCert1.p7b
Exchange will now install the new Certificate. In the Certificates list returned by Get-ExchangeCertificate, this will replace the entry that was created on running New-ExchangeCertificate to generate the request.

  • We then enable the new certificatye for the services and remove the old certificate. The steps are given below.
[PS] C:\Documents and Settings\Administrator>Enable-ExchangeCertificate -Thumbprint E6CFAE71BAC4405D1B4B4C47EB2DCE4668243D30 -Services IIS, POP, IMAP, SMTP

Confirm
Overwrite existing default SMTP certificate, '7B0BA23F33FDFCDB876CA47FC8EE3E0AFB109385' (expires 4/11/2012 1:38:23 PM), with certificate
'E6CFAE71BAC4405D1B4B4C47EB2DCE4668243D30' (expires 4/11/2012 2:29:13 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

  • Next using the cmdlet that follows, we assign the new Certificate all the services for this Exchange server:
Enable-ExchangeCertificate -Thumbprint 7B0BA23F33FDFCDB876CA47FC8EE3E0AFB109385 -services IIS, POP, IMAP, SMTP

[PS] C:\Documents and Settings\Administrator>Remove-ExchangeCertificate -Thumbprint 7B0BA23F33FDFCDB876CA47FC8EE3E0AFB109385

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint 7B0BA23F33FDFCDB876CA47FC8EE3E0AFB109385?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

Remove-ExchangeCertificate -Thumbprint C52A264821E83E92173D5E44DC3DDEE0F8CBEB2F
  • After all this has been set, deploy the certificate through Group Policy


Comments

Post a Comment

Popular posts from this blog

Wireless DPSK setup with Ruckus Zone Director

Image
Configure the AAA Server (Using local database howto is out of this scope) Log in to the zone director and configure the AAA Server from Configure > AAA Servers as shown in the figure below. Name: Give a name for the AAA Server for identification {jcua for this example} Type: Active Directory Global Catalog: {leave it un-check} IP Address: IP address of the domain controller Port: 389 {ldap port} Windows Domain Name: domain name {test.com for this example}   Configure the Hotspot Service Configure a Hotspot to authenticate the users before allowing the traffic from Configure > Hotspot Services as shown in the figure below. Name: Give a name for the hotspot service {JCU-Wireless-Provisioning for this example} Login Page: https://wireless.test.com/activate {or https://zonedirectorIP/activate} Start Page: I leave to redirect to the URL that the user intends to visit Authentication Server: The AAA server that we created {i.e., jcua} Accounting Server: none {out...
Read more

Access denied for user 'bacula'@'localhost' (using password: YES)

Image
While installing a test backup server (Bacula), I got the error "Access denied for user 'bacula'@'localhost' (using password: YES)" while connecting to the MySQL database. Root access was fine. Grant permission as well as the user password was correct and thus it took me quite some time to understand that though the user password was correct, it wasn't encrypted like the root when checked from Webmin.  Thus from mysql command, instead of - mysql> UPDATE mysql.user SET Password = 'baculauserpassword' WHERE user = 'bacula'; mysql> FLUSH PRIVILEGES; I change it too  mysql> UPDATE mysql.user SET Password = PASSWORD('baculauserpassword') WHERE user = 'bacula'; mysql> FLUSH PRIVILEGES; After getting the password encrypted, I can finally connect to the MySQL server and run the Bacula.
Read more

Operation could not be completed (error 0x00000709)

Image
We just had an upgrade of the printer infrastructure. New printers are installed, Canon Uniflow software are being upgraded as well as the existing drivers are being upgraded. Things went fine except for few users having issues like: Cannot set default printer Cannot print directly from Outlook client Thanks to the link  http://www.howtogeek.com/forum/topic/can-not-set-any-printer-as-default-printer  the issues were resolved following the steps there. The fix, which worked for me yesterday, is simple: Go to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ -If the Windows key doesn't exist, create a new key; Then check for the following entry (or create it if it is not there) Name: Device Type: Reg_SZ (String Value) Value: winspool,Ne00 Should you be unable to save it, just make sure the user has Full (or special) access to the Windows key (by right-clicking on the key) After that I ran the "gpupdate /force" as the drivers were pushed using gr...
Read more