How to renew Exchange 2007 certificate

Hello,
I am having a problem with a certificate that is expired. When I open an Outlook 2007 client that is connected to Exchange 2007 SP1, I get a message that the certificate is expired. I can choose yes to continue but I get the message every time the client restarts Outlook.
Can someone provide me with the steps to renew the certificate?
Best regards,
Mark

Refer to the article below to renew the self-signed cert in Exchange 2007...
Exchange Server 2007: Renewing the self-signed certificate
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

Similar Messages

  • Renew Exchange 2007 self signed SSL cert : Warning

    Hi,
    We are getting an issue with the new SSL certificate being created. 
    WARNING: This certificate will not be used for external TLS connections with an
    FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
    '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
    connectors match that FQDN: Send to Internet. 
    Here's the code below:
    [PS] C:\Windows\System32>get-exchangecertificate | list
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                         .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                         X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 1:46:15 PM
    NotBefore          : 7/23/2012 1:46:15 PM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 52F90CEC000000000005
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
                         [mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 11:44:05 AM
    NotBefore          : 7/23/2012 11:44:05 AM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 5289341C000000000003
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    [PS] C:\Windows\System32>get-exchangecertificate 1B6705DB9755A75E94F5B05081AEDED3A0065D4A | New-ExchangeCertificate
    WARNING: This certificate will not be used for external TLS connections
    with an FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate
    with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
    precedence. The following connectors match that FQDN: Default PPLOEX2K7.
    WARNING: This certificate will not be used for external TLS connections
    with an FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate
    with thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes
    precedence. The following connectors match that FQDN: Send to Internet.
    Confirm
    Overwrite existing default SMTP certificate,
    '99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB' (expires 7/23/2014 11:44:05
    AM), with certificate 'F835E526BC8D3805E7AA230A17C5971872D3759C'
    (expires 7/22/2015 10:17:51 AM)?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):y
    Thumbprint                                Services  
    Subject
    F835E526BC8D3805E7AA230A17C5971872D3759C  .....      C=ph, S=NCR, L=Pasig, O...
    [PS] C:\Windows\System32>get-exchangecertificate | list
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                         .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                         X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
                         om
    NotAfter           : 7/22/2015 10:17:51 AM
    NotBefore          : 7/22/2014 10:17:51 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 6B5A6E27C63C36A54FDD3E07FF982497
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : C=ph, S=NCR, L=Pasig, O=Mydomain, OU=IT, CN=mail1.mydomain.c
                         om
    Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], mail1.[mydomain.ph], autodiscover.mydomain
                         .com, autodiscover.[mydomain.ph], PPLOEX2K7.[mydomain.ph], PPLOE
                         X2K7, mail1, localhost, [mydomain.com], [mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 1:46:15 PM
    NotBefore          : 7/23/2012 1:46:15 PM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 52F90CEC000000000005
    Services           : IMAP, POP, IIS
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail1.[mydomain.com], autodiscover.[mydomain.ph], autodiscover.
                         [mydomain.com], pploex2k7.[mydomain.ph], mail1.[mydomain.ph]}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=mydomain-WIN-0RCZ5TKMHLV-CA, DC=mydomain, DC=ph
    NotAfter           : 7/23/2014 11:44:05 AM
    NotBefore          : 7/23/2012 11:44:05 AM
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 5289341C000000000003
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=mail1.[mydomain.com], OU=IT, O=Mydomain, L=Pasig, S=NCR, C=
                         ph
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    Services: [PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint F835E526BC8D3805E7AA230A17C5971872D3759C -Service IIS, SMTP, IMAP, POP
    WARNING: This certificate will not be used for external TLS connections with an
    FQDN of 'PPLOEX2K7.[mydomain.ph]' because the CA-signed certificate with
    thumbprint '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The
    following connectors match that FQDN: Default PPLOEX2K7.
    WARNING: This certificate will not be used for external TLS connections with an
    FQDN of 'mail1.[mydomain.com]' because the CA-signed certificate with thumbprint
    '1B6705DB9755A75E94F5B05081AEDED3A0065D4A' takes precedence. The following
    connectors match that FQDN: Send to Internet.
    [PS] C:\Windows\System32>

    Hi Jammizi,
    I collected some information from the command results as below:
    1. When you ran the Get-ExchangeCertificate | FL command, it returned 2 certificates.
    •Certificate01
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    IsSelfSigned       : False
    Services           : IMAP, POP, IIS
    •Certificate02
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    IsSelfSigned       : False
    Services           : IMAP, POP, SMTP
    2. When you ran Get-ExchangeCertificate 1B….4A (Certificate01) | New-ExchangeCertificate, you got a warning.
       Certificate02 (99…BB) was overwritten with Certificate03 (F8…9C).
    3. When you ran the Get-ExchangeCertificate | FL command, it returned 3 certificates.
    •Certificate03
    Thumbprint         : F835E526BC8D3805E7AA230A17C5971872D3759C
    IsSelfSigned       : True
    Services           : IMAP, POP, SMTP
    •Certificate01
    Thumbprint         : 1B6705DB9755A75E94F5B05081AEDED3A0065D4A
    IsSelfSigned       : False
    Services           : IMAP, POP, IIS
    •Certificate02
    Thumbprint         : 99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB
    IsSelfSigned       : False
    Services           : IMAP, POP, SMTP
    4. When you ran the Enable command for Certificate03, you got a warning.
    According to the information above, please notice that both Certificate01 and Certificate02 are not self-signed certificates. The New-ExchangeCertificate command in Exchange 2007 is used to create a new Exchange self-signed certificate. I suggest double-checking whether your org has self-signed certificates. If your org only needs 3rd-party certificates without a self-signed certificate, I suggest applying for a new certificate from the CA.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support
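
The check described in the reply above, as an added example that is not part of the original thread: decide the renewal path from `IsSelfSigned` before piping a certificate into `New-ExchangeCertificate`, so a CA-issued certificate is not replaced by a self-signed clone. `Get-RenewalPlan` is a hypothetical helper name, the sample objects are constructed from the values posted in the thread, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Get-RenewalPlan is a hypothetical helper, not an Exchange cmdlet.
# It only reads properties that Get-ExchangeCertificate returns in the thread:
# Thumbprint, IsSelfSigned, Services, NotAfter.
function Get-RenewalPlan {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Certificate,
        [datetime] $AsOf = (Get-Date),
        [int] $WarnDays = 30
    )
    foreach ($cert in $Certificate) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $AsOf).TotalDays)

        if ($daysLeft -gt $WarnDays) {
            $action = 'None yet'
        } elseif ($cert.IsSelfSigned) {
            # Cloning is only appropriate for a self-signed certificate.
            $action = 'Clone: Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate'
        } else {
            # Cloning a CA-issued certificate produces a self-signed one,
            # which is what triggered the precedence warnings in the thread.
            $action = 'Generate a request and submit it to the issuing CA; do not clone'
        }

        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            IsSelfSigned = $cert.IsSelfSigned
            Services     = "$($cert.Services)"
            DaysLeft     = $daysLeft
            Action       = $action
        } | Select-Object Thumbprint, IsSelfSigned, Services, DaysLeft, Action
    }
}

# Constructed sample data mirroring the three certificates listed in the thread.
$sample = @(
    New-Object PSObject -Property @{
        Thumbprint = '1B6705DB9755A75E94F5B05081AEDED3A0065D4A'; IsSelfSigned = $false
        Services = 'IMAP, POP, IIS'; NotAfter = [datetime]'2014-07-23T13:46:15'
    }
    New-Object PSObject -Property @{
        Thumbprint = '99A3CAC2E18E2FA4AB4C855A3FA07E3369AA4ABB'; IsSelfSigned = $false
        Services = 'IMAP, POP, SMTP'; NotAfter = [datetime]'2014-07-23T11:44:05'
    }
    New-Object PSObject -Property @{
        Thumbprint = 'F835E526BC8D3805E7AA230A17C5971872D3759C'; IsSelfSigned = $true
        Services = 'IMAP, POP, SMTP'; NotAfter = [datetime]'2015-07-22T10:17:51'
    }
)

# The evaluation date is constructed to match the day the poster ran the commands.
Get-RenewalPlan -Certificate $sample -AsOf ([datetime]'2014-07-22T10:30:00') |
    Format-Table -AutoSize

# On an Exchange server, from the Exchange Management Shell:
#   Get-RenewalPlan -Certificate (Get-ExchangeCertificate)
```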

  • Exchange 2007 Certificate Expired Error when using VPN

    We recently did a server migration to a new domain (split away from part of the company - Sept 2013). I set up the Exchange certs and everything worked fine, even when people used the VPN. Recently (it probably started a few months ago) it has started giving cert errors again, but just for VPN users.
    This happens when someone takes their computer or has Outlook 2010 set up on their home computer. They VPN in and when the program starts, it gives the certificate errors for Exchange and for autodiscover saying "The security certificate has expired or is not yet valid". I have checked to make sure that the certs are in fact up to date and are pointing to the correct certificates in IIS. They haven't changed since I originally set them up.
    One of the users sent me a picture of the certificate and it is the old cert (that is expired) that used to belong to the previous address when we used the other (completely different) Exchange server. The other users haven't sent me the errors they see, but I assume they are similar. They are able to use Exchange if they hit OK on the error box. I couldn't find anywhere online saying that there was any kind of local caching for certs - it should always call home when connecting. So why are their systems pulling up the old cert when they VPN in, but not when they are hardwired to the internal network on the same computer?
    When using the internal network without the VPN, there aren't any error messages.
    Any ideas? I've looked around the forums, but I didn't see anything that has helped. I'm using GoDaddy for my certs currently.

    Hi,
    Since the Outlook clients work well without VPN, I suggest rebuilding the VPN (if you don't mind) to verify whether it is a cache issue.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Exchange 2007 Webmail certificate Renewal

    Hi,
    Does anyone know more details about how to renew the webmail certificate in Exchange 2007? The webmail certificate is going to expire soon ... EventID 12018

    You can use the PowerShell cmdlet Import-ExchangeCertificate to renew the certificate.
    To enable the certificate, execute Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP -Thumbprint <cert-thumbprint-here>
    For more info, visit
    https://www.digicert.com/ssl-certificate-renewal-exchange-2007.htm

  • Legacy Namespace for Exchange 2007 to 2013 co-existence

    We are migrating from Exchange 2007 to 2013. During the co-existence phase, where is the legacy.{domain.com} namespace used? We are at the point now that we want to move all services over to the Exchange 2013 CAS servers; however, GPO settings are used to point Outlook clients to mail.{domain.com} for Outlook Anywhere. If DNS is updated to point mail.{domain.com} to the Exchange 2013 servers, will there be an issue with connectivity for people still on the Exchange 2007 servers? Do these people need to point to legacy.{domain.com} or will mail.{domain.com} proxy the connection to the legacy namespace? I would like to know if the GPO settings will interfere with the settings that Autodiscover provides back.
    I have read a bunch of articles on the approach, but I am still fuzzy on where legacy.{domain.com} comes into play.
    Thanks in advance for your help.

    In coexistence between Exchange 2013 and a legacy version, requests are handled in 2 ways.
    For Exchange 2010 –
    Exchange 2013 proxies OWA and EWS requests for users in Exchange 2010.
    For Exchange 2007 –
    Exchange 2013 redirects OWA and EWS requests for users in Exchange 2007.
    Certificates:
    All the required SAN entries for UM, web services and ActiveSync should be created.
    Add the external OWA legacy URL to the public certificate and install it on both Exchange 2007 and Exchange 2013; only then will OWA redirection work.
    You need to include the internal legacy.domain.com name on the Exchange 2007 certificate for OWA coexistence.
    The following changes need to be made on the firewall:
    External OWA URL should be directed to the Exchange 2013 Internet-facing CAS.
    External EWS URL should be directed to the Exchange 2013 Internet-facing CAS.
    External Autodiscover URL should be directed to the Exchange 2013 CAS.
    External ActivesyncVirtualDirectory should be directed to the Exchange 2013 CAS.
    External UMvirtualDirectory should be directed to the Exchange 2013 CAS.
    Create a new NAT rule on the firewall for legacy.domain.com to the Exchange 2007 CAS. You can do this as well. By doing this, users will be able to log on directly using the URL https://legacy.domain.com/owa with a mailbox on Exchange 2007.
    External and internal DNS settings:
    Public DNS - Map all of your external public DNS records (EWS, OWA, ActiveSync etc.) to your Exchange 2013 public IP if you have a dedicated one for 2013, or to the FQDN of your Internet-facing CAS server.
    Example:
    Current external OWA URL (contoso.domain.com) – point it to the dedicated Exchange 2013 public IP or the Internet-facing Exchange 2013 CAS FQDN.
    Current external Autodiscover – point it to the dedicated Exchange 2013 public IP or the Internet-facing Exchange 2013 CAS FQDN.
    Internal DNS – Configure Exchange 2007 to point the SCP AutoDiscoverURI to the Exchange 2013 Client Access FQDN by changing the DNS entry for autodiscover.domain.com to the Exchange 2013 CAS server IP address.
    The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server.
    Make sure that legacy.contoso.com resolves to CAS2007 in internal and external DNS.
    Authentication settings:
    This part is a little bit tricky. You need to plan according to your organization. If you have FBA configured in TMG or ISA server then you need to configure accordingly.
    Set the OWA virtual directory authentication to Basic only in Exchange 2007.
    In Exchange 2013 set the OWA virtual directory to only (Windows Authentication) or only (form-based authentication) or only (Basic, No redirection, SSL Enabled), depending on your setup.
    Things to check:
    If you have redirection configured in IIS on the Exchange 2007 server, make sure that the above virtual directories don’t have it configured.
    If you have FBA enabled on ISA or TMG then disable FBA on the Exchange 2013 CAS, else users will be prompted twice for authentication.
    For further reference you can refer to my article below:
    http://exchangequery.com/2014/09/24/owaews-configuration-in-exchange-20132007-coexistence/
    Thanks
    Sathish (MVP)

  • Exchange 2007 Renew Certificate via IIS Manager

    I am currently in the process of renewing the Exchange 2007 certs and have searched through forums in regards to this topic and can't seem to come across a proper answer. Is it possible to renew the Exchange 2007 cert using IIS Manager, or is PowerShell the only way of doing so? Under "IIS Manager > expanding server name > expand websites > default website properties > Directory Security > Server Certificate" you are presented with the option to renew the existing cert. This to me seems a lot easier than using the shell to request a whole new cert. I am not a fan of how PowerShell can be a bit destructive when requesting a new cert and overwriting the existing one, leaving you little way of backing out if something goes wrong. Can someone confirm if using IIS Manager is a viable way of renewing the Exchange 2007 cert? I prefer to keep the exact settings of the existing certificates.
    Thank you,
    Emmanuel
    Emmanuel Fumero Exchange Administrator

    Hi
    Yes, it's possible in Exchange 2010 through EMC. Not sure if this works in Exchange 2007 since I haven't tried renewing through the GUI in Exchange 2007 and currently do not have any customers running E2K7 to check this option. Probably you can give it a try in Exchange 2007 and see if these options are visible. Please check the following:
    When you right-click your Exchange Server, you can select New Exchange Certificate, which will launch the New Exchange Certificate Wizard.
    After defining a friendly name, you are ready to provide all needed information.
    After clicking Finish, you will have a certificate request that you can use to get a certificate from your own CA, or from an external CA. The Exchange Management Console will show the request as well.
    1. Start the Exchange Management Shell. Click Start > Programs > Microsoft Exchange Server 2007, and then click Exchange Management Console.
    2. Click the link to "Manage Databases", and then go to "Server configuration".
    3. Select your certificate from the menu in the center of the screen (the certificate will be listed by the Friendly Name you chose when creating the CSR), and then click the link in the Actions menu to "Complete Pending Request".
    4. Browse to the certificate file you just copied to your server, then click Open > Complete.
    URGENT!! You may receive the following error: "The source data is corrupted or not properly Base64 encoded." You can ignore this error.
    5. Press F5 to refresh the certificate list. Verify that it says "False" under "Self Signed" (if it's 3rd party or from a CA).
    6. To enable your certificate, return to the Exchange Management Console and click the link to "Assign Services to Certificate."
    Hope this helps
    Regards
    Sathish

  • Renew certificate on two Exchange 2007 CAS servers

    Hi, there:
    Our environment: Exchange 2007 SP3 with two HUB/CAS servers; let's assume the server names for these two CAS servers are CAS1 and CAS2.
    Please note these two CAS servers are NOT running with NLB.
    Now the certificates (not self-signed) on these two servers are about to expire and I am planning to install new certificates on them.
    The old certificate is issued by an internal CA server.
    My plan is as below:
    On CAS1:
    I am going to use "New-ExchangeCertificate" with -privatekeyexportable to generate the certificate request file, then submit the request file to the CA. After I get the .pfx file, I will run "Import-ExchangeCertificate" to import the new certificate; after the old certificate has expired, I will run "enable service" to let Exchange use the new certificate.
    On CAS2:
    Repeat the above procedure.
    I did a search on TechNet and found this:
    http://social.technet.microsoft.com/Forums/exchange/en-US/20adfb3d-2fa6-4ff9-b785-cb47a772ed58/3rd-part-certificate-renewal-for-exchange-2007-cas?forum=exchangesvrgenerallegacy
    The procedure mentioned in this thread is different: it exports the newly created certificate from CAS1 and imports it into CAS2.
    However, the CAS servers mentioned in that thread run with NLB.
    The two CAS servers in our environment are NOT in NLB.
    Any suggestions?

    Both plans will work. You can generate a cert for each individual CAS with the correct subject names on each cert relative to the CAS that you will enable it on, or create one cert with the correct subject names that cover both CAS and export and import the cert from one CAS to the other. Up to you.

  • How to export an exchange 2007 owa certificate from production to lab environment

    I'm setting up an Exchange 2007 lab but I'm having trouble with the Exchange certificate.
    Note: My lab environment is not connected to the Internet.
    I've followed the link below but it doesn't work:
    https://www.digicert.com/ssl-support/pfx-import-export-exchange-2007.htm
    Once I finished all the steps, if I run the PowerShell command Get-ExchangeCertificate, I see that my Exchange certificate has the status Unknown.
    I'm not sure if the problem is related to the server not being connected to the Internet, so Exchange is not able to check the status of the certificate.
    I've tried to turn off the Check for publisher’s certificate revocation option on the server.
    To do this, follow these steps.
    Start Internet Explorer.
    On the Tools menu, click Internet Options.
    Click the Advanced tab, and then locate the Security section.
    Click to clear the Check for publisher’s certificate revocation check box, and then click OK.
    After the update rollup installation is complete, turn on the Check for publisher’s certificate revocation option.
    But it's still not working.
    Could anyone help me?
    Thanks in advance

    Hi Pardo,
    According to your description, I understand that the Exchange certificate does not work and displays an Unknown status after you import it.
    If I misunderstand your concern, please do not hesitate to let me know.
    Depending on the results of “Get-ExchangeCertificate | FL”, please pay attention to following points:
    1. RootCAType: Registry
    “An internal, private PKI root CA that has been manually installed in the certificate store.”
    2. Status: Unknown
    “This status generally indicates that the status of the certificate cannot be verified because the certificate revocation list (CRL) is unavailable or this server cannot connect to it.”
    The reason why it failed is that the internal Exchange server cannot connect to the CRL. As you mentioned, Exchange isn’t able to check the status of the certificate.
    For more information about certificate use in Exchange Server 2007, please refer to the "Certificate Fields" and "Configuring Access to the Certificate Revocation List" sections in the link below:
    http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
    However, we can renew a certificate from a local CA:
    http://technet.microsoft.com/en-us/library/bb310781(v=exchg.80).aspx
    Best Regards,
    Allen Wang

  • Revoked Certificate on Outlook 2010/Exchange 2007/SBS 2008

    Hi All, 
    I have an issue that has been frustrating me for quite some time now. 
    Our setup is SBS 2008 with Exchange 2007. 2 Weeks ago we had to renew our certificate for remote.xxxxxxx.com. This was done through the SBS consoles > Network > Fix my Network and followed the wizard. and this worked fine. 
    I have however got one user who has a problem and he informs me that this is been an issue since before the cert was renewed. 
    He is a remote laptop user who visits the office maybe 5 times a month. When launching Outlook 2010 on his machine (Win 7 x64) it comes up with the error: Security Alert, Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the Site's security certificate. (Red X) The security certificate for this site has been revoked. This site should not be trusted. Then OK and View Certificate buttons.
    I have tried to use the View Certificate to install the certificate to the correct store but no luck. Also tried exporting the cert from the server and installing manually into Trusted Root CA, via MMC Certificates Snap-In and no luck.
    I'd like to mention that if I log into a different user, on the same domain, on the same laptop, the issue is gone. So it's local to his profile on the laptop.
    Plus, he cannot access the OWA on his laptop either, but again a different user - same laptop can. I have verified that the OWA is still working from another machine in the business, that is using the same certificate. I cannot understand why the subject machine thinks the certificate has been revoked when I don't believe it has.
    Can anybody please shed some light on this situation for me - any avenues to explore would be hugely appreciated. 
    Many thanks
    Nicky

    I hope this helps
    http://www.msexchange.org/articles-tutorials/exchange-server-2007/management-administration/managing-exchange-certificates-part2.html
    Cheers,
    Gulab Prasad
    Technology Consultant

  • Certificate errors on Exchange 2007

    We have an Exchange 2007 server that is recording certificate errors in the event log (server & domain names changed for post):
    Microsoft Exchange could not find a certificate that contains the domain name contoso.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector DNS with a FQDN parameter of contoso.com.
    Microsoft Exchange could not find a certificate that contains the domain name server.contoso.com in the personal store on the local computer.
    I have checked the configuration of the send and receive connectors:
    Get-SendConnector | FL name, fqdn, objectClass
    Name : DNS
    Fqdn : contoso.com
    ObjectClass : {top, msExchConnector, mailGateway, msExchRoutingSMTPConnector}
    Name : Host IT SMTP
    Fqdn : contoso.com
    ObjectClass : {top, msExchConnector, mailGateway, msExchRoutingSMTPConnector}
    Get-ReceiveConnector | FL name, fqdn, objectClass
    Name : Default servername
    Fqdn : servername.contoso.com
    ObjectClass : {top, msExchSmtpReceiveConnector}
    Name : Client servername
    Fqdn : servername.contoso.com
    ObjectClass : {top, msExchSmtpReceiveConnector}
    There is an installed certificate:
    {mail2.contoso.com, www.mail2.contoso.com, autodiscover.contoso.com, legacy.contoso.com} - IMAP, POP, IIS, SMTP valid until 09/01/2016
    There was an expired certificate:
    {servername, servername.contoso.com} - SMTP valid until 08/12/2010
    The fact that the mail is still working despite the expired certificate makes me wonder if I could just change the receive connectors to use mail2.contoso.com instead of servername.contoso.com.
    In the same vein, could I change the send connector to mail2.contoso.com from contoso.com?

    Hi,
    Don’t modify the FQDN value on the default Receive connector Default <Server Name> that's automatically created on Mailbox servers. If you have multiple Mailbox servers in your Exchange organization and you change the FQDN value on the Default
    <Server Name> Receive connector, internal mail flow between Mailbox servers fails. For more information about it, please refer to fqdn parameter in the following article:
    http://technet.microsoft.com/en-us/library/bb125140(v=exchg.80).aspx  
    I suggest we can renew the expired certificate with names: contoso.com, servername.contoso.com instead of changing the FQDN of receive connector and send connector:
    http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx  
    Thanks,
    Winnie Liang
    TechNet Community Support
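
The event-log errors in this thread come from connector FQDNs that no usable certificate lists. The following is an added example, not from the thread participants, that compares each connector's `Fqdn` against the `CertificateDomains` of certificates that are unexpired and enabled for SMTP. `Get-ConnectorCertCoverage` is a hypothetical helper name; the sample objects are constructed from the values in the question (thumbprints are placeholders, dates are one reading of the page's ambiguous format), matching is exact-name only, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Get-ConnectorCertCoverage is a hypothetical helper, not an Exchange cmdlet.
function Get-ConnectorCertCoverage {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Connector,
        [Parameter(Mandatory = $true)] [object[]] $Certificate,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($conn in $Connector) {
        $fqdn = "$($conn.Fqdn)"

        # Certificates that list the connector FQDN at all (exact, case-insensitive match).
        $listed = @($Certificate | Where-Object {
            @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn
        })

        # Of those, the ones that are unexpired and enabled for SMTP.
        $usable = @($listed | Where-Object {
            $_.NotAfter -gt $AsOf -and "$($_.Services)" -match 'SMTP'
        })

        if ($usable.Count -gt 0)     { $state = 'Covered' }
        elseif ($listed.Count -gt 0) { $state = 'Listed only on an expired or non-SMTP certificate' }
        else                         { $state = 'No certificate lists this FQDN' }

        New-Object PSObject -Property @{
            Connector  = $conn.Name
            Fqdn       = $fqdn
            State      = $state
            Thumbprint = ($usable | ForEach-Object { $_.Thumbprint }) -join ','
        } | Select-Object Connector, Fqdn, State, Thumbprint
    }
}

# Constructed sample data based on the connector and certificate details in the question.
$connectors = @(
    New-Object PSObject -Property @{ Name = 'DNS';                Fqdn = 'contoso.com' }
    New-Object PSObject -Property @{ Name = 'Host IT SMTP';       Fqdn = 'contoso.com' }
    New-Object PSObject -Property @{ Name = 'Default servername'; Fqdn = 'servername.contoso.com' }
    New-Object PSObject -Property @{ Name = 'Client servername';  Fqdn = 'servername.contoso.com' }
)
$certificates = @(
    New-Object PSObject -Property @{
        Thumbprint = 'PLACEHOLDER-INSTALLED-CERT'   # placeholder, not a real thumbprint
        CertificateDomains = @('mail2.contoso.com', 'www.mail2.contoso.com',
                               'autodiscover.contoso.com', 'legacy.contoso.com')
        Services = 'IMAP, POP, IIS, SMTP'; NotAfter = [datetime]'2016-01-09'
    }
    New-Object PSObject -Property @{
        Thumbprint = 'PLACEHOLDER-EXPIRED-CERT'     # placeholder, not a real thumbprint
        CertificateDomains = @('servername', 'servername.contoso.com')
        Services = 'SMTP'; NotAfter = [datetime]'2010-12-08'
    }
)

# The evaluation date is constructed.
Get-ConnectorCertCoverage -Connector $connectors -Certificate $certificates `
    -AsOf ([datetime]'2015-06-01') | Format-Table -AutoSize

# On an Exchange server, from the Exchange Management Shell:
#   Get-ConnectorCertCoverage -Connector (@(Get-SendConnector) + @(Get-ReceiveConnector)) `
#       -Certificate (Get-ExchangeCertificate)
```

With the sample data, every connector is reported as uncovered: `contoso.com` appears on no certificate, and `servername.contoso.com` appears only on the expired one.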

  • Exchange 2010: How to renew an SSL certificate?

    Hi all.  I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010.  I really don't want to mess this one up by cobbling together partial answers
    from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out. 
    This is a standard GoDaddy 5-domain UCC certificate.  There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet).  The existing certificate expires in a month or so. 
    I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions just that so far no single forum post nor MS TechNet article
    has addressed all my concerns, or in some cases information conflicts.  So my concerns for example are:  can you do a renewal for a certificate before the old one expires?  It is actually a renewal, or are you adding a 2nd certificate? 
    Do you have to do anything in IIS or does EMC or EMS do all that for you? 
    Thank you. 

    -->Can you do a renewal for a certificate before the old one expires? 
    Yes. Normally 3rd party CA allows you to renew certificate before the current one expires.
    -->It is actually a renewal, or are you adding a 2nd certificate? 
    You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
    -->Do you have to do anything in IIS or does EMC or EMS do all that for you? 
    You will have to do it from MMC or EMS. No need to do anything from IIS.
    Follow the steps below to make your work easy or follow the video in this site site.http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
    1. Run this command from EMS to generate CSR. You can see the CSR named "newcsr.txt" in C:\CSR
    folder
    Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellavue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
    2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
    3. Open Exchange MMC. Go to Server configuration. Right click on the pending request.  Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
    4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
    5. Delete the old certificate from MMC.
    From EMS use this command:
    Remove-ExchangeCertificate -Thumbprint <old cert thumbprint>
    You can see the certificate thumbprints using the Get-ExchangeCertificate command.
    MAS. Please don't forget to mark as answer if it helped.
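
    A check to run before step 5 above, as an added example that is not part of the original reply: it compares the old and the new certificate before Remove-ExchangeCertificate is used. The function name, the sample objects and the placeholder thumbprints are assumptions, and names are compared exactly, which fits a UCC/SAN certificate rather than a wildcard.

```powershell
# Added example. Sample objects are constructed; on a server they would be
# two entries from Get-ExchangeCertificate. Thumbprints are placeholders.
function Test-CertificateReplacement {
    param($Old, $New, [datetime]$Now = (Get-Date))
    $problems = @()

    if (-not $New.HasPrivateKey) {
        $problems += 'new certificate has no private key on this server'
    }
    if ($New.NotBefore -gt $Now -or $New.NotAfter -le $Now) {
        $problems += 'new certificate is not within its validity period'
    }
    if ($New.NotAfter -le $Old.NotAfter) {
        $problems += 'new certificate expires no later than the old one'
    }

    # Names clients reached under the old certificate must all still be covered.
    $newNames = @($New.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $missing  = @($Old.CertificateDomains | ForEach-Object { "$_".ToLower() } |
                  Where-Object { $newNames -notcontains $_ })
    if ($missing.Count -gt 0) { $problems += "names not on new certificate: $($missing -join ', ')" }

    # Services prints as "IMAP, POP, IIS, SMTP"; compare the individual flags.
    $newSvc = @("$($New.Services)" -split ',\s*')
    $unassigned = @("$($Old.Services)" -split ',\s*' |
                    Where-Object { $_ -and $_ -ne 'None' -and $newSvc -notcontains $_ })
    if ($unassigned.Count -gt 0) { $problems += "services still only on old certificate: $($unassigned -join ', ')" }

    New-Object PSObject -Property @{
        SafeToRemoveOld = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

$old = New-Object PSObject -Property @{
    Thumbprint = '<old cert thumbprint>'; HasPrivateKey = $true
    NotBefore = [datetime]'2012-07-01'; NotAfter = [datetime]'2014-07-01'
    CertificateDomains = @('commonname.domain.com', 'autodiscover.domain.com')
    Services = 'IMAP, POP, IIS, SMTP'
}
$new = New-Object PSObject -Property @{
    Thumbprint = '<new cert thumbprint>'; HasPrivateKey = $true
    NotBefore = [datetime]'2014-06-01'; NotAfter = [datetime]'2016-07-01'
    CertificateDomains = @('commonname.domain.com', 'autodiscover.domain.com')
    Services = 'IMAP, POP, IIS'      # SMTP not yet moved to the new certificate
}
$check = Test-CertificateReplacement -Old $old -New $new -Now ([datetime]'2014-06-15')
$check.Problems
if ($check.SafeToRemoveOld) { "OK to run Remove-ExchangeCertificate -Thumbprint $($old.Thumbprint)" }
```

    With the constructed values the check reports that SMTP is still bound only to the old certificate, so the removal line is not printed.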

  • DPM 2012 - Protect Exchange 2007 in untrusted domain (either via Creds or Certificates)

    Hi,
    I am trying to protect an Exchange 2007 Server which is in an untrusted domain.
    I have tried using both credentials (isNonDomainServer) and via Certificates and have no joy.  Both methods work in terms of getting the agent installed and communicating with DPM.  The agent shows OK in the console and I can browse
    fine when creating a new PG.
    The problem I have is that "All Exchange Storage Groups" is not available as a selection to backup, obviously neither are any of the information stores.
    First question, is backup of Exchange supported in an untrusted domain?  This says it is:  http://technet.microsoft.com/en-us/library/hh757801.aspx  but I read conflicting advice elsewhere.
    Second question, this is the biggie - any ideas on how to get Exchange visible as a selection?
    So far I have:
    Confirmed that LCR is not configured (I am not sure if it *was* at some point though, because there is a disk on the server labeled LCR)
    Checked in the DPM agent directory locally and I can see that ExchangeCmdletsWrapperCurr.errlog is created and/or updated when I expand the server name on the DPM server and the server and information stores are listed in the file.  This tells me communication
    is fine, and that the DPM agent on the exchange server can "see" exchange
    Checked the Exchange VSS writer and it is listed and in a healthy state
    Thanks!

    Upgraded to System Centre 2012 R2 and no difference.  I am assuming that it's a compatibility\support issue, i.e. it's not supported.  The documentation says otherwise, but it's confusing to say the least.
    d

  • Problem: Mixed Exchange 2007 / 2013 CAS Servers with wildcard certificates in Europe and non-wildcard Certificate in China

    Hi,
    we have following problem. We have a mixed multi-domain one-forest AD environment. We also have still a mixed exchange 2007 / 2013 environment. We also have different CAS Servers for 2007 SP3 (RU15) and 2013 (CU8) in europe and one 2007 SP3 (RU15) CAS Server
    in China, because of bad connection to Europe. For the Migration to 2013 in Europe we installed a wildcard-certificate *.xyz.com and used the Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com, so the wildcard certificate is accepted. Everything in
    Europe works fine, inside and outside also between exchange 2007 and 2013 (both CAS Server 2013 and 2007 use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS Server in China, because this
    server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead of xyz.com). Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As
    I see it, this is because of the EXPR change. Is it possible to set the Outlook-Provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook-Provider can only be stored forest-wide.
    If not, the other solution would be to register the Chinese CAS server in our xyz.com domain and use the same wildcard certificate on this system, right?
    Any help would be appreciated.

    Yes setting the EXPR value is most likely the cause of your issue.  When you set this value you are telling Outlook to only accept connections from connections that have the cert with the subject name you specify here.
    Unfortunately, based on my experience I believe this is an organization wide setting and cannot be configured on a CAS by CAS basis (If I'm wrong someone please keep me honest :)).  
    So the only option would you have is to change all the URLs to be on *.xyz.com domain.  There's no need to change the domain the server actually resides on.  The other option would be to purchase a UCC Cert with all the names you need and apply
    to all your CAS servers and reset the EXPR value. 
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

  • "Name on the Security Certificate is Invalid or Does not Match..." using Outlook 2007 w/ Exchange 2007

    Good afternoon!
    We just completed our Exchange 2007 implementation (migration from Exchange 2003... a fun romp of 24 straight hours for the final push) and noticed an error that only occurs on Outlook 2007 clients connecting to the Exchange 2007 server: "Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate".
    Now, I've done my reading into this and have determined that due to how Outlook 2007 clients managed their OAB, it is essentially through a web virtual directory now, no longer through Public Folders and this is essentially the base of our issue. See, our mail server has an internal FQDN of mail.ourdomain-domain.com whereas it has an external FQDN (which is what the SSL Cert is tied to) of owa.ourdomain.com.
    So, essentially what I'm seeing is our internal Outlook 2007 clients (limited to I.S. employees only right now, thankfully) are seeing this SSL error because Outlook 2007 is trying to pick up the OAB using the internal FQDN instead of the external FQDN (which would work as well, due to some internal DNS trickery we have configured).
    My question is (finally), is there a way to circumvent this internally so we never see this SSL error prompt or a way to force Outlook 2007 to use the external FQDN? I have made sure all the settings in Exchange Management Console for OAB and the like have both the internal and external FQDN set to owa.ourdomain.com (the valid SSL name), but it does not appear to have made a difference. Granted, I have not rebooted... but I do not think that is necessary in this instance.
    Any suggestions would be appreciated. Thanks!!

    Hi All,
    1) I am using Windows SBS Server 2008 with Exchange 2007 installed on it, with all the certificates configured internally. We haven't purchased a certificate from any outside authority yet.
    2) Also, users were getting the error message "The name on the security certificate is invalid or does not match the name of the site" in Outlook. To resolve this issue I followed the steps mentioned at "http://support.microsoft.com/kb/940726" & "http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/697f79e2-ca8f-4a2e-bae5-55d3fa7f703f/?prof=required"; however, I was able to run only the first command as I was unable to find "EWS (Default Web Site)", "oab (Default Web Site)", "unifiedmessaging (Default Web Site)".
    3) After researching, I ran the following commands to get the status and location of WebServicesVirtualDirectory, OABVirtualDirectory & UMVirtualDirectory
    [PS] C:\Windows\System32>Get-WebServicesVirtualDirectory | fl
    Name                          : EWS (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://sites/EWS/Exchange.asmx
    ExternalUrl              :
    [PS] C:\Windows\System32>Get-OABVirtualDirectory | fl
    Name                          : OAB (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://sites/OAB
    ExternalUrl              :
    [PS] C:\Windows\System32>Get-UMVirtualDirectory | fl
    Name                          : UnifiedMessaging (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://sites/UnifiedMessaging/Service.asmx
    ExternalUrl               :
    4) Then after getting the correct locations of all the directory I run the following commands to change the internal url on existing Certs
    Set-ClientAccessServer -Identity PASVR01 -AutodiscoverServiceInternalUri https://pasvr01/owa/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "PASVR01\EWS (SBS Web Applications)" -InternalUrl https://pasvr01/owa/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "PASVR01\OAB (SBS Web Applications)" -InternalUrl https://pasvr01/owa/oab
    Set-UMVirtualDirectory -Identity "PASVR01\UnifiedMessaging (SBS Web Applications)" -InternalUrl https://pasvr01/owa/unifiedmessaging/service.asmx
    5) However, this didn't resolve our issue, so I ran the following commands to change the external URL on existing certs
    Set-WebServicesVirtualDirectory -Identity "PASVR01\EWS (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "PASVR01\OAB (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/oab
    Set-UMVirtualDirectory -Identity "PASVR01\UnifiedMessaging (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/unifiedmessaging/service.asmx
    6) I also tried running New-ExchangeCertificate -PrivateKeyExportable $True -Services "IMAP, POP, IIS, SMTP" -SubjectName "cn=PASVR01" as I have deleted one of the certificates on this server in the past.
    7) Following was the status of internal and external URL.
    [PS] C:\Windows\System32>Get-WebServicesVirtualDirectory | fl
    Name                          : EWS (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://pasvr01/owa/ews/exchange.asmx
    ExternalUrl              : https://exchange. exchange.domain.com /owa/ews/exchange.asmx
    [PS] C:\Windows\System32>Get-OABVirtualDirectory | fl
    Name                          : OAB (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://pasvr01/owa/oab
    ExternalUrl              : https://exchange. exchange.domain.com/owa/oab
    [PS] C:\Windows\System32>Get-UMVirtualDirectory | fl
    Name                          : UnifiedMessaging (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl                   : https://pasvr01/owa/unifiedmessaging/service.asmx
    ExternalUrl                   : https://exchange. exchange.domain.com/owa/unifiedmessaging/service.asmx
    10) Still we are facing this issue of "The name on the security certificate is invalid or does not match the name of the site" in outlook.
    PLEASE HELP ME TO RESOLVE THIS ISSUE.
    Thanks in Advance,
    Asif
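
    The "name on the security certificate ... does not match" prompts in the posts above come down to whether the host in each configured URL appears on the certificate. As an added example that is not part of the original posts, the following compares URL hosts with certificate names, including single-label wildcard matching; the function names and the certificate name list are assumptions, and the URLs are constructed samples modelled on the values shown above.

```powershell
# Added example. Values are constructed; on a server the URLs would come from
# Get-WebServicesVirtualDirectory, Get-OABVirtualDirectory, Get-UMVirtualDirectory
# and Get-ClientAccessServer, and the names from the CertificateDomains of the
# certificate that holds the IIS service.
function Test-HostOnCertificate {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLower()
    foreach ($name in $CertNames) {
        $n = $name.ToLower()
        if ($n -eq $h) { return $true }
        # A wildcard stands for exactly one left-most label: *.domain.com
        # covers mail.domain.com, but not a.b.domain.com or domain.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-UrlCertificateCheck {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($key in ($Urls.Keys | Sort-Object)) {
        $url = $Urls[$key]
        $uri = $null
        if (-not $url) {
            $result = 'not set'
        } elseif ($url -match '\s') {
            $result = 'URL contains whitespace'
        } elseif (-not [Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            $result = 'not an absolute URL'
        } elseif (Test-HostOnCertificate -HostName $uri.Host -CertNames $CertNames) {
            $result = 'host is on the certificate'
        } else {
            $result = "host '$($uri.Host)' is NOT on the certificate"
        }
        New-Object PSObject -Property @{ Setting = $key; Url = $url; Result = $result }
    }
}

$certNames = @('exchange.domain.com', 'autodiscover.domain.com')   # assumed SAN list
$urls = @{
    'EWS InternalUrl' = 'https://pasvr01/owa/ews/exchange.asmx'
    'EWS ExternalUrl' = 'https://exchange.domain.com/owa/ews/exchange.asmx'
    'OAB InternalUrl' = 'https://pasvr01/owa/oab'
    'OAB ExternalUrl' = 'https://exchange. exchange.domain.com/owa/oab'
    'UM ExternalUrl'  = ''
}
Get-UrlCertificateCheck -Urls $urls -CertNames $certNames | Format-Table Setting, Result -AutoSize
```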

  • Exchange 2007 Out of Office Certificate Error

    Hello,
    I have an Exchange 2007 Server and for some odd reason this week, we have been having issues enabling Out of Office in Outlook. It is some sort of issue with the Autodiscover service, but despite reading forum post after forum post, nothing has worked for
    me. At first when we would go into Outlook and click on Out of Office, it would freeze and then say the server is unavailable. I realized that it was trying to resolve a URL so I added a manual A record in the DNS server pointing to the local IP of the server
    and it fixed the issue, kind of. Now when we click on Out of Office Assistant, we get a security certificate error and it is driving my users crazy. I have updated the SRV record and many things, still unable to get it to work. 
    Any help would be super!! 
    Thanks!

    Hi,
    1. First of all, please check that the name you are using for the autodiscover service is present on the SAN certificate.
    2. Please check that name resolution is happening for the autodiscover namespace.
    I.e. if you try to resolve autodiscover.mydomain.com (or) mail.mydomain.com on your problematic PC, it should resolve to the CAS server IP address, or in some scenarios it will resolve to the LB.
    3. Then please check whether you have properly set the autodiscover internal URL on all the CAS servers.
    It might be like below:
    https://autodiscover.mydomain.com/autodiscover/autodiscover.xml
    (or)
    https://mail.mydomain.com/autodiscover/autodiscover.xml
    4. Then please check the web services URL on all the CAS servers; that is the major thing which makes the availability services (i.e. OOF, free/busy lookup) work perfectly.
    5. In the problematic please uncheck the internet proxy exceptions.
    6. You can use test email configuration to check whether the Outlook client is fetching the proper URL for autodiscover and EWS.
    7. test-outlookwebservices (we can use this command to check the functionality of autodiscover for a problematic user account)
    8. Please check the root certificates on the problematic client to see whether any are expired. Root certificates are the ones that come by default with the OS.
    9. If all the above is set correctly but you are still facing the issue, please follow the step below; this may not be required.
    Please export the SAN certificate from Exchange to a PFX file, which should include the certificate key, by using MMC. Then import the PFX file into the problematic client. Let us see what happens.
    On my side I have a few questions about your environment.
    1. Are you facing any certificate errors in OWA? The reason I am asking: please check that the installed SAN certificate in Exchange is valid and not expired.
    2. What is the problematic client's operating system version?
    Please reply if you have any issues.
    Regards
    S.Nithyanandham
