Exchange 2007 Expired Certificate – How to

Hello all, I know it's really weird to see a post about something other than Linux or Cisco, but from time to time I happen to work with Microsoft stuff as well (I would gladly avoid this but sometimes I have to…), especially when someone forgets to renew the digital certificates on the company Exchange server before going on holiday (it sounds like a joke but I assure you it's not… at least not a funny one!). I'm writing this to help those of you out there who are experiencing a similar problem, whether because of an expired or invalid certificate or a self-signed one.

Exchange 2007 uses digital certificates for a variety of purposes, like SSL encryption on the webmail page, TLS on hub server to hub server communications and so on. When installed, Exchange 2007 uses some self-signed certificates, which should be replaced with something more "professional", and that's what my colleagues did using our internal Certification Authority. Yesterday the HD staff began receiving a lot of calls about an error similar to the one in the following picture:

[Image: Exchange Event]

What they did was simply renew the certificates via the web interface of the CA with a Common Name corresponding to the internet name of the server, something like mail.mydomain.com. That is fine for external clients, but it created some havoc on the Exchange server itself and on the internal clients, with errors similar to the following:

[Image: Exchange Hostname Error]

As you can see, Exchange was whining because it could not find a certificate matching its internal FQDN. Of course we had a similar warning on the clients, stating that the certificate was valid but did not match the hostname of the server itself.

The good news is this can be easily solved; the bad news is you'll have to use crappy PowerShell to get the job done (I'm a CLI lover… at least of the functional ones like BASH… and even if MS tried to mimic it they weren't that successful, at least in my opinion…). All you have to do is create a certificate request for a certificate matching all the FQDNs, both internal and external, that your Exchange server will be using. I won't go into much detail on how to process the request on the CA, as this changes depending on the CA you're using (we have a Linux one, yeah!), but I'll describe the commands you're going to use to accomplish this.

Once you have opened up PowerShell, just input the following command (cmdlets, as they call them):

 New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=ccielogs,o=CCIELOGS, cn=mail.ccielogs.com" -domainname mail.ccielogs.com, CAS01, CAS01.mail.ccielogs.com, autodiscover.ccielogs.com -PrivateKeyExportable $true -path c:\certrequest.txt

Basically this command tells PowerShell to generate a request file named certrequest.txt under the c:\ path for a certificate that will match all the hostnames listed after the -domainname parameter.

Once the certificate has been requested and downloaded somewhere on the Exchange computer, we need to import it into Exchange and enable it for the intended services with the following command:

 Import-ExchangeCertificate -path <path to the issued certificate file> -friendlyname "CCIELOGS" | Enable-ExchangeCertificate -services "SMTP,IIS,POP,IMAP"

Once this is done, all that is left to do is restart the Hub Transport Service so that Exchange can reload the correct certificates:

[Image: Transport Service]

Now everything should be OK and you should not receive any errors or complaints from your users or the Exchange server :)
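
A check for both failure modes described in this post (an expired certificate, and a certificate that does not list every FQDN the server uses), as an added example that is not part of the original post. Test-NameMatch and Test-CertCoverage are hypothetical helper names, the sample objects are constructed, and the block assumes PowerShell 2.0 or later and that each CertificateDomains entry converts to the host name as a string; the wildcard handling goes slightly beyond the post's case.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# True when $Name is covered by $Pattern; "*.example.com" covers exactly one extra label.
function Test-NameMatch([string]$Name, [string]$Pattern) {
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)   # ".example.com"
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($Name -eq $Pattern)   # -eq on strings is case-insensitive
}

# One report object per certificate: days to expiry and the required names it does not list.
function Test-CertCoverage {
    param($Certificates, [string[]]$RequiredNames, [int]$WarnDays = 30, [datetime]$Now = (Get-Date))
    foreach ($cert in $Certificates) {
        $missing = @()
        foreach ($name in $RequiredNames) {
            $covered = $false
            foreach ($d in $cert.CertificateDomains) {
                if (Test-NameMatch $name "$d") { $covered = $true; break }
            }
            if (-not $covered) { $missing += $name }
        }
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            DaysLeft     = $daysLeft
            Expired      = ($daysLeft -lt 0)
            ExpiringSoon = ($daysLeft -ge 0 -and $daysLeft -lt $WarnDays)
            MissingNames = ($missing -join ', ')
        }
    }
}

# Constructed sample objects using the property names Get-ExchangeCertificate returns
# (Thumbprint, NotAfter, CertificateDomains); thumbprints and dates are placeholders.
$sample = @(
    (New-Object PSObject -Property @{ Thumbprint = 'PLACEHOLDER-EXTERNAL-NAME-ONLY'
        NotAfter = (Get-Date '2010-05-20'); CertificateDomains = @('mail.ccielogs.com') }),
    (New-Object PSObject -Property @{ Thumbprint = 'PLACEHOLDER-ALL-NAMES'
        NotAfter = (Get-Date '2009-06-15')
        CertificateDomains = @('mail.ccielogs.com', 'CAS01', 'CAS01.mail.ccielogs.com', 'autodiscover.ccielogs.com') })
)
$required = 'mail.ccielogs.com', 'CAS01', 'CAS01.mail.ccielogs.com', 'autodiscover.ccielogs.com'
Test-CertCoverage $sample $required -Now (Get-Date '2009-06-01') | Format-List
# On the Exchange server itself: Test-CertCoverage (Get-ExchangeCertificate) $required
```

Running this on a schedule with a generous WarnDays value gives warning well before a certificate lapses, and a non-empty MissingNames flags the name-mismatch case before clients start seeing it.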
