Raoul Edmonds
asked on
Change the certificate used by Exchange 2010 in SBS2011
Hoping someone here can help me. This is probably a straightforward issue but I cannot work it out.
On my Windows SBS2011 server I have a wildcard certificate, *.domain.com. I had previously installed this certificate and all was working fine.
However, when my first certificate expired and I renewed it I encountered an issue. I have successfully got the new certificate working with OWA but not with the native Exchange/Outlook connection. I keep getting an error when using Outlook, and when I view the details of the certificate I can see that Exchange is using the old certificate, which has now expired.
I did go to the list of certificates visible at EMC -> Server Configuration. I cannot find the expired certificate in this list. I did find the new wildcard certificate, which currently has the IIS and SMTP services assigned in this list. I tried to assign the IMAP and POP services but got the following errors.
Warning
This certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and subject '*.domain.com' cannot be used for POP SSL/TLS connections because the subject is not the Fully Qualified Domain Name (FQDN). Use the command Set-POPSettings to set X509CertificateName to the FQDN of the service.
Warning
This certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and subject '*.domain.com' cannot be used for IMAP SSL/TLS connections because the subject is not the Fully Qualified Domain Name (FQDN). Use the command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
The connectors are set to use the FQDN 'remote.domain.com'.
Thanks for your assistance
ASKER
Thank you for the response.
I believe I did use the SBS wizard initially. However, I did redo it using your instructions above.
The problem still remains. Outlook is generating the same certificate warnings and showing the same expired certificate.
I am not sure if it is related, but all of my Outlook clients always require user credentials to be entered for the Exchange accounts, despite being domain-authenticated clients. If not related, this will be my next question. ;-)
You shouldn't need authentication to connect to Outlook.
Have you removed the expired certificate? If not then you need to.
You didn't use the certificate elsewhere, for example on your public web site?
Run an Autodiscover test, see what that shows.
http://semb.ee/adt
Simon.
ASKER
I ran the New-ExchangeCertificate tool again.
The output was:
[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2010>New-ExchangeCertificate
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'sbs2011.domain.local'
because the CA-signed certificate with thumbprint 'AE605811AF7C3EC83646XXXXXXXXXXXXXXXXXXXXX' takes precedence. The
following receive/send connectors match that FQDN: Default SBS2011.
Confirm
Overwrite the existing default SMTP certificate?
Current certificate: '5F8B74BB2426EF259312BXXXXXXXXXXXXXXXXXXX' (expires 14/10/2018 11:16:25 PM)
Replace it with certificate: '7CE33E414F2375CDDCCE27XXXXXXXXXXXXXXXXXX' (expires 15/10/2018 8:32:26 PM)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
In case it wasn't clear, I am trying to get a third-party wildcard certificate to work. It is working for OWA.
I did use the https://testconnectivity.microsoft.com/ tool. The results were:
Certificate trust is being validated.
Certificate trust validation failed.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.domain.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
A certificate chain couldn't be constructed for the certificate.
Additional Details
The certificate chain has errors. Chain status = NotTimeValid.
Elapsed Time: 19 ms.
Sorry I wasn't sure which output from the Outlook test tool to post.
ASKER CERTIFIED SOLUTION
ASKER
Thank you Chris. Sorry, I did submit a reply, not sure why it went through.
I learnt the hard way that SBS doesn't like wildcard certs; however, once I got it installed it was OK, until the renewal.
After running the Fix My Network wizard it detected an issue with the cert and a couple of other things. I fixed the cert issue and then reran the 'install trusted cert' wizard.
All seemed to work OK. Outlook stopped generating certificate warnings.
However, when I run the Outlook Test Email AutoConfiguration tool it generates an expired certificate warning.
Also, interestingly, I am no longer getting the authentication login prompt from Outlook. I did play with changing the authentication method to NTLM, but this seems to either severely slow or stop outbound connections. I restored the Outlook settings to Negotiate Authentication and am not getting the authentication errors.
Everything appears to be working. Just unsure why the Outlook tool is still getting the expired certificate.
Regards
Raoul
To get rid of the error about the SMTP/TLS, in EMS, run new-exchangecertificate (on its own). You will get a number of prompts which you should accept. You can then remove the old certificate.
Simon.
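As an added illustration of the steps discussed in this thread (the POP/IMAP warnings in the question and Simon's advice to rebind the SMTP certificate and then remove the old one), not code posted by any participant: an Exchange Management Shell script that audits which certificates are still bound to services, binds the new wildcard certificate, sets the explicit service FQDN that POP/IMAP require for a wildcard subject, and only then removes expired CA-issued certificates. The thumbprint placeholder is an assumption to be replaced with the real value from Get-ExchangeCertificate; the FQDN remote.domain.com is the one named in the question.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the SBS 2011 box.
$NewThumbprint = 'THUMBPRINT_OF_NEW_WILDCARD_CERT'   # placeholder: copy from Get-ExchangeCertificate output
$ServiceFqdn   = 'remote.domain.com'                  # FQDN the connectors use (from the question)

# 1. Inventory: every certificate Exchange knows about, its expiry and the services bound to it.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned, Status |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 2. Flag expired certificates that still have services bound. An expired cert that is still
#    bound to SMTP or IIS is what Outlook keeps presenting to users as an expired-certificate warning.
$expiredBound = Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date) -and "$($_.Services)" -ne 'None' }
foreach ($c in $expiredBound) {
    Write-Warning ("Expired but still bound: {0} ({1}) services={2}" -f $c.Thumbprint, $c.Subject, $c.Services)
}

# 3. Sanity-check the replacement before binding it: it must be current and chain to a trusted root,
#    otherwise the connectivity analyzer will report NotTimeValid or an untrusted chain again.
$new = Get-ExchangeCertificate -Thumbprint $NewThumbprint
if ($new.NotAfter -lt (Get-Date)) { throw "New certificate has already expired; renew it first." }
if ("$($new.Status)" -ne 'Valid') { Write-Warning "New certificate status is '$($new.Status)'; fix the chain first." }

# 4. Bind it to IIS and SMTP. -Force accepts the "overwrite the existing default SMTP certificate"
#    prompt that New-ExchangeCertificate showed in the thread.
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services IIS,SMTP -Force

# 5. POP and IMAP refuse a wildcard subject unless the service FQDN is set explicitly,
#    which is exactly what the two warnings in the question ask for.
Set-POPSettings  -X509CertificateName $ServiceFqdn
Set-IMAPSettings -X509CertificateName $ServiceFqdn
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services POP,IMAP -Force

# 6. Only after the new certificate serves every role, remove expired CA-issued certificates.
#    Self-signed certificates are left alone; SBS uses them internally.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date) -and -not $_.IsSelfSigned -and $_.Thumbprint -ne $NewThumbprint } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }

# 7. Re-check: nothing expired should still be bound.
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -ne 'None' } |
    Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize
```

Restart the POP3 and IMAP4 services (and recycle IIS) after the change so clients are offered the new certificate, then re-run the Outlook Test Email AutoConfiguration tool to confirm the expired thumbprint no longer appears.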