Tuesday 15 November 2011

Exchange 2007 certificate expired

Once a year Outlook starts to moan about the certificate on the Exchange server. This is because the certificate on the Exchange server was set to expire one year after creation.

To check whether this is actually your problem, run the following command at an Exchange PowerShell prompt.

Get-ExchangeCertificate | list

This will show you a list of the certificates used by Exchange; the one we are interested in has IIS mentioned in its list of services. The NotAfter field will tell you when the certificate expires. For me it shows a time about half an hour ago, so we need a new certificate. To create a new one, run the following as an Exchange Server Administrator:

New-ExchangeCertificate

This command will ask if you want to overwrite the existing default SMTP certificate; answer yes to this. It should now display (along with other info) a thumbprint for the newly created certificate. Rather than re-type this, copy it and paste it into the next command. We need to enable the newly created certificate for the IIS service, which we do with:

Enable-ExchangeCertificate -Thumbprint <thumbprint from previous command> -Service IIS

You can remove old certificates from the Exchange certificate store with the following command:

Remove-ExchangeCertificate -Thumbprint <thumbprint of old certificate>

If you need a list of certificate details, including their thumbprints, re-run:

Get-ExchangeCertificate | list

After running the above I noticed that the certificate is now set to be valid for 5 years instead of 1 year. On further investigation it appears that Exchange 2007 SP2 changed the default for self signed certificates from 1 year to 5 years, woohoo!
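The steps above, put together as one check-and-renew script. This is an added example, not from the original post: it assumes it runs in the Exchange Management Shell on Exchange 2007, uses only the cmdlets shown above, and the 30-day threshold and the use of -Force to skip the overwrite prompt are my assumptions.

```powershell
# Added example: check the IIS certificate's expiry and renew it if needed.
# Assumes the Exchange Management Shell (Exchange 2007). Threshold is a chosen value.
$renewIfFewerThanDays = 30

# Find the certificate Exchange currently has enabled for the IIS service
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })

if ($iisCerts.Count -eq 0) {
    Write-Warning "No certificate is enabled for the IIS service on this server."
    return
}
if ($iisCerts.Count -gt 1) {
    Write-Warning "More than one certificate lists IIS; review them with: Get-ExchangeCertificate | list"
    return
}
$iisCert = $iisCerts[0]

$daysLeft = ($iisCert.NotAfter - (Get-Date)).Days
Write-Host ("IIS certificate {0} expires {1} ({2} days left)" -f $iisCert.Thumbprint, $iisCert.NotAfter, $daysLeft)

if ($daysLeft -gt $renewIfFewerThanDays) {
    Write-Host "Certificate is still valid; nothing to do."
    return
}

# Create a new self-signed certificate. -Force is assumed to suppress the
# "overwrite the existing default SMTP certificate?" prompt described in the post.
$newCert = New-ExchangeCertificate -Force
Write-Host ("Created {0}, valid until {1}" -f $newCert.Thumbprint, $newCert.NotAfter)

# Bind the new certificate to IIS so Outlook stops warning about it
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IIS

# Only remove the old certificate once the new one is bound and the old one has actually expired
if ($iisCert.NotAfter -lt (Get-Date) -and $iisCert.Thumbprint -ne $newCert.Thumbprint) {
    Remove-ExchangeCertificate -Thumbprint $iisCert.Thumbprint -Confirm:$false
    Write-Host ("Removed expired certificate {0}" -f $iisCert.Thumbprint)
}
```

Run it with Get-ExchangeCertificate | list afterwards to confirm the new thumbprint now lists IIS in its services.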
