2009
03.13

Had a situation here today where, for some reason, one of our Exchange 2007 boxes in a site stopped using the correct certificate. By default, Exchange Server 2007 issues itself a self-signed certificate for use with services like SMTP, IMAP, POP, IIS and UM (depending on your roles). This certificate is valid for a period of one year.

From the event log I was getting Event ID 12014: http://support.microsoft.com/kb/555855

I know it’s not recommended to use these temp certificates for client communications as a permanent fixture… just need to get to ordering a new one ASAP!

Anyway… the fix;

1. From the Exchange server, open PowerShell (the Exchange Management Shell) and enter:

2. Get-ExchangeCertificate | fl * (this gives all the details, including expiry date, services, etc.)

3. Next enter:

4. Get-ExchangeCertificate -thumbprint <your existing thumbprint> | New-ExchangeCertificate (this creates the new certificate for you)

5. It asks if you want to overwrite the existing one if it is using it for SMTP services.

6. Press Enter, or type A and then press Enter (this replaces the old certificate with the new one)


7. Get-ExchangeCertificate -thumbprint B799D76F951F367DD0EF261D2EF816AD6C4CC921 | fl * (this allows you to examine the new cert and look at what services it's set up to use. Depending on the roles you have in your environment (in my case I am not using UM), it will show something like IMAP, POP & SMTP. You will notice that IIS is not listed; IIS needs to use this cert as well, so you need to enable it)

8. Enable-ExchangeCertificate -thumbprint CA29A756B92C2D69BE450105B6473EAF8114FCB3 -services IIS

9. Now check to see if your inbound mail starts to work. If successful, proceed to the next step.

10. Lastly, remove the old certificate by entering:

11. Remove-ExchangeCertificate -thumbprint 2B47D0D0E19B7F65B2B8F6CA611194EE287639F7
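
The steps above as one Exchange Management Shell script (an added example, not part of the original post): it reuses the thumbprint that New-ExchangeCertificate returns instead of a hand-copied one, checks the service bindings, and only prints the removal command. $OldThumbprint is a placeholder and the 30-day $WarnDays threshold is an assumption.

```powershell
# Added example. Run in the Exchange Management Shell on the affected server.
$OldThumbprint = '<thumbprint of the expiring certificate>'   # placeholder
$WarnDays      = 30                                           # assumed threshold

# Inventory: expiry, self-signed flag and bound services for every certificate.
Get-ExchangeCertificate | Sort-Object NotAfter | ForEach-Object {
    $days = [int]($_.NotAfter - (Get-Date)).TotalDays
    $note = ''
    if ($days -lt $WarnDays) { $note = 'RENEW' }
    '{0} {1,5}d selfsigned={2} [{3}] {4}' -f $_.Thumbprint, $days, $_.IsSelfSigned, $_.Services, $note
}

# Snapshot the old certificate and its services before renewing.
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old) { throw "No certificate found with thumbprint $OldThumbprint" }
$oldServices = "$($old.Services)"

# New-ExchangeCertificate prompts before taking over SMTP (steps 5 and 6).
$new = $old | New-ExchangeCertificate
if (-not $new -or $new.Thumbprint -eq $OldThumbprint) {
    throw 'Renewal did not return a new certificate; nothing else was changed.'
}

# Step 8, using the thumbprint returned above rather than a pasted one.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# Re-read the new certificate: it should carry IIS plus everything the old one had.
$current = "$((Get-ExchangeCertificate -Thumbprint $new.Thumbprint).Services)"
$missing = @()
foreach ($svc in ("$oldServices,IIS".Split(',') | ForEach-Object { $_.Trim() })) {
    if ($svc -ne 'None' -and $current -notmatch "\b$svc\b") { $missing += $svc }
}

if ($missing.Count -gt 0) {
    Write-Warning "New certificate $($new.Thumbprint) is missing: $([string]::Join(', ', $missing))"
} else {
    "New certificate $($new.Thumbprint) serves: $current"
    'Once inbound mail is confirmed working (step 9), remove the old one with:'
    "  Remove-ExchangeCertificate -Thumbprint $OldThumbprint"
}
```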
