StephenBruce-2848 asked YukiSun-MSFT commented

Is there a step-by-step on installing and enabling an "updated" certificate for Exchange client services

I just acquired a renewed update of a "paused" certificate for Exchange 2016 for POP, IMAP, SMTP, IIS. Is there a guide for installing and binding/assigning the certificate to these services? I originally installed this server and performed replacements of an expired certificate but never updated a paused certificate. After installing the certificate into the "Web Server" store (probably my first mistake), the command to assign it to these services didn't work. I was hoping it would be as simple as that.

This command didn't work. It said it couldn't find the thumbprint which I copied directly from the certificate details.

Enable-ExchangeCertificate -Thumbprint 0b7a2f0232fa0f315ff6c4f7d62018c25aebff33 -Services POP,IMAP,SMTP,IIS

office-exchange-server-administration

YukiSun-MSFT answered YukiSun-MSFT commented

Hi @StephenBruce-2848,

Are you able to see this certificate via EAC > Servers > Certificates or in the output of the command below?

 Get-ExchangeCertificate

If not, it seems that you might not have followed the supported approach to renew the Exchange certificate, and so it is expected that the services cannot be bound to the certificate.

Generally, if it's a certificate that was issued by a CA, we would need to create a certificate renewal request, send the request to the CA and then the CA sends us the actual certificate file that we need to install on the Exchange server. The procedure is nearly identical to that of completing a new certificate request by installing the certificate on the server. For more details, hopefully you can find the document below helpful:
Renew an Exchange Server certificate


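The renewal flow described in the answer above, written out as an added example in the Exchange Management Shell (this is not code from the thread or from Microsoft's documentation). The share paths, the server name and the choice of the expired thumbprint from the thread are assumptions; replace them with your own values.

```powershell
# Added example: supported renewal of a CA-issued Exchange 2016 certificate.
# Placeholders: $RequestFile, $CertFile and $Server are assumptions, not values from the thread.

$OldThumbprint = '0B7A2F0232FA0F315FF6C4F7D62018C25AEBFF33'   # expired cert shown later in the thread
$RequestFile   = '\\fileserver\certs\owa-renewal.req'          # placeholder UNC path for the CSR
$CertFile      = '\\fileserver\certs\owa-renewed.cer'          # placeholder: file returned by the CA
$Server        = 'ex2016'                                      # placeholder Mailbox server name

# 1. Generate the renewal request from the existing certificate so the subject and SANs
#    are reused. This creates a PendingRequest entry in Get-ExchangeCertificate.
Get-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint |
    New-ExchangeCertificate -GenerateRequest -RequestFile $RequestFile

# 2. Submit $RequestFile to the CA out of band and save the issued certificate as $CertFile.

# 3. Complete the pending request by importing the CA's file with the Exchange cmdlet on the
#    same server. Importing it with another tool (for example into the IIS "Web Server" store,
#    as in the question) does not complete the Exchange request, which stays PendingRequest.
$Imported = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes($CertFile))

# 4. Bind the completed certificate to the client services. Exchange prompts before
#    overwriting the default SMTP certificate; answer Y to replace it.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Imported.Thumbprint `
    -Services POP,IMAP,SMTP,IIS

# 5. Verify: the new thumbprint should be Valid with the four services listed, and no entry
#    should remain in PendingRequest status.
Get-ExchangeCertificate -Server $Server |
    Format-Table Thumbprint, Status, Services, NotAfter, CertificateDomains -AutoSize
```

Restart IIS (iisreset) afterwards if the EAC still shows the old binding.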

I ended up creating a new CSR in Exchange (not IIS). Selected Status > Complete in Exchange, then assigned Services in PowerShell. It all seemed to work, and clients can now connect without error in OWA and phones.

BUT

Status in Exchange still says "Pending Request"
and
Assigned to Services NONE.

What is that about?

Hi @StephenBruce-2848,

What does it show in the output of the command below?

 Get-ExchangeCertificate | FL

You can share the result of that certificate for further troubleshooting after removing all personal information.

If it looks fine in the result of the Get-ExchangeCertificate cmdlet, that is, "Valid" status with proper services assigned, then I'd suggest trying to restart IIS and see if the status in EAC can be updated.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 Votes 0 ·
StephenBruce-2848 avatar image
0 Votes"
StephenBruce-2848 answered YukiSun-MSFT commented

RE: you asked for the results of this command; they are below.
It shows an expired certificate and the new certificate both assigned for client services.
Is that the problem?

When I ran the command to enable and assign the new certificate, it asked if it should overwrite the existing certificate. I said Y.

I didn't remove the expired certificate manually because I didn't want to break the services.

RE: I restarted the server to see if the status of the new certificate would change, before I submitted this question.

[PS] C:\Windows\system32>Get-ExchangeCertificate | FL
Creating a new session for implicit remoting of "Get-ExchangeCertificate" command...
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : { REDACTED
HasPrivateKey : True
IsSelfSigned : False
Issuer : C=US, S=mn, XXXXXXXXXXXXXXXX
NotAfter : 5/1/2022 11:51:46 AM
NotBefore : 5/1/2021 11:31:46 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 43771D1FAD78D3A749FEAF8C32AF99CF
Services : None
Status : PendingRequest
Subject : C=US, XXXXXXXXXXXXXXXXXXXXXXX
Thumbprint : 23EE9686373E31E6364872C3A371F0B2F945FCBA

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.contoso.com, www.owa.contoso.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=XXX
NotAfter : 5/1/2022 6:59:59 PM
NotBefore : 4/30/2021 7:00:00 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 00BED1EA8B7153E827C2A00A4B4C5C5A1E
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=owa.contoso.com
Thumbprint : 5B319E743D3D4C6BFBC22D41CBF02F3B8192254F

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.contoso.com, www.owa.contoso.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=XXX
NotAfter : 4/29/2021 6:59:59 PM
NotBefore : 4/21/2020 7:00:00 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 3D14FBF4D3E899E1CE571572DEA54946
Services : IMAP, POP, SMTP
Status : DateInvalid
Subject : CN=owa.contoso.com
Thumbprint : 0B7A2F0232FA0F315FF6C4F7D62018C25AEBFF33

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ex2016, ex2016.mail.dmz}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=ex2016
NotAfter : 5/5/2023 5:25:15 AM
NotBefore : 5/5/2018 5:25:15 AM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 1B26109BE2FC909C4E8B79CF615400CC
Services : SMTP
Status : Valid
Subject : CN=ex2016
Thumbprint : D6B99B18963707B482C654A8791B358FC70F76AA

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 4/8/2023 1:02:26 PM
NotBefore : 5/4/2018 1:02:26 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 6AEFCC8017ECAD9A43874F83D9C23982
Services : SMTP
Status : Valid
Subject : CN=Microsoft Exchange Server Auth Certificate
Thumbprint : 42E32369DA3D146E4E0C666653F98F47606C296C

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ex2016, ex2016.mail.dmz}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=ex2016
NotAfter : 5/4/2023 1:00:52 PM
NotBefore : 5/4/2018 1:00:52 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 6C9E5390A3A73392432EE62A45A483ED
Services : IIS, SMTP
Status : Valid
Subject : CN=ex2016
Thumbprint : 42A468A860EFF753DE8AD79D2FC575BAC7A4BED2

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-SHA2-EX2016}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-SHA2-EX2016
NotAfter : 5/1/2028 12:44:25 PM
NotBefore : 5/4/2018 12:44:25 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 71BA83AE902DBEA846F0E5CF32607AC7
Services : None
Status : Valid
Subject : CN=WMSvc-SHA2-EX2016
Thumbprint : 874957BA59F383474BD40FB85B8C203D15F18C3A


[PS] C:\Windows\system32>


Hi @StephenBruce-2848,

"It shows an expired certificate and the new certificate both assigned for client services. Is that the problem?"

Based on my experience, normally this isn't a problem. Actually from the results of the command you shared above, it seems to me that the part below is more likely to be related to the "pending request" you see in the EAC:

[attached screenshot 1.jpg: the PendingRequest entry from the output above]

Please run the command below using its thumbprint and confirm whether the FriendlyName returned is the same as the certificate name of the "pending request" in EAC:

 Get-ExchangeCertificate 23EE9686373E31E6364872C3A371F0B2F945FCBA | Format-List FriendlyName,Status,Services

If that is the case and this certificate request is not needed, you can remove it directly via EAC or using the command below:

 Remove-ExchangeCertificate 23EE9686373E31E6364872C3A371F0B2F945FCBA

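The two conditions discussed in this thread, a stale PendingRequest entry and an expired (DateInvalid) certificate still bound to services, can be checked in one pass. This is an added audit script, not code from the thread; $Server is a placeholder and the 30-day warning window is an arbitrary choice.

```powershell
# Added example: audit Get-ExchangeCertificate output for the conditions seen in the thread.
# Assumption: $Server is a placeholder for the Mailbox server name.

$Server = 'ex2016'
$Now    = Get-Date
$Certs  = Get-ExchangeCertificate -Server $Server

# Requests created by New-ExchangeCertificate -GenerateRequest and never completed.
# These show as "Pending request" in the EAC and have Services : None.
$Pending = $Certs | Where-Object { $_.Status -eq 'PendingRequest' }

# Certificates that are no longer Valid (e.g. DateInvalid) but still have services assigned,
# like the 0B7A... entry in the thread that kept IMAP, POP, SMTP after expiry.
$ExpiredBound = $Certs | Where-Object {
    $_.Status -ne 'Valid' -and $_.Services.ToString() -ne 'None'
}

# Valid certificates that expire within 30 days, so the next renewal is planned, not rushed.
$Expiring = $Certs | Where-Object {
    $_.Status -eq 'Valid' -and $_.NotAfter -lt $Now.AddDays(30)
}

foreach ($c in $Pending) {
    "PENDING  $($c.Thumbprint)  FriendlyName='$($c.FriendlyName)'  Subject=$($c.Subject)"
}
foreach ($c in $ExpiredBound) {
    "EXPIRED  $($c.Thumbprint)  Status=$($c.Status)  Services=$($c.Services)  NotAfter=$($c.NotAfter)"
}
foreach ($c in $Expiring) {
    "EXPIRING $($c.Thumbprint)  NotAfter=$($c.NotAfter)  Domains=$($c.CertificateDomains -join ',')"
}

# Remediation, left commented out so the audit itself changes nothing:
# - unneeded request:  Remove-ExchangeCertificate -Server $Server -Thumbprint <pending thumbprint>
# - expired but bound: confirm the Valid replacement holds the same services first, then
#                      Remove-ExchangeCertificate -Server $Server -Thumbprint <expired thumbprint>
```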

Hi @StephenBruce-2848,

I am writing to see if there is any progress on the issue. Any update would be appreciated.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 Votes 0 ·