
Expired Certificate on Exchange 2013

So your CERTIFICATE expired on your EXCHANGE 2013. No one can access email and you are being inundated with phone calls, pop-ins and text messages to notify you that "email isn't working" or "OUTLOOK isn't working."

We've all been there. If not, you will be there some day. Sometimes this even happens on very large email systems. There was a similar story recently where Google let the google.com domain registration slip (http://www.businessinsider.com/this-guy-bought-googlecom-from-google-for-one-minute-2015-9).
[I like to put these story links in here to let you know that you are not alone. It happens to just about everyone.]

This happens because CERTIFICATES are issued for multi-year terms: 2 years, 3 years, 5 years, 10 years, etc. And the expiration notices go to a non-personal email account that no one regularly checks (for example, a shared administrative mailbox) or to an email account that doesn't exist anymore.

Then the certificate expires and you wake up to voicemails and texts if you are in a worldwide company.

It's best to have a plan written out so you can follow it and fix the problem quickly rather than use that time as a learning experience. Let me say it again with emphasis... FIX IT AS FAST AS POSSIBLE!

Here's how:

ACCESS THE CERTIFICATES ON THE SERVER

  • -click SERVER-MANAGER.
  • -click TOOLS > IIS MANAGER.
  • -click YOUR-SERVER-NAME (on the left-hand side).
  • -double-click SERVER-CERTIFICATES (in the middle).

This will list out all the PERSONAL CERTIFICATES installed on the server. You will see the expired certificate in the list.

RECORD THE SUBJECT ALTERNATIVE NAMES

Before you go any further, view the expired certificate and write down the SUBJECT ALTERNATIVE NAMEs.

  • -click on the EXPIRED-CERTIFICATE.
  • -click VIEW (on the right-hand side).
  • -click DETAILS (at the top).
  • -scroll down to SUBJECT ALTERNATIVE NAME.
  • -write down all the names (in the lower box at the bottom).

The reason this is important is that if you access an email server called "mail.domain.tld" via a web site and you don't have that SUBJECT ALTERNATIVE NAME in the CERTIFICATE, the client will complain. And since EXCHANGE needs to have the local FULLY QUALIFIED DOMAIN NAME (FQDN) (i.e. server.domain.tld), the EXTERNAL DOMAIN NAME (mail.domain.tld) and the AUTODISCOVER NAME (autodiscover.domain.tld), it's important not to miss one of the names. If you do, you have to re-issue the CERTIFICATE and it can lead to longer downtime.
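As an added example (not from the original post), this PowerShell script, run on the Exchange server, lists every certificate in the Local Computer Personal store with its days to expiry and its SUBJECT ALTERNATIVE NAMEs, and flags any of the three required names that are missing. The three hostnames and the 30-day threshold are assumptions to replace with your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the Exchange server.
# Replace the placeholder hostnames with the FQDN, external name and autodiscover name you use.
$RequiredNames = @('server.domain.tld', 'mail.domain.tld', 'autodiscover.domain.tld')
$WarnDays      = 30   # flag certificates that expire within this many days

# Pull the DNS entries out of the Subject Alternative Name extension (OID 2.5.29.17).
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=mail.domain.tld"
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(\S+)') { $Matches[1].ToLowerInvariant() }
    }
}

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $sans     = @(Get-SanDnsNames -Cert $cert)
    $missing  = @($RequiredNames | Where-Object { $sans -notcontains $_.ToLowerInvariant() })

    if ($daysLeft -lt 0) { $state = 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { $state = 'EXPIRING' } else { $state = 'OK' }

    "{0,-8} {1,5} days  {2}  {3}" -f $state, $daysLeft, $cert.Thumbprint, $cert.Subject
    "         SANs:    " + ($sans -join ', ')
    if ($missing.Count -gt 0) { "         MISSING: " + ($missing -join ', ') }
}
```

Scheduled monthly, this is the reminder that the provider's expiration emails were supposed to be. From the Exchange Management Shell, Get-ExchangeCertificate shows the same names in its CertificateDomains property.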

CREATE A CERTIFICATE REQUEST (or CSR)

  • -click CREATE CERTIFICATE REQUEST (on the right-hand side).
  • COMMON NAME: domain.tld
  • ORGANIZATION: Company Name
  • ORGANIZATION UNIT: Domain Control Validated
  • CITY: Jupiter
  • STATE: FL
  • COUNTRY: us
  • For Cryptographic service provider, select "Microsoft RSA SChannel Cryptographic Provider".
    For Bit length, select 2048 or higher, and then click Next.
  • -save the CSR on the server and call it mail.domain.tld.csr
  • -this is a typical text file. Open it up with NOTEPAD.
  • -copy the entire contents (yes, even the "-----BEGIN NEW CERTIFICATE REQUEST-----")
  • -paste it into the web ONLINE APPLICATION (in your account at GODADDY, ENOM, NETWORK-SOLUTIONS, etc).
  • -wait a few minutes (about 2 minutes).
  • -download it. It will be named mail.domain.tld.cer and it might have an INTERMEDIATE CERTIFICATE.
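As an added example (not from the original post, which uses the IIS wizard), the same CSR can be generated from the Exchange Management Shell with New-ExchangeCertificate, which puts all three names into the request itself rather than relying on the provider's form. The organisation details, hostnames and output path are assumptions.

```powershell
# Added example, not from the original post: build the CSR from the Exchange Management Shell
# instead of the IIS wizard, so all three names are in the request itself.
# Organisation details, hostnames and the output path are placeholders.
$Names = @('mail.domain.tld', 'autodiscover.domain.tld', 'server.domain.tld')

$csrText = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, s=FL, l=Jupiter, o=Company Name, cn=mail.domain.tld' `
    -DomainName $Names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# The cmdlet returns the Base64 request text; write it as a plain ASCII file so it can be
# opened in Notepad and pasted into the provider's form exactly as described above.
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\mail.domain.tld.csr -Value $csrText -Encoding Ascii

# Check the request before submitting it: every name must appear as a "DNS Name=" entry
# under Subject Alternative Name, and the key must be 2048 bits or more.
certutil -dump C:\certs\mail.domain.tld.csr | Select-String -Pattern 'DNS Name=', 'CN=', 'Key Length'
```

The pending request (and its private key) stays in the Local Computer store, so the issued certificate can still be completed through IIS MANAGER as in the steps below.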

INSTALL THE INTERMEDIATE CERTIFICATE

The INTERMEDIATE CERTIFICATE must be installed.

There are ROOT CERTIFICATES installed on every device. These come from companies such as EQUIFAX, GEOTRUST, VERISIGN, THAWTE, GTE, MICROSOFT, etc. They are installed at the time of OS installation or through an update; in this case, Windows Update, but it can also happen during an iOS update.

These ROOT COMPANIES can be viewed as manufacturers who do not do business with end-users directly. You have to use a dealer of their product.

Consequently, the dealers' own certificates (the INTERMEDIATE CERTIFICATES) need to be installed too. These come from companies such as RAPIDSSL, GODADDY, etc. Without the INTERMEDIATE CERTIFICATE on the server, clients cannot build the chain from your CERTIFICATE up to a ROOT they trust.

Let's install the INTERMEDIATE CERTIFICATE:

  • -click START > RUN
  • -type: mmc
  • -click FILE > ADD/REMOVE-SNAP-IN (at the top).
  • -select CERTIFICATES (from the list on the left).
  • -click ADD (in the middle).
  • -bullet COMPUTER ACCOUNT.
  • -click FINISH > OK (at the bottom).

The CERTIFICATE MANAGER shows. On the left are the different STORES and in the middle are the different CERTIFICATES.

  • -click to expand the CERTIFICATES (on the left-hand side).
  • -right-click INTERMEDIATE CERTIFICATION AUTHORITIES
  • -click ALL-TASKS > IMPORT
  • -click NEXT > BROWSE
  • -find FILE-NAME (at the very bottom).
  • -select "PKCS #7 CERTIFICATES (*.spc;*.p7b)" (in the dropdown to the right).
  • -select the INTERMEDIATE CERTIFICATE that you downloaded from your DOMAIN-PROVIDER (godaddy, rapidssl, etc). It might be called something like *_iis_intermediates.p7b
  • -click NEXT
  • -select PLACE ALL CERTIFICATES IN THE FOLLOWING STORE
  • -click BROWSE
  • -select INTERMEDIATE CERTIFICATION AUTHORITIES.
  • -click OK
  • -click NEXT > FINISH
  • -exit out of the window.
  • -click NO (when it asks if you want to save).

INSTALL THE CERTIFICATE

  • -click SERVER-MANAGER.
  • -click TOOLS > IIS MANAGER.
  • -click YOUR-SERVER-NAME (on the left-hand side).
  • -double-click SERVER-CERTIFICATES (in the middle).
  • -click COMPLETE CERTIFICATE REQUEST (on the right-hand side).
  • -select the mail.domain.tld.cer or mail.domain.tld.crt (that was downloaded from the domain provider).
    (Note that it will look for a *.cer automatically; simply change the filter to *.* and use the .crt file and it will still work.)
  • -type a "Friendly Name": mail.domain.tld
  • -select PERSONAL (for the CERTIFICATE STORE).
  • -click OK
  • -the CERTIFICATE should now show in your list of CERTIFICATES
  • -if needed, highlight the EXPIRED-CERTIFICATE and click REMOVE (on the right-hand side)

BIND THE CERTIFICATE TO SERVICE

Even though the CERTIFICATE is installed, it isn't being used until you BIND the CERTIFICATE to the service (SMTP, WEBSITE, etc.).

BIND TO EXCHANGE BACK END

  • -click to expand the SERVER-NAME (on the left-hand side).
  • -click to expand SITES (on the left-hand side).
  • -you will see all the WEBSITES (on your server). Typically, there is DEFAULT-WEB-SITE & EXCHANGE-BACK-END
  • -click EXCHANGE-BACK-END
  • -click BINDINGS (on the right-hand side)
  • -select HTTPS-444-* (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
  • -click OK > CLOSE

BIND TO WEBMAIL

  • -click DEFAULT WEB SITE (on the left-hand side)
  • -click BINDINGS (on the right-hand side)
  • -select HTTPS-443-* (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
  • -click OK
  • -select HTTPS-443-127.0.0.1 (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
  • -click OK > CLOSE

RESTART IIS

  • -right-click the SERVER-NAME (on the left-hand side).
  • -click STOP
  • -wait for it to stop. It might take 2 minutes or so.
  • -right-click the SERVER-NAME (on the left-hand side).
  • -click START
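As an added example (not from the original post), here are the intermediate import, request completion, binding and IIS restart done from an elevated Exchange Management Shell, followed by checks that the issuer is really in the INTERMEDIATE CERTIFICATION AUTHORITIES store and that the 443/444 bindings carry the new thumbprint. File paths, file names and the friendly name are assumptions.

```powershell
# Added example, not from the original post: install-and-bind from an elevated Exchange
# Management Shell. Paths, file names and the friendly name are placeholders.
$IntermediateFile = 'C:\certs\gd_iis_intermediates.p7b'   # whatever your provider shipped
$CertFile         = 'C:\certs\mail.domain.tld.crt'

# 1. Intermediate chain -> Local Computer\Intermediate Certification Authorities ("CA" store).
certutil -addstore CA $IntermediateFile

# 2. Complete the request: pairs the issued certificate with the private key created
#    when the CSR was generated on this server.
$bytes = [System.IO.File]::ReadAllBytes($CertFile)
$cert  = Import-ExchangeCertificate -FileData $bytes -FriendlyName 'mail.domain.tld'

# 3. Bind it to the web services (OWA, ECP, EWS, ActiveSync, Autodiscover) and SMTP.
#    Exchange rewrites the IIS HTTPS bindings on 443 and the back-end 444 site itself.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 4. Recycle IIS so the new bindings are picked up (same effect as STOP/START in IIS MANAGER).
iisreset

# 5. Verify the issuing intermediate is present; if it is not, clients get chain errors
#    even though the server shows the new certificate.
$issuer = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $issuer) { Write-Warning "No intermediate for '$($cert.Issuer)' in the CA store" }

# 6. Verify the bindings: every Certificate Hash on :443 and :444 must equal $cert.Thumbprint.
Get-ExchangeCertificate | Format-Table Thumbprint, NotAfter, Services, CertificateDomains -AutoSize
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Certificate Hash'
```

Once the old certificate is no longer listed under Services for anything, Remove-ExchangeCertificate (or REMOVE in IIS MANAGER, as above) can clear the expired one.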

That should do it!!! Visit your web site at mail.domain.tld and you should be OK with the CERTIFICATE. With this plan in place, you should be able to fix your certificate issue within a few minutes.
