Fixing a bit of thumbprints

On October 28, 2011, in news, by

The STARTTLS certificate will expire soon: subject: domain.com, hours remaining: 76EB0A88D2FAE18ACD758189A6C630A1771990D0. Run the New-ExchangeCertificate cmdlet to create a new certificate.

So if you are like me and running an SBS box with a third-party cert, you'll get to a stage where the internal self-signed leaf certificates will expire and the third-party cert won't be impacted. You could ignore this, but it will annoy you to smithereens in your event logs.

I know it’s not my third party cert as I have that SSL cert for a LONG time.

Yeah, I didn't want that sucker to expire on me, as one time I accidentally did let an SSL cert lapse.

The Fix My Network wizard won't get rid of this unless you are using a self-signed cert.

The two certs that are not liking this are:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain.com, SERVER.internaldomain.lan}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVER-CA
NotAfter           : 11/23/2011 11:24:00 PM
NotBefore          : 11/23/2009 11:24:00 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6139F43E000000000005
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=domain.com
Thumbprint         : 76EB0A88D2FAE18ACD758189A6C630A1771990D0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVER.internaldomain.lan}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVER-CA
NotAfter           : 11/23/2011 7:08:18 PM
NotBefore          : 11/23/2009 7:08:18 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61269AC0000000000002
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 41ECAF354F3E542F4865FBAA970CBC65B291303A

Those thumbprint thingys will be very important.

http://geekcroft.wordpress.com/2008/10/15/renewing-internal-certificates-the-easy-way/

And we’re going to fix it like that. Kinda.  I could remove these certs, but if I run this command and then say NO that I want to leave the third party cert in place, it will extend the old cert AND leave my third party cert in place.

Launch the Exchange PowerShell window:

Get-ExchangeCertificate -Thumbprint 41ECAF354F3E542F4865FBAA970CBC65B291303A | New-ExchangeCertificate

Now we do the list command to make sure that the new certs are there:

get-exchangecertificate | fl

With the new certificate in place we may now remove the old certificate using Remove-ExchangeCertificate with the thumbprint value of the old certificate:
Remove-ExchangeCertificate -Thumbprint 76EB0A88D2FAE18ACD758189A6C630A1771990D0

(that thumbprint value is unique to the cert, so don’t copy it for your setup)

Send yourself an email to make sure all is well and there you go.

Again WITH A THIRD PARTY CERT I could have just removed those internal self signed expiring certs, but I didn’t want to do that.
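
Before running the renew and remove commands above, it helps to confirm which certificates are actually close to expiry and that the thumbprint you pasted is intact. The following is an added example, not part of the original post; the function names `ConvertTo-CleanThumbprint` and `Get-ExpiringCertificate`, the 30-day window and the third sample entry are assumptions made for illustration.

```powershell
# Added example (not from the original post). Written in PowerShell 2.0 syntax
# so it also runs in an Exchange shell of that era.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    # Keep hex digits only: drops spaces, line breaks and invisible characters
    # picked up when a thumbprint is copied from a dialog or a web page.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }
    $clean
}

function Get-ExpiringCertificate {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Certificate,
        [int]$Days = 30,                 # assumed reporting window
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $left = ($Certificate.NotAfter - $AsOf).TotalDays
        if ($left -le $Days) {           # also reports certificates already expired
            New-Object PSObject -Property @{
                Subject    = $Certificate.Subject
                Issuer     = $Certificate.Issuer
                Services   = $Certificate.Services
                DaysLeft   = [math]::Floor($left)
                Thumbprint = (ConvertTo-CleanThumbprint $Certificate.Thumbprint)
            }
        }
    }
}

# Constructed sample data mirroring the two entries listed in the post; the
# second thumbprint carries a stray line break, the third entry is invented.
$sample = @(
    (New-Object PSObject -Property @{ Subject='CN=domain.com'; Issuer='CN=domain-SERVER-CA'; Services='IMAP, POP, SMTP'
        NotAfter=[datetime]'2011-11-23T23:24:00'; Thumbprint='76EB0A88D2FAE18ACD758189A6C630A1771990D0' }),
    (New-Object PSObject -Property @{ Subject='CN=Sites'; Issuer='CN=domain-SERVER-CA'; Services='IMAP, POP, SMTP'
        NotAfter=[datetime]'2011-11-23T19:08:18'; Thumbprint="41ECAF354F3E542F486`n5FBAA970CBC65B291303A" }),
    (New-Object PSObject -Property @{ Subject='CN=mail.example.com'; Issuer='CN=Example Public CA'; Services='IIS'
        NotAfter=[datetime]'2013-06-01T00:00:00'; Thumbprint=('AB' * 20) })
)
$sample | Get-ExpiringCertificate -AsOf ([datetime]'2011-10-28') |
    Select-Object Subject, DaysLeft, Services, Thumbprint | Format-Table -AutoSize

# On the server itself: Get-ExchangeCertificate | Get-ExpiringCertificate -Days 30
```

With the sample data and an as-of date of October 28, 2011, only the two certificates issued by the internal CA are reported, each with 26 days left, and the broken thumbprint comes back as a single 40-character value.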

 
