Resolving Certificate Errors in Exchange 2013 Demos
NOTE: This post is NOT for production use. I am NOT an Exchange 2013 expert. I do, however, rely on Exchange 2013 in my demonstration environment for SharePoint 2013 features like Site Mailboxes, eDiscovery and Task Management. I use self-signed certificates for this environment, which you should NOT do in production. So don’t use this post for resolving production issues. Find an Exchange expert that knows Exchange 2013 (and how it has changed from 2010) to help you for your production implementations.
I started noticing Certificate errors in my demo when I opened Outlook (both 2010 and 2013).
Viewing the certificate I see that it is truly expired:
So just to be sure I visit my Exchange 2013 Server and start seeing a host of issues, all certificate related.
I’ll deal with one at a time. First the Exchange certificate.
This has changed a bit since 2010. It has gotten a lot easier. You have to determine the certificate in question that is expiring and get its thumbprint. Just select the cert in the UI and click the edit pencil. Copy the Thumbprint to the clipboard.
Open the PowerShell console and issue the following command (where {thumbprint} is the thumbprint of the expiring certificate):
Get-ExchangeCertificate -Thumbprint {thumbprint} | New-ExchangeCertificate
You will have to confirm the action and the result should be a new Cert and Thumbprint. In my case it was set to the services IMAP, POP, and SMTP, but missed IIS. So I ran:
Enable-ExchangeCertificate -Thumbprint {new thumbprint} -Services IIS
Finally, I felt the need to remove the expired certificate.
Remove-ExchangeCertificate -Thumbprint {expired thumbprint}
The result is sweet and far simpler than I expected.
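The renew, enable, remove sequence above as a single script for the same self-signed demo setup. This is an added example, not part of the original post; `$WarnDays` and the helper `Get-ServiceNames` are assumed names, and the script removes the old certificate only after the replacement carries every service the old one had.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$WarnDays = 30                                # assumed threshold, adjust as needed
$cutoff   = (Get-Date).AddDays($WarnDays)

# Services is a flags value; its string form is e.g. "IMAP, POP, IIS, SMTP".
# Federation is skipped: it cannot be assigned with Enable-ExchangeCertificate.
function Get-ServiceNames($cert) {            # hypothetical helper name
    "$($cert.Services)" -split ',\s*' |
        Where-Object { 'None', 'Federation' -notcontains $_ }
}

# Self-signed certificates that have expired or will expire within $WarnDays
# and still have services bound to them.
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt $cutoff -and (Get-ServiceNames $_) }

foreach ($old in $expiring) {
    Write-Host "Renewing $($old.Subject) [$($old.Thumbprint)], NotAfter $($old.NotAfter)"

    # Same renewal as in the post: pipe the old certificate into New-ExchangeCertificate.
    $new = $old | New-ExchangeCertificate
    if (-not $new) { Write-Warning "Renewal failed or was declined"; continue }

    # Enable any service the old certificate had that the new one lacks
    # (in the post, IIS was the one that was missed).
    $want    = @(Get-ServiceNames $old)
    $have    = @(Get-ServiceNames (Get-ExchangeCertificate -Thumbprint $new.Thumbprint))
    $missing = @($want | Where-Object { $have -notcontains $_ })
    if ($missing) {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $missing
    }

    # Re-read the new certificate and remove the old one only when the
    # replacement is valid past the cutoff and carries every service.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    $gap   = @($want | Where-Object { @(Get-ServiceNames $check) -notcontains $_ })
    if ($check.NotAfter -gt $cutoff -and $gap.Count -eq 0) {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint   # prompts for confirmation
    } else {
        Write-Warning "Keeping $($old.Thumbprint); still missing: $($gap -join ', ')"
    }
}
```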
Opening Outlook I still had “Issues”. My root CA is also generated specifically for my demo and not from a trusted authority like Verisign, so I have to tell the machine to trust me.
I mentioned before that I am not a certificate expert. I am certain that there is a better resolution to this issue than what I am about to show you. But in my demo environment, this works. If you know the RIGHT way to ensure domain certificate trust, please let me know. I have Binged and Googled this to death and have not found a clean "always trust my root CA" solution that works without expiration. Here is the fix, until the certificate expires again.
These steps should also resolve the OWA and Exchange Admin Center browser certificate errors.
When you build up a comprehensive demo environment like mine you have to consider the full lifecycle of all the components. In my case I run the following servers that must be maintained, patched and upgraded:
I am by no means an expert in all these technologies, though I do know a bit about SharePoint. A post like this is to ensure that next year when I forget how to do this I have a resource to fall back on.
Final Note: After several Snapshots I ran into an issue with the Exchange Admin Center not registering the new certificate. I just dropped into IIS Manager and manually applied the new certificate (same cert that was already on OWA) and everything started working.