Jan 8 2015

Outlook Web Access stops working after renewing 3rd party Certificate

We had an interesting issue this week. We renewed our Exchange certificate with a 3rd party vendor. Installed the certificate on Exchange and ISA Server.

OWA access from the internet stopped working after we installed the certificates. We tested OWA internally and it worked which pointed to something on the ISA server. After a long investigation we found the issue to be ISA running on Windows 2003 which is not compatible with the Secure Hash Algorithm 2 (SHA2) family of hashing algorithms that the certificates from our 3rd party cert provider issues.

Microsoft has a hotfix available to get around this. We were able to access OWA from the internet after installing this hotfix on the ISA server running Windows 2003 Server.

The Microsoft article can be found below. You will find more technical detail within this article and have the opportunity to download the hotfix. Note that you need to restart your Windows 2003 Server after installing the hotfix.

Microsoft KB938397

Dec 28 2010

Renewing TLS Certificate on a Hub Transport Server

I received an event today advising me that the local TLS certificate has expired and needs to be renewed. Here is the event info.

TLS Cert Expired Event

We need to renew this Certificate otherwise mailflow in Exchange 2007 will stop working. To do this open Exchange Management Shell and type the following:
Get-ExchangeCertificate | fl
You will be presented with all the certs installed on the server. You need to now find the cert that has expired. An example of an expired cert is:
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
CertificateDomains : {XXXX01, XXXX01.domainname.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERVER01
NotAfter           : 2010/12/28 09:33:12 AM
NotBefore          : 2009/12/28 09:33:12 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 8E1600C9A48960A64F515084A643CF4D
Services           : SMTP
Status             : Invalid
Subject            : CN=SERVER01
Thumbprint         : 459CA3A8D2CE3A300839D6254ACD4A5642F25185
The easiest way to renew the above certificate is to export the first cmdlet we ran to a text file and then copying the cert. To do that do the following:
  • Get-ExchangeCertificate | fl >c:cert.txt
  • Now open the cert.txt document that you created with the above command and copy the Thumbprint of the expired cert.
  • Then run Get-ExchangeCertificate -Thumbprint c6289cd8465c99ab249c60f8893jan7d889a4afc | New-ExchangeCertificate where the thumbprint number should be the one you copied from cert.txt. (Just delete the above thumbprint and paste your thumb print in it’s place)
  • Choose yes to overwrite the old certificate. (Before you click yes make sure the thumbprint is the same as the one in cert.txt as you do not want to overwrite a different cert)
  • Run Get-ExchangeCertificate | fl and check the dates and status to see if the new cert was created successfully.

I used the following URL to assist me with renewing the Cert. There are more info on the article regarding 3rd Party Certs etc.