Thursday, September 16, 2010

Renewing Exchange 2007 Self-Signed SSL Certificates

I already knew what needed to happen to fix this issue, but in Microsoft's infinite wisdom they saw fit to require 14 steps and intricate knowledge of their edgesync service in order to complete this yearly (and after SP2 every 5 year) service on Exchange 2007.

Symptoms: Errors in the exchange 2007 hub server indicating that the SSL certificate is expired. I saw event ID 12015 and 2019, both mumbling something about direct trusts, expiration, and so such. You may see others. Your mail flow also probably stopped.

Problem: The self signed cert that was created during the installation of exchange 2007 has expired. By default, the cert only lasts 1 year. After installing SP2, they upped the expiration length to 5 years.

Soluiton: Renew the cert on both the edge and hub server, recreate the edge subscription, restart the adam service, run the start-edgesynchronization command, then retry the queue on the edge server.


You may see the following error in the queue viewer on your edge server:
451 4.4.0 Primary target IP address responded with: "454 4.7.5 Certificate validation failure."

Open the exchange powershell on your hub server and run:

You should get a list of all the SSL certificates currently in use, and what they are doing for you. Then, run:

get-exchangecertificatae | fl

This will show you a detailed view of each certificate. Look for the one that says 'invalid' or 'expired' next to Status. Make a note of the thumbprint of that certificate, or better yet copy it in the shell.

Run the following command to renew that certificate. All it really does is make a new certificate that is enabled for the same services the old one was:
Get-ExchangeCertificate –Thumbprint “thumbprint of expired certificate” | New-ExchangeCertificate

Now, go back in and remove the expired certificate by running:
remove-exchangecertificatae -thumbprint "thumbprint of expired certificate"

Do these same steps on your edge server.

Create a new subscription file by opening the console on your edge server and typing:
New-EdgeSubscription -File "c:\subscription.xml"

Back to the Exchange Server:

Copy the subscription file from your Edge machine to your local hard drive.

Open the Exchange Management Console and create a new Edge subscription. Don't delete the existing subscription, leave the defaults, and all of your send/receive connectors will remain intact:
Organization Configuration -> Hub Transport -> New Edge Subscription... -> Browse to subscription.xml and leave "Automatically create a Send Connector" checked.

From the PowerShell on the hub server, synchronize your Edge subscription:

Receive your queued messages:

Open the queue viewer on your Edge box and retry all of the messages. If you have Outlook open, you should see your Inbox fill right up!
Send any queued messages:

Open the queue view on your Exchange box and retry all of the messages. You may receive the following error. If you do, just give it some time, I checked my queue about 20 minutes later and they had all been sent.
451.4.4.0 Primary target IP address responded with: “454.4.7.0 Temporary authentication failure.”

Excerpts taken from (