Exchange 2007 Certificate and Coexistence
Today we will see the steps to install or replace the steps of Exchange 2007. We will also see the changes required in the co-existence.
I would recommend to review this blog to know how to request new cert and review the private key: http://msexchangeguru.com/2012/07/24/edge-server-tls/
Exchange 2007 Certificate Installation and replacement
Get the certificate for the following urls from your certificate provider
autodiscover.domain.com – for autodiscover
legacy.domain.com – for Exchange 2007 owa and ews
mail.domain.com – for owa, outlook anywhere, pop, imap, EWS and activesync
- Go to Start Run
Type MMC hit enter
Click File à add/remove snap-in
Select Certificates à Computer accountàLocal Computer
Click ok then ok.
- Browser to Personal à Certificates
Right Click here à Import certficate à Select .cer or .pfx (pfx file will ask password) à Click next à next and Finish
- Certificate is installed but not enabled
- Open Exchange management shell with run as administrator
Run the cmd to get the thumbprint:
Get-ExchangeCertificate | fl Thumbprint,Friendlyname
Run the cmd to enable certificate and assign it to services
Get-ExchangeCertificate -Thumbprint “thumbprint which we got in the previous cmd” | Enable-ExchangeCertificate -Services IIS
- IISreset /noforce
You might need to run iisreset few times until services say stopped and started
Are We Done?
Answer is yes if this is the only certificate you have install on this server like.
Answer is no if this is a renewal or new certificate installation means you had a working certificate.
Exchange 2007 is way different than Exchange 2010 or 2013 which cannot work with multiple certificates for the same url. So we need to remove the old certificate other you owa will stop working because of existing certificate.
15. Got back to the below location, Export the old certificate for backup them remove the old certificate.
Select Certificates à Computer àLocal Computer à Browser to Personal à Certificates
16. IISreset /noforce
17. You might need to run iisreset few times until services say stopped and started
Co-Existence with Exchange 2013:
Here are some facts about Exchange 2007 co-existence with 2013:
- Exchange 2007 works differently than Exchange 2010 so it becomes important for OWA and EWS to use different urls.
- This also means we need to obtain a new certificate if you just have 2 urls mail and autodiscover.
If we will use same url on both 2013 and 2007 for OWA and EWS then redirection will fail with most likely error “The Webpage has a redirect loop”
- If you have 3rd url exist in the certificate then you can use this as legacy url on exchange 2007.
- Legacy can be replaced with any other word or url.
- Public host record is required for all 3 urls.
- Internal AD Host record is required for all 3 urls.
So for co-existence with Exchange 2013 you need to use 3 urls mentioned below:
- Mail.domain.com = Exchange 2013 OWA/POP/ECP/EWS/IMAP/OA/Activesync
- Autodiscover.domain.com = Exchange 2013 and 2007 Autodiscover
- Legacy.domain.com = Exchange 2007 OWA/POP/ECP/EWS/IMAP/OA/Activesync
Microsoft MVP | Exchange Server