
Joys of Server 2012 R2 TLS Defaults in June 2022

Server 2012 R2 SSLLabs Report

Windows Server 2012 R2 was a great platform and was very widely adopted, unlike its less popular step-sister, Server 2012. At least the R2 product had a Start button, rather than the Start pixel….

However, it really does show its age when viewed under a modern security lens. Unsurprisingly, things have changed from a security perspective over the last decade. Not all of the Server 2012 R2 defaul…


How To Request Certificate Without Using IIS or Exchange–Updated 2022

Back in 2014 the post How To Request Certificate Without Using IIS or Exchange was released to help create TLS certificates. One of the main use cases was Active Directory Federation Services (AD FS), as in 2014 it was pretty much a requirement for enterprise migration to Office 365. Password Hash Sync (PHS) and Pass-through Authentication (PTA) were still a twinkle in a developer’s eye….

I…


Wildcard Certificate ERR_CERT_COMMON_NAME_INVALID

The below is a reproduction of a customer situation where they moved from a SAN certificate to a wildcard certificate, thinking that it would be “easy”. The certificate in question was issued from their internal Windows CA and was installed onto Exchange. No issues were noted until they tried to bind the certificate to Exchange, at which point users immediately started to get errors in their browser. In Chr…


Change Certificate Friendly Name To Unique Value

Imagine that you have two certificates installed, but for whatever reason the same friendly name was used for both of them. You can certainly identify each of them by comparing the valid from/valid to dates or the thumbprint, but that adds a little extra overhead that you may not want to deal with.

As an alternative, you can modify the friendly name to a more suitable value. This allows you to…


Unable To Renew Exchange Certificate – Friendly Name Is Too Long

Your Exchange certificate is about to expire, so you initiate the standard process to renew it. It's only a 5 minute job, as that's how long it took last time, right?

Well, no. All is fine until you try to renew the existing certificate. The easiest way to initiate the renewal is by using the Renew option in the Exchange Admin Center.

The current certificate is the one selected in the below screensho…


Should I Overwrite The Default Exchange SMTP Certificate?

Exchange Prompt To Overwrite Default SMTP Certificate

When adding a TLS certificate on an Exchange server, the inevitable prompt will appear asking whether you wish to overwrite the default SMTP certificate binding. While the UI in the current versions of Exchange is slightly different, it was basically the same prompt in Exchange 2010 and Exchange 2007.


While the prompt language was the same in Exchange 2007 and newer versions, the way that transpo…


HealthChecker Script & Schannel TLS Registry Issues

Health Checker Issue With TLS Registry Keys

Unfortunately, issues can arise when third-party tools are used to modify TLS settings on a Windows Server. While these utilities are often intended to simplify the process of hardening or tuning protocols, they can introduce serious side effects, especially in environments running applications such as Exchange Server, IIS or other components that depend on Schannel. Misapplied registry changes, unsu…


Exchange Managed Availability Error – OutlookRpcSelfTestProbe

This case illustrates the "fun" with Managed Availability that a particular customer had after making changes to their servers. The servers were built back in 2014, and as such the default self-signed certificates had expired and were previously replaced. This is because the Exchange self-signed certificates have a 5 year validity period.

It was noted that Managed Availability was not healthy in all r…


A Tale of Two Certificates–SHA1 Certificate Created During Exchange 2016 Installation

The security space is constantly evolving, and while a lot of the recent work has been on moving to TLS 1.2, a previous focus in the industry was to stop issuing SHA1 certificates and transition to SHA2-based certificates. As a result, many will run security scans to review the installed certificates and their properties. In one such engagement, the security team noted their displeas…


Exchange Setup – Certificate Is Expired – Part Deux

Exchange Setup Certificate Expired

Previously I managed to break one of my labs when replicating a customer situation and then had to fix it as noted in this post from 2017.

This time around, though, I really raised my game, and instead of one certificate being expired, all of them were. Yup, every cert was toast. Trying to install the Exchange CU to update to the latest build did not go well at all. As you see below, all of the cer…