Certificates

TLS certificates and associated fun operations

0

Joys of Server 2012 R2 TLS Defaults in June 2022

Posted on by Rhoderick Milne [MSFT]
Server 2012 R2 SSLLabs Report

Windows Server 2012 R2 was a great platform and was very widly adopted.  Unlike it’s less popular step-sister, Server 2012.  At least the R2 product had a start button, rather than the start pixel….

However, it really does show its age when viewed under a modern security lens.  Unsurprisingly, things have changed from a security perspective over the last decade. Not all of the Server 2012 R2 defaul… Read the rest “Joys of Server 2012 R2 TLS Defaults in June 2022”

1

How To Request Certificate Without Using IIS or Exchange–Updated 2022

Posted on by Rhoderick Milne [MSFT]

Back in the year 2014 the post How To Request Certificate Without Using IIS or Exchange was released to help create TLS certificates. One of the main use cases was Active Directory Federation Services (AD FS) as in 2014 it was pretty much a requirement for enterprise migration to Office 365.  Password Hash Sync (PHS) and Pass Through Authentication (PTA) were still a twinkle in a developer’s eye….

I… Read the rest “How To Request Certificate Without Using IIS or Exchange–Updated 2022”

0

Change Certificate Friendly Name To Unique Value

Posted on by Rhoderick Milne [MSFT]

Imagine that you have two certificates installed, but for whatever reason the same friendly name was used for both of them.  You can certainly identity each of them by comparing the valid from/valid to dates or the thumbprint.  That adds just a little extra overhead that you may not want to deal with.

As an alternative, you can modify the friendly name  to a more suitable value.  This allows you to… Read the rest “Change Certificate Friendly Name To Unique Value”

7

Unable To Renew Exchange Certificate – Friendly Name Is Too Long

Posted on by Rhoderick Milne [MSFT]

Your Exchange certificate is about to expire, so you initiate a standard process to renew it.  It's only a 5 minute job as that's how long it took last time, right?

Well, no.  All is fine until you try to renew the existing certificate.  The easiest way to initiate the renewal is by using the Renew option in the Exchange Admin Center.

The current certificate is the one selected in the below screensho… Read the rest “Unable To Renew Exchange Certificate – Friendly Name Is Too Long”

13

Should I Overwrite The Default Exchange SMTP Certificate?

Posted on by Rhoderick Milne [MSFT]
Exchange Prompt To Overwrite Default SMTP Certificate

When adding a TLS certificate on an Exchange server, the inevitable prompt will appear to enquire if you wish to overwrite the default SMTP certificate binding.  While the UI in the current versions of Exchange is slightly different, it was basically the same prompt in Exchange 2010 & Exchange 2007.

Exchange Prompt To Overwrite Default SMTP Certificate

While the prompt language was the same in Exchange 2007 and newer versions, the way that transpo… Read the rest “Should I Overwrite The Default Exchange SMTP Certificate?”

2

Exchange Managed Availability Error – OutlookRpcSelfTestProbe

Posted on by Rhoderick Milne [MSFT]

This case illustrates the "fun" with Managed Availability a particular customer had after making changes to their servers.  The servers were built back in 2014, and as such the default self signed certificates had expired and were previously replaced.  This is because the Exchange self signed certificates have a 5 year validity period.

It was noted that Managed Availability was not healthy in all r… Read the rest “Exchange Managed Availability Error – OutlookRpcSelfTestProbe”

3

A Tale of Two Certificates–SHA1 Certificate Created During Exchange 2016 Installation

Posted on by Rhoderick Milne [MSFT]

The security space is constantly evolving, and while a lot of the recent work has been on moving to TLS 1.2, a previous focus in the industry was to stop issuing SHA1 certificates and transition to SHA2 based certificates.  As a result, many will run security scans to review the presence of installed certificates and their properties.  In one such engagement, the security team noted their displeas… Read the rest “A Tale of Two Certificates–SHA1 Certificate Created During Exchange 2016 Installation”

2

Exchange Setup – Certificate Is Expired – Part Deux

Posted on by Rhoderick Milne [MSFT]
Exchange Setup Certificate Expired

Previously I managed to break one of my labs when replicating a customer situation and then had to fix it as noted in this post from 2017.

This time around though I really raised my game, and instead of one certificate being expired, all of them were.  Yup every cert was toast.  Trying to install the Exchange CU to update to the latest build did not go well at all.  As you see below, all of the cer… Read the rest “Exchange Setup – Certificate Is Expired – Part Deux”

7

Easy Way To Retrieve Certificate Thumbprint Using PowerShell

Posted on by Rhoderick Milne [MSFT]

Since many certificate operations involve knowing the certificate’s thumbprint, it is always useful to to have an easy way to get this information.  In some of the online documentation it mentions you can copy the thumbprint out of the Certificate MMC snap-in and then manually delete the spaces between the data.  No thanks.

However, if you *really* want to do that, or a quick and easy way to launch… Read the rest “Easy Way To Retrieve Certificate Thumbprint Using PowerShell”

1

Exchange Self Signed SHA2 Certificates

Posted on by Rhoderick Milne [MSFT]

In recent builds, Exchange has been updated to support the newer SHA2 certificates.  Exchange 2010 SP3 RU13 and Exchange 2013 CU 12 updated the SMIME control’s certificate to SHA2.

Additionally, Exchange 2013 CU13 and Exchange 2016 CU2 added support for generating the self signed certificates as SHA2 certs.

The below is for reference to save having to spin up labs in the future to review differences i… Read the rest “Exchange Self Signed SHA2 Certificates”