Scribblings of a TechnoBuff


Archive for February, 2008

Self-signed Certificate Request for TLS

Posted by Sujeeth on February 22, 2008

Exchange 2007 creates a self-signed certificate during installation that uses all the server and domain names that are known to Exchange at the time of installation for use with services like SMTP, IMAP, POP, IIS and UM. These certificates are valid for 12 months.

The self-signed certificate meets an important need – securing communication for Exchange services by default. Nevertheless, one should treat these self-signed certificates as temporary. It’s not recommended to use these for any client communication on an ongoing basis.

When these certificates approach their expiry date, warnings like the following are generated in the Event log:

  1. The STARTTLS certificate will expire soon: subject:servername.domainname.com, hours remaining: B33EF13A248E1FC31414FF29BAC5A1041D54D27F. Run the New-ExchangeCertificate cmdlet to create a new certificate.
  2. A direct trust certificate will expire soon. Thumbprint:B33EF13A248E1FC31414FF29BAC5A1041D54D27F, hours remaining: 411

It may make sense to clone the existing certificates. Be aware that only the certificate metadata and not the key sets are cloned. To run the following cmdlets on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

  • To clone a new certificate from an existing certificate, you must first identify the current certificate for the domain by running the following command:

Get-ExchangeCertificate -DomainName mail1.contoso.com

Where mail1.contoso.com is the server name or the FQDN whose certificate you want to clone.

The first certificate that is listed in the output is the default SMTP TLS certificate for the server.

  • To clone the certificate, run the following command:

Get-ExchangeCertificate -Thumbprint b4268cd7065c87cb942d60f7293feb7d533a4cfd | New-ExchangeCertificate

Where the value for Thumbprint is from the first certificate that was listed in the output for Get-ExchangeCertificate. This command extracts the names from the existing certificate identified by the thumbprint and uses them in the new self-signed certificate.

  • If the existing certificate is being used for SMTP, you will be asked for a confirmation to overwrite. Type ‘Y’ to continue. A new certificate will be generated. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP; it will not be enabled for IIS.

To enable the new certificate for IIS:

Enable-ExchangeCertificate -Thumbprint "7WA56741539DBA19D1A43A6C8161ED2D0B3B9E6G" -Services IIS

If there is an Edge Transport server in your organisation, it might take some time to synchronise, and mail will be held in the queue until then. Once all the services are working with the new certificate, the old certificate can be removed:

Remove-ExchangeCertificate -Thumbprint "b4268cd7065c87cb942d60f7293feb7d533a4cfd"
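The renewal sequence above as a single Exchange Management Shell script, added here as an example and not part of the original post. The variable names and the verification in step 4 are assumptions; the old certificate is not removed automatically, only the command to do so is printed.

```powershell
# Added example. Run in the Exchange Management Shell as a local Administrator.
$Domain = 'mail1.contoso.com'   # placeholder FQDN from the post's own example

# Step 1: the first certificate listed for the domain is the default SMTP TLS one.
$old = Get-ExchangeCertificate -DomainName $Domain | Select-Object -First 1
if (-not $old) { throw "No certificate found for $Domain" }
$hoursLeft = [int]($old.NotAfter - (Get-Date)).TotalHours
"Old: $($old.Thumbprint)  services: $($old.Services)  hours remaining: $hoursLeft"

# Step 2: clone it. Answer 'Y' if asked to overwrite the SMTP certificate.
$new = $old | New-ExchangeCertificate
if (-not $new) { throw 'No new certificate was created; nothing else was changed.' }

# Step 3: the clone is not enabled for IIS, so enable it only if the old one was.
if ("$($old.Services)" -match 'IIS') {
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
}

# Step 4 (assumed check, not in the post): confirm the clone carries the same
# names and a later expiry before anything is removed.
$new = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$oldNames = @($old.CertificateDomains | ForEach-Object { "$_" })
$newNames = @($new.CertificateDomains | ForEach-Object { "$_" })
$diff = Compare-Object $oldNames $newNames
if ($diff) { throw "Domain names differ between old and new certificate: $($diff | Out-String)" }
if ($new.NotAfter -le $old.NotAfter) { throw 'New certificate does not extend the expiry date.' }
"New: $($new.Thumbprint)  services: $($new.Services)  expires: $($new.NotAfter)"

# Step 5: removal is deliberately not automatic. Run this by hand once every
# service (and Edge synchronisation, if present) works with the new certificate.
"Remove-ExchangeCertificate -Thumbprint $($old.Thumbprint)"
```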


Make URL(hyperlink) clickable in Microsoft Office Communicator 2007

Posted by Sujeeth on February 21, 2008

The URLs in IM windows can be made clickable through a Group Policy setting called “Allow Hyperlinks in instant messages”.

This setting enables Microsoft Office Communicator to replace Internet and network paths with hyperlinks in instant messages. If you enable this policy setting, Communicator will allow active hyperlinks in instant messages.

Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence.

You can download the Communicator 2007 documentation, which provides communicator.adm. Copy communicator.adm to your %windir%\inf directory. Import the Communicator administrative template and then edit the policy from there.

If you are using Office Communication Server R2, you will need to make sure that the Intelligent IM filter is configured properly; otherwise the hyperlinks might not be displayed between users.
