How to Renew (Replace) Self-Signed SSL Certificate in Exchange Server 2007

The Self-Signed certificate in Exchange 2007 (generated automatically during the installation process) is valid for one year. When it expires, Microsoft Outlook 2007 clients on the domain will start getting a pop-up security warning, and constantly confirming it could become quite annoying.

The Self-Signed certificate is not trusted by your clients because its issuer is not in their list of trusted root certification authorities. That causes the pop-up warning for OWA (Outlook Web Access) clients and is one of the problems when configuring Outlook Anywhere. In Step 3 below we demonstrate an easy and straightforward way to install the Self-Signed certificate on Windows XP and Windows Vista clients and solve this issue.

Finally, the default Exchange 2007 Self-Signed certificate, generated during the installation, includes only two names: the Exchange Server NetBIOS name and the Exchange internal FQDN (Active Directory Fully Qualified Domain Name). The certificate must also include at least the Exchange Server public name and the autodiscover name if you want to configure Outlook Anywhere (RPC over HTTP) and avoid the OWA security pop-up warning.

You might find this Screencast helpful, if you are in the following situation:
– The Self-Signed certificate, generated by Exchange 2007 installation has expired and you are getting Event ID: 12014 and 12015 in the Event log, plus the complaints of Outlook 2007 users about the security alert “The security certificate has expired or is not yet valid”.
– You want to enable and configure Outlook Anywhere, without purchasing a commercial multiple domain certificate.
– You want to get rid of the annoying security pop-up warning which OWA (Outlook Web Access) users are getting.

You have the following options:
– Generate a new Self-Signed certificate using Exchange Management Shell and replace the old one – Step2 in this Screencast
– Install and configure a Windows CA (Certificate Authority), and request a multiple domain SSL certificate from it – we will demonstrate this scenario in detail in a separate Screencast.
– Purchase and install a commercial SSL certificate – this is already covered in detail in our Exchange 2007 Screencast series.

In the following Step-by-Step Screencast, we demonstrate how to generate a new Self-Signed certificate in Exchange Server 2007 which includes all the necessary names in it. You can also see how to enable the SSL certificate for the Exchange services and remove the old one.

For your convenience, we provide a text file with the shell commands used in the tutorial here.

Step 1: In the first step, we check the status of the default Self-Signed certificate in Exchange 2007. We also demonstrate the Security Alert which Outlook 2007 users will see when this certificate expires.

Step 2: Next, we take a look at the names which should be included in the Exchange SSL certificate and demonstrate how to generate a new Self-Signed certificate with the required domain names. Once we confirm the result, we enable the new SSL certificate for Exchange services and remove the old one.

Step 3: Finally, we demonstrate an easy way to install the Self-Signed certificate in Windows XP and Windows Vista remote clients and test the result.
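
The server-side part of the procedure (Steps 1 and 2), written for the Exchange Management Shell. This is an added example and not the command file from the tutorial; the host names, the friendly name and the service list are placeholders that you replace with your own values.

```powershell
# Added example. All names are placeholders (assumptions): replace with your own.
$names = @(
    "mail.example.com",          # public name used for OWA / Outlook Anywhere
    "autodiscover.example.com",  # Autodiscover name
    "EXCH01",                    # Exchange Server NetBIOS name
    "exch01.example.local"       # Exchange internal (Active Directory) FQDN
)

# Step 1: review the installed certificates, their names and expiry dates.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# Record the self-signed certificates that exist before the change.
$old = @(Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned })

# Step 2: generate the new self-signed certificate with every required name.
# The private key stays non-exportable (the default); clients that need to
# trust the certificate only require its public part.
$new = New-ExchangeCertificate -DomainName $names `
    -SubjectName ("CN=" + $names[0]) `
    -FriendlyName "Exchange self-signed (renewed)"

# Confirm the result before touching any service binding.
$have = @($new.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($names | Where-Object { $have -notcontains $_ })
if ($missing.Count -gt 0) {
    throw ("Names missing from the new certificate: " + [string]::Join(", ", $missing))
}

# Enable the new certificate. The service list is an assumption: keep only
# the services this server actually offers.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IIS,SMTP,POP,IMAP"
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Services, NotAfter

# Remove only older self-signed certificates, confirming each one.
foreach ($c in $old) {
    if ($c.Thumbprint -ne $new.Thumbprint -and $c.NotAfter -lt $new.NotAfter) {
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$true
    }
}
```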
