Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Exchange 2010: Fix for an Invalid certificate and related issues

Published on
6,450 Points
Last Modified:
Exchange Server, Windows Server, Active Directory, Virtualization Expert.
This article will help to fix the below error for MS Exchange server 2010
I. Out Of office not working
II. Certificate error "name on the security certificate is invalid or does not match the name of the site"
III. Make Internal URLs and External URLs the same.
IV. Addressbook download issue.

Most administrators don't check the complete URLs which Exchange uses for serving MAPI clients or miss URLs to set and add certificate names after installing Exchange server. Below are fixes for those errors.

1. First make sure you have a Forward lookup zone named "externaldomain.com"  in your internal DNS server (as in the screenshot).

2. Then create the below A record in the newly created zone which points to exchange CAS/HUB server IP or load balancer IP if you have one (as in screeshot).
     a) autodiscover.domain.com
     b) mail.domain.com (common name)

3. Then make sure you have all the required names added as SANs in your SSL Certificate. The below names should be present for a single domain exchange. 
     a) mail.domain.com (common name)
     b) autodiscover.domain.com

Please use this command to list you SANs/names in the certificate.

Get-ExchangeCertificate | fl Issuer,CertificateDomains

3.1 If you have multiple domains you have to add below SANs in your SSL Certificate. 
     a) mail.domain1.com (common name1)
     b) autodiscover.domain1.com
     c) mail.domain2.com (common name2)
     d) autodiscover.domain2.com


3.1.1 You can have one common name and one autodiscover name in certificate and redirect all common names to commonname.domain1.com and redirect all autodiscover to autodiscover.domain1.com as below. 
     a) mail.domain1.com (common name1) ----> A record points to Exchange server IP
     b) autodiscover.domain1.com ------> A record points to Exchange server IP
     c) mail.domain2.com (common name2)  CNAME points to mail.domain1.com
     d) autodiscover.domain2.com CNAME points to autodiscover.domain1.com

4. Make sure IIS is enabled on the installed certificate.
Type "Get-ExchangeCertificate" in Exchange Management Shell and see IIS enabled or no.

Exchange 2010 Shell
Before services enabled

After services enabled

Use the command shown below to enable the services. You can change the services according to your requirement. but IIS is mandatory.

 Enable-ExchangeCertificate -Services IMAP, IIS, SMTP -thumbprint 896B74B25F7EBF330C93E56DA2A76CFC6A7 

Exchange 2010
You can assign/enable services certificate in Exchange 2010 from the MMC. Below is the steps with screenshot showing how you can enable/assign services.

 I. Right click on the imported certificate and click on "Assign services to certificate"

II. Click server name and click next.

 III. Tick the services to assign and click "Next". Click YES when you get a prompt to overwrite the existing certificate(self-signed) for SMTP. Select POP and IMAP if required, IIS and SMTP is required.

You can read this TechNet article for more information on how to assign services to certificate in Exchange2010. 

5. Enter the below command in Exchange Management Shell and see the Autodicover URLs are  set. 

 Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri                                                         

If you see the default URLs set by exchange installation (as above) use the below command to set it to the same as external.                                      

Set-ClientAccessServer -Identity server1 -AutoDiscoverServiceInternalUri "https://mail.exchange.online/autodiscover/autodiscover.xml"

You should see the following after running the command.

6. Enter the below command in Exchange Management Shell and see the offline address book URLs are set.                                                                                                              

Get-OabVirtualDirectory |  fl Server,Name,internalurl,externalurl

If you see the default URLs set by exchange installation use the below command to set it to the same as external.

Set-OabVirtualDirectory -Identity "server1\oab (default web site)" -InternalUrl https://mail.domain.com/oab -ExternalUrl https://mail.domain.com/oab

You should see the following after running the command.


I. In Exchange 2010 OAB URLs can be set from the EMC.  Right Click on "OAB(Default Web site)" and click Properties (as in the screenshot).

II.Type the URLs here and click "Apply" and "OK"

7. Enter the below command in Exchange Management Shell and see the exchange web services URLs are set.

Get-WebServicesVirtualDirectory | fl Server,Identity,internalurl,externalurl

If you see the default URLs set by exchange installation use the below command to set it to the same as external.                                        

set-WebservicesVirtualDirectory -Identity "server1\EWS (default web site)" -InternalUrl https://mail.exchange.online/EWS/Exchange.asmx  -ExternalUrl https://mail.exchange.online/EWS/Exchange.asmx

You should see the following after running the command.

8.On a client workstation; Check to see that the Out of Office URL is correct in a client's Outlook.
Press Ctrl and right-click on the Outlook icon located in your system tray, you can select Test E-mail AutoConfiguration.

Enter the email address of the mailbox you have opened and the password. Since we are not using POP3 or IMAP, there is no reason to leave the GuessSmart checkboxes checked.

After clicking Test, you will get the URL used to configure OOF.

Now you should have all your errors cleared.

To clear certificate error in Exchange2007. Please check follow this.

To clear certificate error in Exchange2013. Please check follow this.

Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Join & Write a Comment

In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…
Suggested Courses

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month