Changing my SSL certificate to get Activesync to work

Posted on 2006-06-04
Medium Priority
Last Modified: 2008-03-17
I'm somewhat new to this area, but I know enough to get by. I recently tried to configure my Treo to use ActiveSync with my Exchange server. We have an SSL certificate in place where the common name in the certificate is different from the actual domain. If I wanted to get a new certificate, how do I go about it?

What I was doing was going to IIS under the default website, removing the current certificate and making a new request. I had a site to get one for free by copying the request text and everything was going well, but I couldn't get the confirmation email because, with the certificate removed, I couldn't get my email.

Can anyone tell me the best steps to get this done? I have a bunch of people with Treos who can't sync.

Also, I tried a cert with godaddy.com, but I then found out that our domain has the wrong admin listed in the whois database, which is a whole different problem I'm now working on.
Question by:eshara55
LVL 104

Accepted Solution

Sembee earned 2000 total points
ID: 16827487
It doesn't matter what the name on the certificate is, as long as it is the same name that you enter into the device and it resolves correctly.

I actually recommend using a different name on the certificate to the server's real name.
For example the server could be server1.domain.local but the certificate has the common name of mail.domain.com - and mail.domain.com resolves to the Exchange server.
If you have MX records in place already to point at the Exchange server then there is nothing to stop you from using the same name for your SSL certificate. I do that all the time.

Removing the certificate should not have stopped you from receiving your email, unless you are trying to get the email via OWA, OMA, EAS or RPC over HTTPS. If you are using regular Outlook then you should be able to collect email.

However the problem with your Treos could be the lack of root certificate. If you are using any of the low cost/free certificates then the root certificate will not be installed on the device. This means the device will not accept the certificate on the server. You will need to get the root certificate on to the device so that your own certificate is trusted by the handheld.

Try a certificate from RapidSSL. You will still need the root certificate, but it isn't a chained certificate like some of the other low-end certificates, which makes the deployment much easier. I have guidance on getting the root certificate on to the device on my web site: http://www.amset.info/pocketpc/certificates.asp


Author Comment

ID: 17140064
Ok, so I got the new cert from rapidssl and installed it.  When trying to do an sync, I got a different error message.  Told me I have an invalid certificate installed.  I installed the root on the Treo as well.  Also, with the new cert, I was not able to get into my public exchange folders through the system manager.  That as well said I had an invalid cert.

With the original cert, the sync error is telling me I have a different host name than common name???

Is there a step I am doing wrong???
LVL 104

Expert Comment

ID: 17141184
If you browse to https://servername.domain.com/oma on the device then you will get the certificate prompt.
That will tell you which element is failing.
Furthermore, if the problem is with the certificate itself, as opposed to certificate support, then you could browse to the same address on a desktop and get a similar error.

The common name that you applied for in the certificate needs to match the name that you are giving to the users, BUT does NOT have to match the server's real name.

So the server could be called exchsvr01.domain.local but you are giving the users mail.domain.com
It is the mail.domain.com that would be the common name of the certificate.
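The two checks a device performs when it connects, as described in the accepted solution and in the comment above, are (1) does the name the user typed match a name in the certificate, and (2) does the certificate chain up to a root the device trusts. The following is an added example, not code from this thread or from any Exchange or Treo component: it implements both checks in Python against certificate dictionaries shaped like those `ssl.getpeercert()` returns. The host names `mail.domain.com` and `exchsvr01.domain.local` come from the thread; the issuer names "Example Intermediate CA" and "Example Root CA" and the wildcard certificate are constructed for illustration. Falling back to the subject commonName when no subjectAltName is present mirrors how clients of that era behaved and is an assumption here.

```python
"""Certificate name-matching and trust-chain checks (added example, not from the thread)."""

# Constructed sample: a certificate issued for the public name mail.domain.com,
# in the dictionary layout that ssl.getpeercert() produces.
EXCHANGE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"),),
    "issuer_name": "Example Intermediate CA",   # constructed issuer
}

# Constructed sample: a wildcard certificate, to show the one-label rule.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"),),
    "issuer_name": "Example Root CA",
}

# Constructed chain: leaf -> intermediate -> root (subject/issuer pairs only).
CHAIN = [
    {"subject": "mail.domain.com", "issuer": "Example Intermediate CA"},
    {"subject": "Example Intermediate CA", "issuer": "Example Root CA"},
]


def _dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the CN (assumed fallback)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _pattern_matches(pattern, hostname):
    """Case-insensitive match; a '*' may only replace the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False          # wildcard must not cover a bare second-level domain
    if p_labels[0] != "*":
        return False          # partial-label wildcards such as mai*.domain.com are rejected
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, cert):
    """True if the name the user typed on the device is covered by the certificate."""
    return any(_pattern_matches(name, hostname) for name in _dns_names(cert))


def chain_is_trusted(chain, trusted_roots, max_depth=10):
    """Walk issuer links from the leaf until a trusted root is reached.

    Returns (ok, reason). Signatures are not verified here; the point is to show
    why a missing root or a missing intermediate makes the device reject the cert.
    """
    by_subject = {c["subject"]: c for c in chain}
    current = chain[0]
    for _ in range(max_depth):
        issuer = current["issuer"]
        if issuer in trusted_roots:
            return True, "chain ends at trusted root '%s'" % issuer
        if issuer == current["subject"]:
            return False, "self-signed '%s' is not in the device trust store" % issuer
        nxt = by_subject.get(issuer)
        if nxt is None:
            return False, "issuer '%s' is neither trusted nor supplied in the chain" % issuer
        current = nxt
    return False, "chain too long"


if __name__ == "__main__":
    # The public name matches; the server's internal name does not.
    print(hostname_matches("mail.domain.com", EXCHANGE_CERT))
    print(hostname_matches("exchsvr01.domain.local", EXCHANGE_CERT))
    # Without the root installed on the handheld the chain cannot be completed.
    print(chain_is_trusted(CHAIN, {"Example Root CA"}))
    print(chain_is_trusted(CHAIN, set()))
```

Running `chain_is_trusted` on the leaf alone shows the "chained certificate" problem from the accepted solution: if the server does not send the intermediate and the device does not have it, the walk stops at the first link even when the root itself is trusted.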


Author Comment

ID: 17177012
Here's what I got...

Outlook(R) Mobile Access is supported only on Microsoft(R) Exchange Server 2003. Currently your mailbox is stored on an older version of Exchange server. Please contact your system administrator for additional assistance.

I'm on 2003?????
LVL 104

Expert Comment

ID: 17178137
Check out this article, and the one that it links to.

