Solved

Assitance required setting up a 'Digital Certificate'

Posted on 2008-10-16
11
387 Views
Last Modified: 2008-10-16
After running the Exchange 2003 Best Practises tool, one of the things it mentioned was:

Certificate principal mismatch.
The pricipal certificate for SSL certificate 'https://my-domain.com' does not match the host address.  Host address my-domain.com. Principal:CN=mail.mycompanyname-exchange.co.uk

Our webmail users login by going to:

https://mail.mycompany-exchange.co.uk/exchange/

And are always get prompted:

There is a problem with this website's security certificate.
   
The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
We recommend that you close this webpage and do not continue to this website.  
Click here to close this webpage.  
Continue to this website (not recommended).  

Clicking continue takes them into webmail, but I'd like to fix this.

What do I need to do to get a new certificate installed to bring the server 'up to code'?
0
Comment
Question by:-Juddy-
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
11 Comments
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22729629
If you are going to get a new certificate, then you need to do a certificate request (make sure that the server name and domain name are correct and exact) from the mail server - send this th the certificate supplier, and when you get the certificate back, import it into the mail server, replacing the existing one.
Hope this helps.
0
 
LVL 16

Expert Comment

by:Blaz
ID: 22729657
The error that is reported on the clients:
> The security certificate presented by this website was not issued by a trusted certificate authority.

can be resolved by either:
1. clients installing the CA certificate that issued your SSL certificate
2. you buy a certificate from a trusted root CA such as thawte, verisign, etc.

Additionally the CN (common name) in the certificate must be the same as the web server address where the certificate is used - so in your case:
mail.mycompanyname-exchange.co.uk
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730159
In answer to Robins post, how do I go about issuing a request from the server for a new certificate, this is new ground for me.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730310
In exchange system manager, expand administrative groups / servers / servername / protocols /SMTP, select the virtual server that you want to create the request for, right-click and select properties, select the Access tab, click on the certificates button, follow the prompts (select create new cert when it asks); save the file where you can find it (normally called certreq), as it is that file that you will send to the certification authority.
Hope this helps...
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730552
Strange.  I followed your instructions, but when I get as far as clicking the certificates button, I get the 'Welcome to the Web Server Certifcate Wizard', click next but there is no option to create a new certificate.  I have:

Renew, Remove, Replace, Export and Copy or Move.

 If I select Replace I have a raft of other certificates to choose from:

corp.mydomain.com      (this is registered name on our ISP's DNS servers)
owa.mydomain.com
owa.mail.mydomain-exchange.co.uk
ownmydomain.com
mail.mydomain.co.uk
mail.mydomain.co.uk/exchange

0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730649
The one you need to replace is the owa.mail one - see if you can replace that one and if it generates a new certificate request (if not you can always cancel before finish)
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730718
Ok, got myself into a positon to create a new IIS certificate.  Started the wizard, it will only allow me to prepare the request now and send it later.  The name it gives is Deafult SMTP Virtual Server (is this ok) and Bit length of 1024 (again, ok?).  Do I tick the Select CSP for this certificate?
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730846
smtp server is fine, bit length is ok, select CSP depends on whether you are using a CSP (cryptographic service provider) - I'd suggest you accept the default..
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730864
oh, and prepare now and send later is the default and is fine - you save it and send the request to the cert auth
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22731107
Ok, I'm about to create a certificate request and send it off to Verisgn (or Thwaite, or another recommendation?) using these settings:

Name: Default SMTP Server
Bit Length: 1024
CSP: Unticked
Organisation:My company name
Organisational unit: I.T.
Common Name: mail.mycompanyname-exchange.co.uk
Country/Region: GB (United Kingdom)
State Province: West Midlands (the drop down had no alternatives, so I entered this manually)
City/locality:1720207907 (system generated, is this right?)

0
 
LVL 12

Accepted Solution

by:
RobinHuman earned 250 total points
ID: 22731256
That looks ok to me - other security providers are Entrust, and InstantSSL by comodo
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
how to add IIS SMTP to handle application/Scanner relays into office 365.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question