Solved

Assistance required setting up a 'Digital Certificate'

Posted on 2008-10-16
Last Modified: 2008-10-16
After running the Exchange 2003 Best Practices tool, one of the things it mentioned was:

Certificate principal mismatch.
The pricipal certificate for SSL certificate 'https://my-domain.com' does not match the host address.  Host address my-domain.com. Principal:CN=mail.mycompanyname-exchange.co.uk

Our webmail users login by going to:

https://mail.mycompany-exchange.co.uk/exchange/

And always get prompted:

There is a problem with this website's security certificate.
   
The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
We recommend that you close this webpage and do not continue to this website.  
Click here to close this webpage.  
Continue to this website (not recommended).  

Clicking continue takes them into webmail, but I'd like to fix this.

What do I need to do to get a new certificate installed to bring the server 'up to code'?
Question by:-Juddy-
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22729629
If you are going to get a new certificate, then you need to do a certificate request (make sure that the server name and domain name are correct and exact) from the mail server - send this to the certificate supplier, and when you get the certificate back, import it into the mail server, replacing the existing one.
Hope this helps.
 
LVL 16

Expert Comment

by:Blaz
ID: 22729657
The error that is reported on the clients:
> The security certificate presented by this website was not issued by a trusted certificate authority.

can be resolved by either:
1. clients installing the CA certificate that issued your SSL certificate
2. you buy a certificate from a trusted root CA such as Thawte, Verisign, etc.

Additionally the CN (common name) in the certificate must be the same as the web server address where the certificate is used - so in your case:
mail.mycompanyname-exchange.co.uk
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730159
In answer to Robin's post, how do I go about issuing a request from the server for a new certificate? This is new ground for me.
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730310
In exchange system manager, expand administrative groups / servers / servername / protocols /SMTP, select the virtual server that you want to create the request for, right-click and select properties, select the Access tab, click on the certificates button, follow the prompts (select create new cert when it asks); save the file where you can find it (normally called certreq), as it is that file that you will send to the certification authority.
Hope this helps...
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730552
Strange.  I followed your instructions, but when I get as far as clicking the certificates button, I get the 'Welcome to the Web Server Certificate Wizard', click next but there is no option to create a new certificate.  I have:

Renew, Remove, Replace, Export and Copy or Move.

If I select Replace I have a raft of other certificates to choose from:

corp.mydomain.com      (this is the registered name on our ISP's DNS servers)
owa.mydomain.com
owa.mail.mydomain-exchange.co.uk
ownmydomain.com
mail.mydomain.co.uk
mail.mydomain.co.uk/exchange

 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730649
The one you need to replace is the owa.mail one - see if you can replace that one and if it generates a new certificate request (if not you can always cancel before finish)
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730718
Ok, got myself into a position to create a new IIS certificate.  Started the wizard, it will only allow me to prepare the request now and send it later.  The name it gives is Default SMTP Virtual Server (is this ok) and Bit length of 1024 (again, ok?).  Do I tick the Select CSP for this certificate?
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730846
SMTP server is fine, bit length is ok, select CSP depends on whether you are using a CSP (cryptographic service provider) - I'd suggest you accept the default.
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730864
oh, and prepare now and send later is the default and is fine - you save it and send the request to the cert auth
 
LVL 3

Author Comment

by:-Juddy-
ID: 22731107
Ok, I'm about to create a certificate request and send it off to Verisign (or Thawte, or another recommendation?) using these settings:

Name: Default SMTP Server
Bit Length: 1024
CSP: Unticked
Organisation: My company name
Organisational unit: I.T.
Common Name: mail.mycompanyname-exchange.co.uk
Country/Region: GB (United Kingdom)
State/Province: West Midlands (the drop down had no alternatives, so I entered this manually)
City/locality: 1720207907 (system generated, is this right?)

 
LVL 12

Accepted Solution

by:RobinHuman (earned 1000 total points)
ID: 22731256
That looks ok to me - other security providers are Entrust, and InstantSSL by Comodo
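The two browser complaints in this thread ("not issued by a trusted certificate authority" and the BPA's "principal mismatch") are independent checks, and the CSR settings above only fix the second one if the Common Name is exactly the host users type into their browser. The script below is an added example, not code from any poster or from Exchange: it models a certificate as a plain dict and reproduces the checks a client performs (issuer trusted, host matches the CN or a SAN dNSName, validity dates), then runs them over constructed data using the CN from the settings above. "Example Public CA" is a placeholder for whichever commercial CA signs the request, and the dates are made up. Run it with the exact URL users type and the exact CN you intend to request before sending the CSR off, since any spelling difference between the two, even a single label, is reported as a mismatch.

```python
"""Added example: client-side checks behind the two warnings on this page.
Certificates are plain dicts; every value below is constructed."""
from datetime import date
from urllib.parse import urlsplit


def matches_dns_name(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host the way browsers do
    (RFC 6125 style): case-insensitive, trailing dot ignored, and '*'
    accepted only as the entire leftmost label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False          # '*' must be the whole first label and nothing else
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False          # need at least two labels after '*', same depth as host
    return p_labels[1:] == h_labels[1:]


def accepted_names(cert: dict) -> list:
    """Names a client will match against: the SAN dNSName entries when
    present, otherwise the subject CN only."""
    return list(cert.get("san_dns") or [cert["cn"]])


def check_certificate(cert: dict, url: str, trusted_issuers: set,
                      today: date) -> list:
    """Return human-readable problems; an empty list means the certificate
    would be accepted for this URL without a warning."""
    host = urlsplit(url).hostname
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append(f"issuer '{cert['issuer']}' is not a trusted CA")
    names = accepted_names(cert)
    if not any(matches_dns_name(n, host) for n in names):
        problems.append(f"principal mismatch: host {host} not in {names}")
    if not (cert["not_before"] <= today <= cert["not_after"]):
        problems.append("certificate is outside its validity period")
    return problems


# Constructed data. 'Example Public CA' is a placeholder, not a real issuer.
TRUSTED_ISSUERS = {"Example Public CA"}
WEBMAIL_URL = "https://mail.mycompanyname-exchange.co.uk/exchange/"
TODAY = date(2008, 10, 16)

# What the server presents today: self-signed (issuer equals subject), so no
# trusted CA vouches for it. CN taken from the BPA output on this page.
CURRENT_CERT = {
    "issuer": "mail.mycompanyname-exchange.co.uk",
    "cn": "mail.mycompanyname-exchange.co.uk",
    "san_dns": [],
    "not_before": date(2008, 1, 1),
    "not_after": date(2009, 1, 1),
}

# What the CSR with the settings above would come back as from a public CA.
NEW_CERT = {
    "issuer": "Example Public CA",
    "cn": "mail.mycompanyname-exchange.co.uk",
    "san_dns": [],
    "not_before": date(2008, 10, 16),
    "not_after": date(2009, 10, 16),
}


def run_example() -> dict:
    """Reproduce the BPA finding (host my-domain.com vs the CN), the browser
    warning users see today, and the clean result after re-issuing."""
    return {
        "bpa": check_certificate(CURRENT_CERT, "https://my-domain.com",
                                 TRUSTED_ISSUERS, TODAY),
        "browser_now": check_certificate(CURRENT_CERT, WEBMAIL_URL,
                                         TRUSTED_ISSUERS, TODAY),
        "after_reissue": check_certificate(NEW_CERT, WEBMAIL_URL,
                                           TRUSTED_ISSUERS, TODAY),
    }


if __name__ == "__main__":
    for label, problems in run_example().items():
        print(label, "->", problems or ["ok"])
```

Two design points worth noting: once a certificate carries SAN dNSName entries, clients ignore the CN entirely, so a later certificate that should cover both `owa.mydomain.com` and the `mail.` name needs both in the SAN list; and a self-signed certificate fails the trust check on every client that has not imported it, which is Blaz's option 1 versus option 2 above.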
