Solved

Assitance required setting up a 'Digital Certificate'

Posted on 2008-10-16
11
379 Views
Last Modified: 2008-10-16
After running the Exchange 2003 Best Practises tool, one of the things it mentioned was:

Certificate principal mismatch.
The pricipal certificate for SSL certificate 'https://my-domain.com' does not match the host address.  Host address my-domain.com. Principal:CN=mail.mycompanyname-exchange.co.uk

Our webmail users login by going to:

https://mail.mycompany-exchange.co.uk/exchange/

And are always get prompted:

There is a problem with this website's security certificate.
   
The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
We recommend that you close this webpage and do not continue to this website.  
Click here to close this webpage.  
Continue to this website (not recommended).  

Clicking continue takes them into webmail, but I'd like to fix this.

What do I need to do to get a new certificate installed to bring the server 'up to code'?
0
Comment
Question by:-Juddy-
  • 6
  • 4
11 Comments
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22729629
If you are going to get a new certificate, then you need to do a certificate request (make sure that the server name and domain name are correct and exact) from the mail server - send this th the certificate supplier, and when you get the certificate back, import it into the mail server, replacing the existing one.
Hope this helps.
0
 
LVL 16

Expert Comment

by:Blaz
ID: 22729657
The error that is reported on the clients:
> The security certificate presented by this website was not issued by a trusted certificate authority.

can be resolved by either:
1. clients installing the CA certificate that issued your SSL certificate
2. you buy a certificate from a trusted root CA such as thawte, verisign, etc.

Additionally the CN (common name) in the certificate must be the same as the web server address where the certificate is used - so in your case:
mail.mycompanyname-exchange.co.uk
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730159
In answer to Robins post, how do I go about issuing a request from the server for a new certificate, this is new ground for me.
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730310
In exchange system manager, expand administrative groups / servers / servername / protocols /SMTP, select the virtual server that you want to create the request for, right-click and select properties, select the Access tab, click on the certificates button, follow the prompts (select create new cert when it asks); save the file where you can find it (normally called certreq), as it is that file that you will send to the certification authority.
Hope this helps...
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730552
Strange.  I followed your instructions, but when I get as far as clicking the certificates button, I get the 'Welcome to the Web Server Certifcate Wizard', click next but there is no option to create a new certificate.  I have:

Renew, Remove, Replace, Export and Copy or Move.

 If I select Replace I have a raft of other certificates to choose from:

corp.mydomain.com      (this is registered name on our ISP's DNS servers)
owa.mydomain.com
owa.mail.mydomain-exchange.co.uk
ownmydomain.com
mail.mydomain.co.uk
mail.mydomain.co.uk/exchange

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730649
The one you need to replace is the owa.mail one - see if you can replace that one and if it generates a new certificate request (if not you can always cancel before finish)
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730718
Ok, got myself into a positon to create a new IIS certificate.  Started the wizard, it will only allow me to prepare the request now and send it later.  The name it gives is Deafult SMTP Virtual Server (is this ok) and Bit length of 1024 (again, ok?).  Do I tick the Select CSP for this certificate?
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730846
smtp server is fine, bit length is ok, select CSP depends on whether you are using a CSP (cryptographic service provider) - I'd suggest you accept the default..
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730864
oh, and prepare now and send later is the default and is fine - you save it and send the request to the cert auth
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22731107
Ok, I'm about to create a certificate request and send it off to Verisgn (or Thwaite, or another recommendation?) using these settings:

Name: Default SMTP Server
Bit Length: 1024
CSP: Unticked
Organisation:My company name
Organisational unit: I.T.
Common Name: mail.mycompanyname-exchange.co.uk
Country/Region: GB (United Kingdom)
State Province: West Midlands (the drop down had no alternatives, so I entered this manually)
City/locality:1720207907 (system generated, is this right?)

0
 
LVL 12

Accepted Solution

by:
RobinHuman earned 250 total points
ID: 22731256
That looks ok to me - other security providers are Entrust, and InstantSSL by comodo
0

Featured Post

Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This video discusses moving either the default database or any database to a new volume.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now