Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 397
  • Last Modified:

Assitance required setting up a 'Digital Certificate'

After running the Exchange 2003 Best Practises tool, one of the things it mentioned was:

Certificate principal mismatch.
The pricipal certificate for SSL certificate 'https://my-domain.com' does not match the host address.  Host address my-domain.com. Principal:CN=mail.mycompanyname-exchange.co.uk

Our webmail users login by going to:

https://mail.mycompany-exchange.co.uk/exchange/

And are always get prompted:

There is a problem with this website's security certificate.
   
The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
We recommend that you close this webpage and do not continue to this website.  
Click here to close this webpage.  
Continue to this website (not recommended).  

Clicking continue takes them into webmail, but I'd like to fix this.

What do I need to do to get a new certificate installed to bring the server 'up to code'?
0
-Juddy-
Asked:
-Juddy-
  • 6
  • 4
1 Solution
 
RobinHumanCommented:
If you are going to get a new certificate, then you need to do a certificate request (make sure that the server name and domain name are correct and exact) from the mail server - send this th the certificate supplier, and when you get the certificate back, import it into the mail server, replacing the existing one.
Hope this helps.
0
 
BlazCommented:
The error that is reported on the clients:
> The security certificate presented by this website was not issued by a trusted certificate authority.

can be resolved by either:
1. clients installing the CA certificate that issued your SSL certificate
2. you buy a certificate from a trusted root CA such as thawte, verisign, etc.

Additionally the CN (common name) in the certificate must be the same as the web server address where the certificate is used - so in your case:
mail.mycompanyname-exchange.co.uk
0
 
-Juddy-Author Commented:
In answer to Robins post, how do I go about issuing a request from the server for a new certificate, this is new ground for me.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
RobinHumanCommented:
In exchange system manager, expand administrative groups / servers / servername / protocols /SMTP, select the virtual server that you want to create the request for, right-click and select properties, select the Access tab, click on the certificates button, follow the prompts (select create new cert when it asks); save the file where you can find it (normally called certreq), as it is that file that you will send to the certification authority.
Hope this helps...
0
 
-Juddy-Author Commented:
Strange.  I followed your instructions, but when I get as far as clicking the certificates button, I get the 'Welcome to the Web Server Certifcate Wizard', click next but there is no option to create a new certificate.  I have:

Renew, Remove, Replace, Export and Copy or Move.

 If I select Replace I have a raft of other certificates to choose from:

corp.mydomain.com      (this is registered name on our ISP's DNS servers)
owa.mydomain.com
owa.mail.mydomain-exchange.co.uk
ownmydomain.com
mail.mydomain.co.uk
mail.mydomain.co.uk/exchange

0
 
RobinHumanCommented:
The one you need to replace is the owa.mail one - see if you can replace that one and if it generates a new certificate request (if not you can always cancel before finish)
0
 
-Juddy-Author Commented:
Ok, got myself into a positon to create a new IIS certificate.  Started the wizard, it will only allow me to prepare the request now and send it later.  The name it gives is Deafult SMTP Virtual Server (is this ok) and Bit length of 1024 (again, ok?).  Do I tick the Select CSP for this certificate?
0
 
RobinHumanCommented:
smtp server is fine, bit length is ok, select CSP depends on whether you are using a CSP (cryptographic service provider) - I'd suggest you accept the default..
0
 
RobinHumanCommented:
oh, and prepare now and send later is the default and is fine - you save it and send the request to the cert auth
0
 
-Juddy-Author Commented:
Ok, I'm about to create a certificate request and send it off to Verisgn (or Thwaite, or another recommendation?) using these settings:

Name: Default SMTP Server
Bit Length: 1024
CSP: Unticked
Organisation:My company name
Organisational unit: I.T.
Common Name: mail.mycompanyname-exchange.co.uk
Country/Region: GB (United Kingdom)
State Province: West Midlands (the drop down had no alternatives, so I entered this manually)
City/locality:1720207907 (system generated, is this right?)

0
 
RobinHumanCommented:
That looks ok to me - other security providers are Entrust, and InstantSSL by comodo
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now