Solved

Assitance required setting up a 'Digital Certificate'

Posted on 2008-10-16
11
378 Views
Last Modified: 2008-10-16
After running the Exchange 2003 Best Practises tool, one of the things it mentioned was:

Certificate principal mismatch.
The pricipal certificate for SSL certificate 'https://my-domain.com' does not match the host address.  Host address my-domain.com. Principal:CN=mail.mycompanyname-exchange.co.uk

Our webmail users login by going to:

https://mail.mycompany-exchange.co.uk/exchange/

And are always get prompted:

There is a problem with this website's security certificate.
   
The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
We recommend that you close this webpage and do not continue to this website.  
Click here to close this webpage.  
Continue to this website (not recommended).  

Clicking continue takes them into webmail, but I'd like to fix this.

What do I need to do to get a new certificate installed to bring the server 'up to code'?
0
Comment
Question by:-Juddy-
  • 6
  • 4
11 Comments
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22729629
If you are going to get a new certificate, then you need to do a certificate request (make sure that the server name and domain name are correct and exact) from the mail server - send this th the certificate supplier, and when you get the certificate back, import it into the mail server, replacing the existing one.
Hope this helps.
0
 
LVL 16

Expert Comment

by:Blaz
ID: 22729657
The error that is reported on the clients:
> The security certificate presented by this website was not issued by a trusted certificate authority.

can be resolved by either:
1. clients installing the CA certificate that issued your SSL certificate
2. you buy a certificate from a trusted root CA such as thawte, verisign, etc.

Additionally the CN (common name) in the certificate must be the same as the web server address where the certificate is used - so in your case:
mail.mycompanyname-exchange.co.uk
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730159
In answer to Robins post, how do I go about issuing a request from the server for a new certificate, this is new ground for me.
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730310
In exchange system manager, expand administrative groups / servers / servername / protocols /SMTP, select the virtual server that you want to create the request for, right-click and select properties, select the Access tab, click on the certificates button, follow the prompts (select create new cert when it asks); save the file where you can find it (normally called certreq), as it is that file that you will send to the certification authority.
Hope this helps...
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730552
Strange.  I followed your instructions, but when I get as far as clicking the certificates button, I get the 'Welcome to the Web Server Certifcate Wizard', click next but there is no option to create a new certificate.  I have:

Renew, Remove, Replace, Export and Copy or Move.

 If I select Replace I have a raft of other certificates to choose from:

corp.mydomain.com      (this is registered name on our ISP's DNS servers)
owa.mydomain.com
owa.mail.mydomain-exchange.co.uk
ownmydomain.com
mail.mydomain.co.uk
mail.mydomain.co.uk/exchange

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730649
The one you need to replace is the owa.mail one - see if you can replace that one and if it generates a new certificate request (if not you can always cancel before finish)
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22730718
Ok, got myself into a positon to create a new IIS certificate.  Started the wizard, it will only allow me to prepare the request now and send it later.  The name it gives is Deafult SMTP Virtual Server (is this ok) and Bit length of 1024 (again, ok?).  Do I tick the Select CSP for this certificate?
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730846
smtp server is fine, bit length is ok, select CSP depends on whether you are using a CSP (cryptographic service provider) - I'd suggest you accept the default..
0
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22730864
oh, and prepare now and send later is the default and is fine - you save it and send the request to the cert auth
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 22731107
Ok, I'm about to create a certificate request and send it off to Verisgn (or Thwaite, or another recommendation?) using these settings:

Name: Default SMTP Server
Bit Length: 1024
CSP: Unticked
Organisation:My company name
Organisational unit: I.T.
Common Name: mail.mycompanyname-exchange.co.uk
Country/Region: GB (United Kingdom)
State Province: West Midlands (the drop down had no alternatives, so I entered this manually)
City/locality:1720207907 (system generated, is this right?)

0
 
LVL 12

Accepted Solution

by:
RobinHuman earned 250 total points
ID: 22731256
That looks ok to me - other security providers are Entrust, and InstantSSL by comodo
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now