Reenable Self-Signed Certificate for Exchange 2007

I'm setting up an Exchange 2007 server.  I generated a 3rd party certificate and successfully imported it with the Exchange Management Shell.  Then I made (I believe) the mistake of enabling it not only for IIS but also for SMTP.  Now OWA works perfectly but when I try to connect a test user within the domain via Outlook, I get an error saying "The name on the security certificate is invalid or does not match the name of the site."  I understand the error because I didn't include the internal name of the server on the 3rd party certificate.

What I'd like to do, I believe, is use the self-signed certificate (which is still listed in EMS) for the SMTP (Outlook) and the 3rd party certificate (UCC) for IIS (OWA, Activesync).  I've tried using the {Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services "SMTP"} command to assign the SMTP back to the self-signed certificate.  I've even removed the 3rd party certificate using the Remove-ExchangeCertificate cmdlet, but no matter what I do, Outlook clients still are seeing the 3rd party certificate when they connect to Exchange.

Can I get the self-signed certificate back associated with SMTP or must I regenerate the 3rd party certificate?  If the self-signed cert will work, is there a trick to getting it back associated with SMTP that I'm missing?
1 Solution
 
Paranormastic (Cryptographic Engineer) commented:
As long as the name is valid on the UC cert, that would be best.  If you made a mistake and did not include the hostname in addition to the rest, or did not include the subject name in the SAN list as well, then you may run into issues.  If you recently got the cert, you should be able to contact the cert vendor and have them issue you a new UC cert with the complete set of names that you need.  You can use the UC cert for SMTP, POP3, OWA, etc.
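An added example, not part of the original thread: the Exchange Management Shell checks worth running before deciding whether to reissue the certificate. They list every certificate in the Exchange store with its bound services and SAN names, and the HTTPS URLs that Outlook is handed by Autodiscover. Outlook's MAPI session does not use SMTP at all; the warning quoted in the question comes from the HTTPS endpoints (Autodiscover, Web Services, OAB) served by IIS, and their default internal URLs carry the server's internal FQDN, which is why a certificate missing that name triggers it. The host names and thumbprint below are placeholders.

```powershell
# Added example (not from the original post). Run in the Exchange 2007
# Management Shell on the Client Access / Hub Transport server.
# All host names and the thumbprint are placeholders.

# 1. Every certificate Exchange knows about: which services it is bound to,
#    which names are on it, and whether it is the built-in self-signed one.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. The HTTPS URLs Outlook actually connects to. Every host name in these
#    values must be present on the certificate bound to IIS, otherwise Outlook
#    reports "The name on the security certificate is invalid or does not
#    match the name of the site".
Get-ClientAccessServer        | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl
Get-OabVirtualDirectory       | Format-List Server, InternalUrl, ExternalUrl

# 3. Rebind a service to a chosen certificate by thumbprint. Valid service
#    names are IIS, SMTP, POP, IMAP, UM and None.
$thumb = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'   # placeholder
Enable-ExchangeCertificate -Thumbprint $thumb -Services 'IIS'

# 4. Confirm the binding took effect.
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Subject, CertificateDomains, Services
```

If the internal FQDN cannot be placed on the public certificate, the other supported route is to point the internal URLs at a name that is on it and resolves internally, using Set-ClientAccessServer -AutoDiscoverServiceInternalUri, Set-WebServicesVirtualDirectory -InternalUrl and Set-OabVirtualDirectory -InternalUrl; either way, step 2 above is the check that tells you which names the certificate must carry.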
Dan Carp (IT Director, author) commented:
Thanks Paranormastic... so just to confirm, you suggest that the right way to set up the UCC would be:

server.InternalDomain.com (this is the one I had omitted)
owa.ExternalDomain.com
pop.ExternalDomain.com

etc.
Paranormastic (Cryptographic Engineer) commented:
Usually:
server   (hostname of server)
server.internaldomain.com
owa.externaldomain.com
autodiscover.externaldomain.com

If you need

pop.external.com
smtp.external.com

then do that - many places alias these to just 'mail.externaldomain.com'.

Remember that whichever name is in the CSR as the subject name will need to be re-entered into the big list of names for the subject alternative name.  This is just a certificate quirk.
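An added example, not part of the original thread, showing the name list above turned into an actual Exchange 2007 certificate request, with the subject name repeated in the SAN list as the answer recommends, followed by the import and service binding once the CA returns the certificate. The organization, host names, file paths and thumbprint are placeholders.

```powershell
# Added example (not from the original post). Exchange 2007 Management Shell.
# Organization, host names, paths and thumbprint are placeholders.

$subjectCN = 'mail.externaldomain.com'

# Complete SAN list. The subject name is deliberately repeated at the end:
# Exchange puts only -DomainName values into the SAN extension, and clients
# that match against the SAN ignore the subject CN once a SAN is present.
$names = @(
    'server',                          # NetBIOS host name
    'server.internaldomain.com',       # internal FQDN (the name that was omitted)
    'owa.externaldomain.com',
    'autodiscover.externaldomain.com',
    $subjectCN
)

# Generate the CSR. -Path is the Exchange 2007 way to write the request file;
# -PrivateKeyExportable lets the key be moved to another server later.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Corp, CN=$subjectCN" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -Path 'C:\certs\exchange-uc.req'

# Once the CA returns the signed certificate, import it. The cmdlet prints the
# thumbprint of the imported certificate; use that value in the next step.
Import-ExchangeCertificate -Path 'C:\certs\exchange-uc.cer'

$thumb = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'   # placeholder
Enable-ExchangeCertificate -Thumbprint $thumb -Services 'IIS, SMTP, POP'

# Verify that every expected name is on the certificate before telling users
# it is fixed; a missing name here reproduces the Outlook warning.
Get-ExchangeCertificate -Thumbprint $thumb |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Before submitting the request, compare $names against the host names returned by Get-ClientAccessServer, Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory, since those are the names Outlook will actually validate.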
Dan Carp (IT Director, author) commented:
Thanks!