Solved

Reenable Self-Signed Certificate for Exchange 2007

Posted on 2009-04-15
Last Modified: 2013-11-16
I'm setting up an Exchange 2007 server.  I generated a 3rd party certificate and successfully imported it with the Exchange Management Shell.  Then I made (I believe) the mistake of enabling it not only for IIS but also for SMTP.  Now OWA works perfectly but when I try to connect a test user within the domain via Outlook, I get an error saying "The name on the security certificate is invalid or does not match the name of the site."  I understand the error because I didn't include the internal name of the server on the 3rd party certificate.

What I'd like to do, I believe, is use the self-signed certificate (which is still listed in EMS) for the SMTP (Outlook) and the 3rd party certificate (UCC) for IIS (OWA, Activesync).  I've tried using the {Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services "SMTP"} command to assign the SMTP back to the self-signed certificate.  I've even removed the 3rd party certificate using the Remove-ExchangeCertificate cmdlet, but no matter what I do, Outlook clients still are seeing the 3rd party certificate when they connect to Exchange.

Can I get the self-signed certificate back associated with SMTP or must I regenerate the 3rd party certificate?  If the self-signed cert will work, is there a trick to getting it back associated with SMTP that I'm missing?
0
Question by:pcamis
Expert Comment

by:Paranormastic
ID: 24150315
As long as the name is valid on the UC cert, that would be best.  If you made a mistake and did not include the hostname in addition to the rest, or did not include the subject name in the SAN list as well, then you may run into issues.  If you recently got the cert, you should be able to contact the cert vendor and have them issue you a new UC cert with the complete set of names that you need.  You can use the UC cert for SMTP, POP3, OWA, etc.
0
 

Author Comment

by:pcamis
ID: 24150342
Thanks paranormastic... so just to confirm, you suggest that the right way to setup the UCC would be:

server.InternalDomain.com (this is the one I had omitted)
owa.ExternalDomain.com
pop.ExternalDomain.com

etc.
0
 

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24150472
Usually:
server   (hostname of server)
server.internaldomain.com
owa.externaldomain.com
autodiscover.externaldomain.com

If you need

pop.external.com
smtp.external.com
then do that - many places alias these to just 'mail.externaldomain.com'

Remember that whichever name is in the CSR as the subject name will need to be re-entered into the big list of names for the subject alternate name.  This is just a certificate quirk.
0
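The name list from the accepted answer, turned into a request-and-verify script for the Exchange Management Shell. This is an added example, not part of the original thread: the host names are the thread's placeholders, and the organization DN and the C:\certs paths are assumptions to replace with your own values.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# Host names are the thread's placeholders; the DN and file paths are assumptions.
$subjectCN = 'owa.externaldomain.com'
$reqPath   = 'C:\certs\ucc.req'   # assumed location for the request file
$cerPath   = 'C:\certs\ucc.cer'   # assumed location for the CA's reply
$names = @(
    'server',                           # short host name of the server
    'server.internaldomain.com',        # internal FQDN
    'autodiscover.externaldomain.com'
)

# The subject name has to be repeated in the subject alternative name list.
if ($names -notcontains $subjectCN) { $names = @($subjectCN) + $names }

if (-not (Test-Path $cerPath)) {
    # Stage 1: no issued certificate yet, so create the request (only once).
    if (-not (Test-Path $reqPath)) {
        New-ExchangeCertificate -GenerateRequest `
            -SubjectName "c=US, o=Example Org, cn=$subjectCN" `
            -DomainName $names `
            -PrivateKeyExportable $true `
            -Path $reqPath
    }
    Write-Host "Submit $reqPath to the CA, save the reply as $cerPath, then run again."
}
else {
    # Stage 2: import the issued certificate and compare its names with the list.
    $cert    = Import-ExchangeCertificate -Path $cerPath
    $covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = @($names | Where-Object { $covered -notcontains $_ })

    if ($missing.Count -gt 0) {
        # Refuse to bind a certificate that would still trigger name-mismatch errors.
        Write-Warning ("Not enabling: certificate lacks " + [string]::Join(', ', $missing))
    }
    else {
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'
        # Show which certificate is now bound to which services.
        Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services
    }
}
```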
 

Author Closing Comment

by:pcamis
ID: 31570538
Thanks!
0
