Solved

How do I obtain and install a security certificate for an Outlook Web Access login page?

Posted on 2009-05-11
Last Modified: 2012-05-06
I am running Exchange Server 2003 on a server that is running Windows Server 2003.  We use Outlook Web Access quite frequently to check our e-mail when we are out of the office.  The first issue that I have is that to get to the OWA login page, I have to type https://ipaddress/exchange where ipaddress is our static IP address from our ISP.  I would like to change that to be able to type https://owa.4grace.org or something to that effect.  Is this possible, and if so, could you provide dummy proof step by step instructions on how to do so?  The second issue that I have is once I type in https://ipaddress/exchange, it takes me to a screen that says:

 There is a problem with this website's security certificate.
 
 The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
  We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  
     More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.


My question for this issue is how do I correct this problem?  Do I need to purchase a security certificate?  If so, where do I go to purchase that and how do I install it?  One thing to keep in mind, we will be connecting our Palm Treo 755p's to this Exchange Server using Versa Mail so the security certificate will also have to work with that.  

Any help on these issues would be greatly appreciated.  Thank you so much for your time and I look forward to hearing back from you.
 

Question by:gccITteam
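The warning quoted in the question is the browser's name check: the host in the URL (here an IP address) is compared with the names inside the certificate. The following is an added example, not part of the original thread, of that check next to a simplified issuer-trust check; the certificate, host names and addresses are constructed placeholders, and `trusted_issuers` is a hypothetical stand-in for the client's trusted root store (real clients verify the signature chain).

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the names are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("commonName", "mail.example.org"),),),  # same as subject: self-signed
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
}

def _label_match(pattern, host):
    """Case-insensitive match; '*' may replace the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return (dns_names, ip_addresses) the certificate is valid for."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:  # legacy fallback to commonName when no SAN exists
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips

def name_matches(cert, url_host):
    """An IP literal in the URL only matches an IP entry, never a DNS name."""
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(url_host)
    except ValueError:
        return any(_label_match(n, url_host) for n in dns)
    return any(ipaddress.ip_address(i) == addr for i in ips)

def diagnose(cert, url_host, trusted_issuers=()):
    """List the independent warnings a client would raise for this host."""
    problems = []
    if not name_matches(cert, url_host):
        problems.append("name-mismatch")
    # Simplification (assumption): trust is modelled as issuer-name membership.
    if cert.get("issuer") not in trusted_issuers:
        problems.append("untrusted-issuer")
    return problems
```

With the sample certificate, browsing by IP address still reports a name mismatch after the issuer has been trusted, while browsing by a name listed in the certificate does not.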
 
LVL 15

Expert Comment

by:zelron22
ID: 24356919
To access OWA from the Internet using an FQDN such as "http://webmail.yourdomain.com" you need to have a host record added by your DNS hosting service.  

For the certificate, you can purchase one from Thawte, Verisign, GoDaddy, or any number of other places.  If you don't purchase one, you have to generate one and hand it out to everyone who's going to connect to your server otherwise they won't be secure.  

How to generate a cert request:  http://support.microsoft.com/kb/228821

You definitely want to use a certificate and SSL, otherwise everything is free and clear on the Internet.



0
 
LVL 14

Expert Comment

by:mds-cos
ID: 24357330
"Dummy-proof steps"

Each hosting company has somewhat different procedures.  If you do not know how to get DNS records added, you should call the company that hosts your DNS (most likely your web hosting service) and let them know that you need to add a host record.  They will either take the information or point you to a control panel.  What you are going to add is the host "owa" (or whatever you choose to call it) with the static IP address of your server.

When you change from using the static IP address to using a friendly name, you will probably need to generate a new certificate.

The certificate warning you are getting is not an error or a problem.  It just means that Microsoft is stupid (sorry, but I don't usually hold back on the way I feel about stupid programmers).  What the message is telling you is that your server uses a "self signed" certificate.  There is NOTHING WRONG with a self-signed certificate, but Microsoft seems to think that putting up a severe warning that only technical people understand is a good idea.  Get a clue, eh?  There are really only 2 differences between a purchased certificate and a self-signed certificate.  When you purchase a certificate, the CA (Certificate Authority) is supposed to verify that you really are who you say you are.  For financial transactions and such this is a great thing!  Not that it means a whole heck of a lot given that only a fairly technical person knows enough to check the certificate and see who it was issued to.  When you "self sign" a certificate it means no third party has verified that "yes indeed, you really are John Doe".  The second difference is obvious -- you have to pay for a certificate from a third party issuer....and you have to keep paying for it every time the certificate expires.

For internal use, a self-signed certificate is just fine.  Your system already has this type of certificate, which means you probably have the CA set up somewhere on your network to generate self-signed certificates.  All you need to do is educate your users that the stupid Microsoft message does not mean anything -- and they should continue to the site.  You might even want to provide instructions for them to install the certificate onto their computer to prevent the stupid message from coming up on their PC in the future.

If your users cannot be educated, purchase a certificate and you will not receive the warning about a self-signed certificate.  Thanks to Microsoft, companies needlessly purchase security certificates every day for web sites.  Not because the purchased certificates are better security, but because they don't want people to get scared away by the stupid message.

Any certificate (self signed or purchased) should work fine with the Palm Treo.  I usually implement self-signed certificates for e-mail security, but have also purchased from Thawte when politics demanded wasting money.


The certificate itself will need to be installed in the IIS admin console.  If you are running SBS2003, you can use one of the wizards to both generate the certificate and install it.  If you are not running SBS, go into IIS management from Administrative Tools to put the new security certificate in place.


Now, given that you are a church I am going to step back and tell you that you may want to consider running without SSL (gasp!).  I am not saying you should do this, but that you should consider it.  Going straight HTML takes away the added security of encryption, but it also takes away the administrative setup.  As a church, you may have absolutely no proprietary or confidential information to protect in your e-mail system.  If a username or password is compromised, there may be no data to steal.  And most of your e-mail is floating around the Internet free-text to begin with (unlike corporations where much of the e-mail is internal only).  Hey, we lock the door to protect things.  If there is nothing to protect why spend a bunch of time / effort / money on the lock?
0
 

Author Comment

by:gccITteam
ID: 24369155
I definitely want to keep running with SSL.  I am running Server 2003, not SBS2003.  With that being said, how do I go about creating, signing, and installing my own security certificate?  Secondly, how can I obtain this certificate to install on other computers and my palm treo's?  If you could provide step by step instructions, that would be absolutely marvelous.  Thank you so much for your help.  This site has been a life-saver.
0
 
LVL 14

Accepted Solution

by:
mds-cos earned 500 total points
ID: 24460381
Sorry for the delay -- work very hectic...

1)  I expect you have Microsoft Certificate Services set up on one of your systems.  If not, you can configure this and generate your certificate.  http://technet.microsoft.com/en-us/library/bb727098.aspx

2)  I have only had to install a certificate on one phone -- a MotoQ from Verizon.  Other smart-phones I've worked with have not had any problems with the self-signed certificate.  If you do need to install the certificate, it is going to be phone and possibly even vendor specific (the MotoQ I mentioned was a Verizon specific procedure).  You can get the CA certificate itself from your Certificate Server.  Or if you purchase a certificate you can download the CA certificate from the provider.

3)  For servers, install the certificate right from Internet Explorer.  Follow the View Certificate button on the security warning page, then you will have the opportunity to install the certificate.


Sorry if this is short.  I am in the middle of rebuilding a server.
0
 