dioricit asked:
Exchange 2007 SSL Certificate Installed Now Get Security Alert from Outlook

Today I purchased and installed an SSL certificate for my Exchange 2007 Server. I had the certificate issued for mail2.myorg.com. Now OWA works like a champ, no certificate warning issues. The two services I enabled through the PowerShell for this certificate were SMTP and IIS. Unfortunately, now every client using Outlook inside my organization is getting a security alert indicating the security certificate is from a trusted certifying authority, the security certificate is valid, however the name on the security certificate is invalid or does not match the name of the site. I know it is because internally, my mail server is mail2.myorg.domain.com, but I do not know what I need to do to resolve the issue. Any help would be greatly appreciated.
Mestha:
Did you purchase a regular certificate or a SAN/UC certificate?
If it was a regular certificate, that is your problem. You need a SAN/UC certificate with the multiple names on it.

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

It is possible to use a single name certificate, but if you want to use Outlook Anywhere, your external DNS provider must support SRV records; most do not.

Simon.
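A quick way to see the mismatch the answer above is describing is to compare the names on the certificate with the host names Exchange actually publishes. The script below is an added example, not code from the thread or from Microsoft: the three certificate name sets and the URL list are constructed for illustration (the internal name mail2.local.domain.company.org and the public name mail2.company.org are taken from the thread; the Autodiscover/EWS/OAB paths are the standard Exchange 2007 ones), and the commented Get-* cmdlets show where the real values come from on an Exchange 2007 server. It also applies the wildcard rule that tripped the asker up later: `*.company.org` covers one label only, so it matches mail2.company.org but not mail2.local.domain.company.org.

```powershell
# Added example (not from the thread): check which of the host names Exchange
# clients connect to are actually covered by the names on the certificate.
# The certificate names and URL list below are constructed for illustration;
# the commented Get-* cmdlets show where the real values come from.

function Test-CertNameCovers {
    # Returns $true if $HostName is matched by any name in $CertNames.
    # Wildcard rule (RFC 2818/6125): "*.company.org" covers exactly one label,
    # so it matches mail2.company.org but NOT mail2.local.domain.company.org.
    param([string[]]$CertNames, [string]$HostName)
    $h = $HostName.ToLowerInvariant()
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".company.org"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed sample: a single-name certificate, a wildcard, and a SAN/UC certificate.
# Real values on the server:
#   (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains | ForEach-Object { $_.ToString() }
$certSets = @{
    'single-name' = @('mail2.company.org')
    'wildcard'    = @('*.company.org')
    'SAN/UC'      = @('mail2.company.org', 'autodiscover.company.org',
                      'mail2.local.domain.company.org', 'mail2')
}

# Constructed sample of the URLs Outlook will hit. Real values on the server:
#   (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
#   Get-WebServicesVirtualDirectory | Select-Object InternalUrl, ExternalUrl
#   Get-OabVirtualDirectory        | Select-Object InternalUrl, ExternalUrl
#   Get-ActiveSyncVirtualDirectory | Select-Object InternalUrl, ExternalUrl
$urls = @(
    'https://mail2.local.domain.company.org/Autodiscover/Autodiscover.xml',  # internal Autodiscover (SCP)
    'https://mail2.local.domain.company.org/EWS/Exchange.asmx',              # EWS InternalUrl
    'https://mail2.local.domain.company.org/OAB',                            # OAB InternalUrl
    'https://autodiscover.company.org/Autodiscover/Autodiscover.xml',        # external Autodiscover
    'https://mail2.company.org/owa'                                          # OWA ExternalUrl
)

foreach ($set in $certSets.Keys) {
    Write-Output ("--- certificate: {0} ({1})" -f $set, ($certSets[$set] -join ', '))
    foreach ($u in $urls) {
        $hostName = ([Uri]$u).Host
        $ok = Test-CertNameCovers -CertNames $certSets[$set] -HostName $hostName
        Write-Output ("{0,-8} {1}" -f $(if ($ok) { 'OK' } else { 'MISMATCH' }), $u)
    }
}
```

Run it in the Exchange Management Shell with the constructed lists swapped for the real ones. Every line reported as MISMATCH is a URL for which Outlook will raise exactly the "name on the security certificate is invalid" alert from the question; the only two ways to clear a line are to put that host name on the certificate (the SAN/UC route) or to change the URL so it uses a name that is on the certificate.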
dioricit (ASKER):
The certificate was a regular SSL Certificate from GoDaddy.  We are nonprofit and the certificate for 3 years was only $40 after a coupon code.  I do not see on their site a SAN/UC option.  So assuming I have bought a single name certificate, what can I do?
Follow this guide to solve your problem:

http://support.microsoft.com/kb/940726
GoDaddy call them multiple name certificates and they are $60/year or something like that.

While I appreciate that you are non-profit, it still needs to be done correctly. If your external DNS provider does not support SRV records then you will be unable to use Outlook Anywhere for example.

The KB article linked to above resolves the problem internally, however what it does not deal with is the problem of autodiscover failing to work externally. If autodiscover doesn't work then you have no availability service, which means no free/busy and unable to configure Out of the Office.

Simon.
My Exchange 2010 runs off a Turbo SSL from GoDaddy bought 2 years ago for 30 bucks; works flawlessly.
Mestha,

Thank you for that info.  $60/year is not nearly as bad as the $400/year at other locations.  I will go that route.
OK, called GoDaddy and they said I needed the unlimited subdomain SSL certificate. Purchased it, generated my CSR using the following command:

New-ExchangeCertificate -GenerateRequest -Path c:\mail2_company_org.txt -KeySize 2048 -SubjectName "c=US, s=Virginia, l=Richmond, o=company inc, ou=Information Technology, cn=mail2.company.org" -DomainName mail2.local.domain.company.org, mail2 -PrivateKeyExportable $True

Did the import back in using PowerShell, enabled SMTP and IIS, and am still running into the same issue. Any ideas?
You have to change the internal URLs for Exchange from mail.local.domain.company.org to mail2.company.org and make sure that name resolves internally.

As specified EXACTLY in the answer I gave you earlier, you did not have to switch certificates.
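The two steps in the reply above (re-point the internal URLs at the certificate name, then make that name resolve internally) are the procedure in the KB article linked earlier. What follows is an added example of that procedure, not code from the thread or from the KB article: the Client Access Server name `EXCAS01` and the internal address `10.0.0.25` are assumptions, `mail2.company.org` is the certificate name from the thread, and the virtual directory identities and URL paths are the standard Exchange 2007 ones.

```powershell
# Added example (not from the thread): the KB 940726 approach for a single-name
# certificate. Every internal URL Outlook learns through Autodiscover is
# re-pointed at the name on the certificate, and split DNS makes that name
# resolve to the internal address. Server name and IP below are assumed.
$cas        = "EXCAS01"            # assumed: Client Access Server name
$certHost   = "mail2.company.org"  # the CN on the single-name certificate
$internalIp = "10.0.0.25"          # assumed: internal IP of the CAS

# Autodiscover SCP: the URL domain-joined Outlook reads from Active Directory
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$certHost/Autodiscover/Autodiscover.xml"

# Services Autodiscover hands back: EWS (free/busy, Out of Office), OAB,
# and Unified Messaging if that role is installed
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$certHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$certHost/OAB"
# Set-UMVirtualDirectory -Identity "$cas\UnifiedMessaging (Default Web Site)" `
#     -InternalUrl "https://$certHost/UnifiedMessaging/Service.asmx"   # only with the UM role

# Verify, then reload IIS so the new URLs are served
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, InternalUrl
Get-OabVirtualDirectory -Server $cas | Format-List Identity, InternalUrl
iisreset /noforce

# Split DNS on the internal (AD-integrated) DNS server: mail2.company.org must
# resolve to the internal address. A zone for just the host name avoids
# shadowing the rest of the public company.org zone (www, etc.).
dnscmd localhost /ZoneAdd mail2.company.org /DsPrimary
dnscmd localhost /RecordAdd mail2.company.org "@" A $internalIp
nslookup mail2.company.org
```

Two caveats a practitioner should keep in mind. First, internal Outlook clients will now connect to mail2.company.org, so that name must resolve to the CAS from every internal subnet before you restart Outlook, or clients will lose free/busy rather than just see the warning. Second, this only clears the internal alert; as Mestha noted above, external Autodiscover still needs either autodiscover.company.org on the certificate or an SRV record at the external DNS provider.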
ASKER CERTIFIED SOLUTION
Mestha
This solution is only available to members.
We will have to agree to disagree; I've set up multiple client Exchange servers this way: autodiscover, ActiveSync, OWA all work with a simple Turbo SSL from providers such as GoDaddy.

This is done by simply having the domain's subdomains point to the Exchange server.

I.e. for most of my customers mail.domain.com works; they use this for mail (MX record) and OWA (https://mail.domain.com/owa).

You then add autodiscover.domain.com and point it at the Exchange server as well, and it works. autodiscover.domain.com is not required to be in the certificate; it will use the CN (common name), which is usually domain.com.

It does not require SRV records at all, and for it to work internally you can point your internal DNS to the same names, just with the internal IP address.

It is however no skin off my nose if you disagree :-)
You were dead on. GoDaddy talked me out of the correct certificate for the wildcard one. Took a couple of phone calls to get it straight, but I have purchased the right certificate now, issued it, installed it, and my issues are gone. Thanks again for everyone's help.