ActiveSync & OWA failing with SSL error even though I got the SSL certificate from DigiCert, using Forefront TMG and Exchange 2010

Hi all,

I can't get ActiveSync or OWA working, as I get a certificate error.

OWA lets me log in, then I get "page can't be displayed": "the certificate chain was issued by an authority that is not trusted (-2146892019)".

For my SSL certificate I have:
mail.mydomain.org
autodiscover.mydomain.org
CH-EX.internaldomain.local
CH-EX

I created the certificate request in Exchange, completed it, then imported it on Exchange.
I then exported it through the Certificates MMC snap-in on the Exchange server and imported it onto the TMG server.

I also downloaded all my intermediate and root certs and added them via the Certificates MMC; still nothing.

Can anyone help me find out what's gone wrong here?
Thanks.
Testing Exchange ActiveSync
  Exchange ActiveSync test failed.

  Test Steps
    Attempting to resolve the host name mail.mydomain.org in DNS.
      Host successfully resolved.
      Additional Details: IP(s) returned: xxx.xxx.xxx.xxx
    Testing TCP port 443 on host mail.domain.org to ensure it is listening and open.
      The port was opened successfully.
    Testing SSL certificate for validity.
      The SSL certificate failed one or more certificate validation checks.

      Test Steps
        Validating certificate name
          Successfully validated the certificate name.
          Additional Details: Found hostname mail.mydomain.org in certificate Subject Common Name.
        Validating certificate trust for Windows Mobile devices
          Certificate trust validation failed.
          Additional Details: The certificate chain did not end in a trusted root. Root = CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Asked by awilderbeast

Akhater commented:
The intermediate certificates look like they are in the Personal certificate store; they should be in the Intermediate CA store.

Akhater commented:
What kind of certificate is it? A third-party one?

When you go to MMC > Certificates > Computer > local store and check the certificate you have imported, does it have a private key?

If you go to the last tab, can you go back to the root certificate?

Akhater commented:
I just noticed you specified a DigiCert certificate. Are you sure you imported it into the computer certificate store, not the user one?

awilderbeast (author) commented:
Third-party cert from DigiCert.

The DigiCert certificates don't have private keys; the mydomain.org certificate has a private key on both the Exchange and the TMG server.

I have installed them on the local computer, yes, not the user.

I went to Exchange, opened the MMC and exported the certificate including all certificates in the path,
then I imported it on the TMG server. See screen 1; then screen 2 says I don't have the private keys for the DigiCert certificates. Do I need them? Is that why it's untrusted?

cert1.PNG
cert2.PNG

awilderbeast (author) commented:
OK, I looked on the Exchange server at where all the certs were. I then did an export of my cert as a .pfx, including private keys and extended properties, and included all certs in the path with it.

Then I imported it on the firewall and let the wizard choose where to place the certificates.
I then compared the Exchange MMC to the TMG MMC and there were still some differences: on the TMG there wasn't a certificate in Third-Party Trusted Root, and there was only one cert in Intermediate as opposed to two on the Exchange server.

So I exported them and imported them into the TMG. I went to https://mydomain.org/owa; the login page appears, saying it's secure, but when I put in credentials and log in I get:

Page cannot be displayed
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)

What else could I have done wrong?

Thanks

awilderbeast (author) commented:
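As an added example (not code from this thread or from Microsoft), here is a PowerShell check that does on the TMG box what the accepted answer describes doing by eye in the MMC: it builds the chain for the web listener certificate the way Windows builds it, then reports which computer store holds each CA certificate in that chain, flagging an intermediate that sits in Personal (My) instead of Intermediate Certification Authorities (CA), or a root missing from Root / Third-Party Root (AuthRoot). The TMG error code -2146893019 is 0x80090325, SEC_E_UNTRUSTED_ROOT, which is the same condition X509Chain reports as UntrustedRoot or PartialChain. The hostname mail.mydomain.org is an assumed placeholder taken from the question; the script uses PowerShell 2.0 syntax so it runs on the Windows Server 2008 R2 host TMG 2010 is installed on.

```powershell
# Added example (not from the thread): check the server certificate's chain and
# report where each CA certificate lives on this machine. Run in an elevated
# PowerShell on the TMG (or Exchange) server. Assumed value: the published name below.
$siteName = 'mail.mydomain.org'

# The web listener certificate must be in the computer Personal store with its private key.
$siteCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$siteName*" } |
    Select-Object -First 1
if (-not $siteCert) { throw "No certificate for $siteName in Cert:\LocalMachine\My" }
"Server cert : $($siteCert.Subject)"
"Thumbprint  : $($siteCert.Thumbprint)"
"Private key : $($siteCert.HasPrivateKey)"

# Build the chain the same way Windows builds it for OWA/ActiveSync. Revocation checking
# is turned off so only the trust path is tested; UntrustedRoot / PartialChain here is
# what surfaces as 0x80090325 (-2146893019) in the TMG error page.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($siteCert)
"Chain builds: $built"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }

# For each CA certificate above the leaf, list the LocalMachine stores that hold it.
# Intermediates belong in CA, the root in Root or AuthRoot; a copy in My (Personal)
# is the misplacement the accepted answer points at.
$storeNames = 'My', 'CA', 'Root', 'AuthRoot'
$caElements = @($chain.ChainElements | Select-Object -Skip 1)
foreach ($element in $caElements) {
    $cert   = $element.Certificate
    $isRoot = ($cert.Subject -eq $cert.Issuer)
    $inStores = @($storeNames | Where-Object {
        $name = $_
        Get-ChildItem "Cert:\LocalMachine\$name" |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    })
    $wanted  = if ($isRoot) { 'Root', 'AuthRoot' } else { ,'CA' }
    $placed  = @($wanted | Where-Object { $inStores -contains $_ }).Count -gt 0
    $verdict = if ($placed) { 'OK' } else { "MISSING from $($wanted -join '/')" }
    if ($inStores -contains 'My') { $verdict += ' (also in My: remove that copy)' }
    ""
    "  $($cert.Subject)"
    "    found in: $(if ($inStores) { $inStores -join ', ' } else { 'no LocalMachine store' })"
    "    verdict : $verdict"
}
```

If a CA certificate is reported only in My, delete that copy and import the certificate into the store the verdict names (CA for intermediates, Root or AuthRoot for the root), then restart the Microsoft Forefront TMG Firewall service or reboot, as the thread found was needed, and re-run the script until the chain builds with no status entries.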
I got in touch with my SSL provider... all I had to do was reboot the machines! Haha.

awilderbeast (author) commented:
I also had to get the certs in the right place, which I did beforehand.

Your comment about moving them to the Intermediate store helped.