exchange 2007 self signed cert expired, replaced now getting securtiy popup.

a new certificate was generated and now users are getting security alerts saying "The name on the security cert is invalid or does not match the name of the site"

says the cert is not trusted. to enable trust, install the cert in the trusted root cert auth store.

can anyone help?
dirkdigsAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

cmorffewCommented:
had this issue with outlook 2007/exchange 2003, you have to make sure you issue the root certificate to the users and not the site certificate.

e.g.
certificate authority is called ca.domain.com
mail server is called mail.domain.com

certificate issued by ca.domain.com for mail.domain.com  however then ca.domain.com has the root certificate.

The root certificate is the certificate that authenticates the certificate authority.  without this the mail server certificate is invalid to a user as they have no way of determining if the certificate is genuine. - i had to install both the root certificate and the mail server certificate to solve my issues.

To install certificate:
1. logon to Certificate authority and export the root certificate

2. save the root certificate to the desktop for easier access

4. Go to your desktop and right mouse click on the .cer file and choose install certificate

5. Click next

6. Choose “Place all certificates in the following store”

7. Click browse

8. Choose “Trusted Root Certificate Authorities”

9. Click ok

10. You will now be back at the screen in step 6, except with our selections, click next

11.  Click Finish
0
Justin DurrantSr. Engineer - Windows Server/VirtualizationCommented:
I would switch to a 3rd party UC\SAN cert.

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service  endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For  a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember,  the cert request needs to be generated by Exchange using PowerShell.
 http://technet.microsoft.com/en-us/library/aa998327.aspx

When you get the response back from the CA, use the import-certificate command to process  and enable it for SMTP, IIS, etc.
http://technet.microsoft.com/en-us/library/bb124424.aspx


0
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
With Exchange 2007 when the namespace is different from the iis vdirs you will have this problem, here is the fix:

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/


0
Satya PathakLead Technical ConsultantCommented:
Suppose we want to create a UCC self-signed certificate. We will require the following names:

#NETBIOS name of Exchange: EX-2k7 (example)
#Internal FQDN: EX-2k7.abc.local (example)
#External FQDN (Public name): webmail.abc.com (example) (use nslookup/ping to verify the external FQDN)
#Autodiscover name: autodiscover.abc.com (example)
#SubjectName: cn=webmail.abc.com (example)

In EMS, run the following command to generate the new self-signed certificate:

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" -SubjectName "cn=webmail.abc.com" -DomainName EX-2k7,EX-k7.abc.local,webmail.abc.com,autodiscover.abc.com -PrivateKeyExportable $True

Next enable the certificate with Enable-ExchangeCertificate cmdlet. Enable atleast IIS and SMTP.

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxx -Services POP,IMAP,SMTP,IIS

Next verify certificate has been installed using EMS/IIS Manager or both. (Sometimes you may have to remove the certificate and then install/enable certificate again).

Some important points:

1. If you are creating a self-signed certificate, it is always better to create one that has all the subject alternative names specified above. This will prevent any certificate security warnings related to name mismatch. If you are creating single-name self-signed certificate, you would have to modify internal URIs of multiple virtual directories as explained in KB940726. The other benefit of multiple SANs is avoiding event 12014 and similar events.

2. Autodiscover for non-domain joined machines will work only after record is created in external DNS

3. You will have to install the certificate in the trusted root on client machines else you will receive a certificate warning. On Vista machines, you will have to run IE with elevated privileges to be able to install the certificate when you open OWA.

4. You can use group policy to install the certificate in trusted root (applicable only to domain joined machines). Copy to file the self-signed certificate (ideally in .p7b format) and then edit the default domain policy and import the certificate into "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities". No user intervention is required once you do this. (Users would have to install the certificate themselves on non-domain joined machines).

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.