
Self signed SSL certificate for Outlook Anywhere & OWA - Exchange 2010

I have just migrated our test environment from Server 2003/Exchange 2003 to Server 2008R2/Exchange 2010.
As it is only a test environment, I do not want to have to buy a public certificate for Outlook Anywhere (& OWA). To this end, I set up a CA server and created what I believe is called a self-signed certificate. I did this from within Exchange 2010 as follows: EMC > Server configuration > Exchange Certificates > New Exchange Certificate, then used ...certsrv to request and download the certificate, and then completed the pending request in EMC.
Finally I assigned it the IIS service so that it can be used for Outlook Anywhere & OWA.

I proceeded to install the certificate on several external PCs (IE7 & IE8) but when I access our OWA web address (https://mail.jp2.co.uk/owa) I still get the: "There is a problem with this website's security certificate..." error.
When I "Continue to this website (not recommended)." and have a look at the untrusted certificate, it contains all the information of my newly created certificate, so the "Issued to" & "Issued by" information matches my certificate.
I can confirm that the certificates were actually installed by checking in MMC > Certificates > Trusted Root Certification Authorities.

I noticed that the certificate is for "Server Authentication" rather than "Secure E-mail"- does this matter? Also, the Certificate information in EMC says: Self-signed- False.

I'd be very grateful for two answers:
1. Why is it that when an untrusted certificate from a website is imported, the: "There is a problem with this website's security certificate..." error remains? Is there a way for a client to import this untrusted certificate straight from the website to make the website trusted?
What is the difference between the certificate I created and the "untrusted" certificate found when connecting to OWA?

2. How can I get the certificate to work? The certificate I created for Exchange 2003 OWA always worked well i.e. you install it on a client PC and the website becomes trusted.

Please let me know if you require any further details- thanks!

Paul MacDonald, Director, Information Systems

Commented:
1.  Unless your CA infrastructure is available publicly, there's no way for external clients to verify the validity of the certificate.
2.  Make your CA available publicly?

Commented:
The problem is that you did not create a "self-signed" certificate at all. Your certificate was generated by a real CA. As such, what you need to do is export the CA certificate (public key only) and then import it into the "trusted root certificates" on each machine you are doing your testing on. That way not only is your certificate trusted, but so is its certificate chain.
I think you are installing the wrong certificate on your clients: you should install the "CA certificate" on your clients to trust the "Server certificate" that you created and that should be used to run the SSL service (in your case, OWA).

Steve, Architect/Designer

Commented:
SSL certificates serve 2 main purposes:
a) Identifying the website you have connected to.
b) Encrypting the traffic between you and the server.

A self certified certificate means the server using the certificate authorised its own certificate, meaning no externally trusted source can confirm who/what/where/why this server exists and if it really is who you think it is.
>This is like going into a bank to withdraw money without ID and insisting it is your account with no way of proving it.

While this does absolutely nothing to identify the server you are connecting to (purpose a), it still allows you to encrypt traffic between you and the server (purpose b) and is often used as a low cost solution to get SSL encrypted traffic without cost.

As you have created a CA server and got the certificate from there, this is not a self certified certificate. This is a proper certificate. The problem is that no-one other than you knows about or trusts the CA that provided the certificate.
> This is like going into a bank to withdraw money without ID and having a friend (3rd party) stood next to you saying 'yes, it is his account.' If the 3rd party is trusted by the bank (someone they are happy to trust, like the bank manager) then this would be sufficient.
If they have no idea who the 3rd party is then they will tell you to get stuffed!

As no-one knows or trusts your CA, having this 3rd party confirming the identity of your exchange server is a bit useless.
If the PCs are yours you can manually import the certificate so it is trusted by the machines. If they are not yours you need to find another option.

Anyway, what error does the certificate message show when people connect?
It may just be a URL mismatch if you're lucky.

If you want to save yourself a lot of time and frustration get a Unified Communications Certificate (UCC) from GoDaddy. These certs are made for Exchange and they will even help you set it up over the phone. I used to play around with all this self signed stuff and it's just not worth the time and effort when compared to the ease of installing a UCC.

Commented:
You need to use the website template, not the server template when you request the certificate from your cert server.

Author

Commented:
Thanks for your input.

Paulmacd: The certificate service is publicly available through IIS. Our production environment (Server 2003/Exchange 2003) works in exactly the same way. This is how you do it in Exchange 2003: http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Cqaliher: You are right, in EMC it says “false” under “self-signed”. Can you please let me know the steps to create a self-signed certificate?

Filippo69: Please explain what you mean by “CA certificate”.

Totallytonto: Not sure about your answer; the CA is publicly available through my DC's IIS. As mentioned above, this is the same method that I currently have in use in my production environment.

Uescomp: There is no “website template” when I request the certificate from .../certsrv. The options are: user, Basic EFS, Administrator, EFS Recovery Agent, Web Server & Subordinate Certification Authority.
Shreedhar Ette, Technical Manager

Commented:
Hi,

Refer this to create Self Signed certificate:
http://cid-a19e3265de255fbb.spaces.live.com/blog/cns!A19E3265DE255FBB!2775.entry

Hope this helps,
Shree
Gotta tell ya, if you got a UCC you would be done by now.
I mean "Certificate Authority root certificate".
You can download it from IE - localhost\certsvr and distribute it to your clients.

Steve, Architect/Designer
Commented:
@mark-199

Being publicly available is not the same as being known and trusted (The Daily Sport newspaper is 'publicly available' but I doubt many people would trust the stories printed in it.)
Just because your CA is available it doesn't mean that anyone on the internet knows about it or counts it as a trusted CA source.

If a bloke you don't know tells you you can trust him you probably wouldn't, as you have no frame of reference. That's what trusted, public CAs are for, as they are already known and trusted by the public.

Two options:
a) create an SSL and install it on PCs as you hoped. This will work fine.
b) install the CA as a trusted CA onto the PCs. This will also work.
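Steve's two explanations above (a CA-issued certificate is not self-signed, and the client must trust the CA, not just hold a copy of the server certificate) can be reproduced in miniature with openssl. The script below is an added example, not code from this thread or from Exchange; the hostname and CA name are placeholders. It builds a private CA, issues a server certificate from it, builds a genuinely self-signed certificate for contrast, and then runs `openssl verify` three ways: with only the server certificate in the client's trust store (what the asker did), with the CA's root certificate in the trust store (option b), and with the self-signed certificate trusting itself (option a).

```shell
#!/bin/sh
# Added example (not from the thread): a private CA signs a certificate for the
# OWA host; a client that only imported the server certificate still cannot build
# a trusted chain, while a client that imported the CA root can. A truly
# self-signed certificate is shown for contrast. Names are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="mail.example.test"          # placeholder for the OWA hostname

# The private CA: this root certificate is what the CA server creates when it
# is installed, and what the "Download a CA certificate" link hands out.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# The server certificate: a request from the web server, signed by the CA.
# Its issuer is the CA, so "Self-signed: False" is the correct description.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# A genuinely self-signed certificate: issuer equals subject, signed by its own key.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# Verify a certificate ($1) against a trust store ($2): a PEM file standing in
# for the client's Trusted Root Certification Authorities. Prints trusted/untrusted.
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca
make_server_cert
make_selfsigned

# What the client imported, and what it gets for the OWA connection
echo "CA-issued cert, client imported the server cert: $(verify_against "$WORK/server.pem" "$WORK/server.pem")"
echo "CA-issued cert, client imported the CA root:     $(verify_against "$WORK/server.pem" "$WORK/ca.pem")"
echo "self-signed cert, client imported that cert:     $(verify_against "$WORK/self.pem" "$WORK/self.pem")"
echo "self-signed cert, client imported the CA root:   $(verify_against "$WORK/self.pem" "$WORK/ca.pem")"
```

The second line is the fix the thread converges on: once the root is trusted, every certificate the CA issues chains up to it. The first line is the asker's symptom: openssl, like the browser, only treats a self-signed certificate in the store as a trust anchor, so a copy of the CA-issued server certificate in Trusted Root does not make the chain valid. The third line is why the old Exchange 2003 self-signed certificate "just worked" when installed on a client.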

Author

Commented:
No

Author

Commented:
Sorry, my response somehow got deleted when I closed this question.

totallytonto & filipo69, both of you were right in that a CA certificate was needed as this will then allow the client to trust the OWA certificate from the Exchange server.
However, I was unable to create such a CA certificate through IE/certsrv. Instead I had to open the OWA certificate, go to certification path, open the root CA certificate, which I was then able to export to my client. This created a CA certificate, which I can now distribute to my client PCs.

There must be an easier, server based way of doing this...

Thanks for all your input.
Mark, you should not create the CA certificate on IE - localhosts\certsrv, it is automatically created when you installed CA Server on your Windows 2003.

In IE - localhosts\certserv, the third choice is (or should be) "Download a CA certificate ..".
Mmmhh, just in case.

You can also download the certificate DIRECTLY on your client, from IE - you should type http:\\name_of_your_2003_ca_server\certsrv ...

Author

Commented:
Hi Filippo

Thanks for that tip- it worked! It's actually Server 2008R2 but certsrv hasn't changed since Server 2003.

Would you or anyone else have a quick answer to a couple more questions?
1. Does it matter if I choose DER or BASE64 encoding? I guess I could just try both of them and see if it works...
2. What are the certificates you can create in Exchange 2010 for? (EMC > Server configuration > Exchange Certificates > New Exchange Certificate) are these needed for Outlook Anywhere i.e. mobile devices, RPC over http etc?

Thanks
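On question 1 above (DER or Base64 when downloading the CA certificate): the two options are two encodings of one and the same certificate, binary versus Base64 text, so the choice only matters to the tool that has to read the file. The script below is an added example, not from this thread or from certsrv; it creates a throwaway self-signed certificate with a placeholder name, converts it between the two encodings, and checks that both carry the same certificate by comparing thumbprints and by round-tripping back to the original bytes.

```shell
#!/bin/sh
# Added example (not from the thread): DER and Base64 (PEM) are two encodings
# of the same certificate. A throwaway self-signed certificate stands in for
# the CA certificate; its name is a placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway certificate in Base64 (PEM) form, as certsrv's "Base 64" option gives
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Placeholder Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Convert Base64 to binary DER, and DER back to Base64
to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2" 2>/dev/null; }
to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2" 2>/dev/null; }

# SHA-256 thumbprint of a certificate file in the given encoding ($2 = PEM or DER)
thumbprint() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

to_der "$WORK/ca.pem" "$WORK/ca.der"
to_pem "$WORK/ca.der" "$WORK/ca_roundtrip.pem"

# Both encodings yield the same thumbprint (the thumbprint is computed over the
# DER bytes, which is also what the Base64 text decodes to)
same_thumbprint() {
  [ "$(thumbprint "$WORK/ca.pem" PEM)" = "$(thumbprint "$WORK/ca.der" DER)" ]
}

# PEM -> DER -> PEM reproduces the original Base64 file exactly
round_trip_identical() {
  [ "$(cat "$WORK/ca.pem")" = "$(cat "$WORK/ca_roundtrip.pem")" ]
}

echo "Base64 thumbprint: $(thumbprint "$WORK/ca.pem" PEM)"
echo "DER thumbprint:    $(thumbprint "$WORK/ca.der" DER)"
```

The thumbprint shown in the Windows certificate dialog is the same kind of hash over the DER bytes, so after importing either download you can confirm on the client that it is the expected root by comparing that value against the one on the CA server.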

Commented:
I would highly suggest going to godaddy and buying a cert. With a promo code you can get one for $13...
Is there any other way of going about it other than buying a cert from another company?

I guess that is the whole problem. If a person tells you to trust them and you have no other reference, is the person really trustworthy?