Replacing a self-signed certificate

someITGuy
I get this message when I run Exchange 2007 SP3 BPA:

The SSL certificate for 'https://xxxxx.xxxx.xxx/EWS/Exchange.asmx' is self-signed. It does not provide any of the security guarantees provided by authority-signed or trusted certificates. It is strongly recommended that you install an authority-signed or trusted certificate.

I get the same error for the Autodiscover, Microsoft-Server-ActiveSync & Service certificates.

I do have a certificate from Verisign for OWA only. Do I need a certificate for each of these 4 other self-signed certificates, or can I use one certificate for all of them?

What is the procedure for moving from a self-signed to a commercial certificate?

TIA
What server are you running? You can change the server certificate in IIS under the default website, then exchange.

How many users are using the services externally (ActiveSync, RPC over HTTP, etc.)? They'll reconnect to get the new certificate.

Author

Commented:
I am on Exchange 2007, about to migrate users from an Exchange 2003 environment. I have a fair amount of OWA users; the other services are lightly used at this point.

So do I need to get a cert for each of these 4 services or will one cert handle them all without certificate errors?
OWA, Autodiscover and ActiveSync are all web services that share a web site and therefore share a certificate.
You just need to run the Get-ExchangeCertificate cmdlet to identify your Verisign certificate,
then you run Enable-ExchangeCertificate -Thumbprint <verisign> -Services IIS,POP,IMAP.
If you haven't installed the certificate on the 2007 server, you'll need to do that first, of course.
While the error you post pops up, it's mainly a warning. You can use a self-signed certificate, but it's best to use an official one. The one you have for OWA, does it say mail.yourdomain.com?

If so you should be okay to install it on the other services since the certificate will check to make sure the name the service is trying to access matches the server.

Author

Commented:
Actually my OWA cert says owa.mydomain.com

Do I need a cert with the actual server name or will smtp.mydomain.com or mail.mydomain.com suffice since both will point to the frontend server (via a reverse proxy)?
Your reverse proxy needs to have the cert with the public DNS name.
Your CAS server must have a cert that matches the name the reverse proxy uses for internal connections.
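The procedure in the two answers above (find the CA-issued certificate, confirm it carries the names clients and the reverse proxy actually connect to, then bind it to the IIS-hosted services) as one Exchange Management Shell script. This is an added example, not code posted in the thread; the PFX path, the host names and the internal CAS name are placeholders to be replaced with your own.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell
# on the Exchange 2007 Client Access server. All names and paths below are assumptions.
$PfxPath   = 'C:\certs\owa.mydomain.com.pfx'          # assumed location of the CA-issued cert
$PublicFqdn = 'owa.mydomain.com'                      # name in the existing Verisign cert
# Every name a client or the reverse proxy will present in the TLS handshake (assumed):
$WantedNames = @(
    $PublicFqdn,                                      # OWA / EWS / ActiveSync through the proxy
    'autodiscover.mydomain.com',                      # Outlook Autodiscover lookup
    'cas01.internal.mydomain.local'                   # name the proxy uses for its internal hop
)

# 1. Is the CA-issued certificate already in the local machine store?
#    Self-signed certs are identified by IsSelfSigned, with Issuer -eq Subject as a fallback
#    (that equality is exactly what the BPA warning in the question is reporting).
$cert = Get-ExchangeCertificate |
    Where-Object {
        ($_.CertificateDomains -contains $PublicFqdn) -and
        -not ($_.IsSelfSigned -or $_.Issuer -eq $_.Subject)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

# 2. If not, import it. Exchange 2007's Import-ExchangeCertificate takes -Path and -Password.
if (-not $cert) {
    $pfxPassword = Read-Host -AsSecureString "Password for $PfxPath"
    $cert = Import-ExchangeCertificate -Path $PfxPath -Password $pfxPassword
}

# 3. Name check before binding: a cert that only says owa.mydomain.com will still
#    produce name-mismatch errors for Autodiscover and for the proxy's internal hop.
$missing = $WantedNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning ("Certificate {0} lacks: {1}. Request a SAN/UC certificate covering these names " +
                   "(or a separate cert for the internal CAS name) before binding it." -f
                   $cert.Thumbprint, ($missing -join ', '))
    return
}

# 4. Bind the one certificate to all IIS-hosted services (OWA, EWS, Autodiscover, ActiveSync,
#    Outlook Anywhere) plus POP and IMAP. SMTP is deliberately left on its current cert.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,POP,IMAP

# 5. Verify the binding and the live endpoints. Test-OutlookWebServices exercises
#    Autodiscover and EWS, which is where the BPA warning originated.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, Services, NotAfter
Test-OutlookWebServices | Format-Table Id, Type, Message -AutoSize
```

Clients holding an open HTTPS session (OWA, ActiveSync, Outlook Anywhere) reconnect and pick up the new certificate, as the first reply notes; no IIS restart is issued by the script. If the reverse proxy terminates TLS and re-encrypts to the CAS, the name in step 3 marked as the internal hop is the one the proxy must trust, so it needs to appear in the CAS certificate even though external users never see it.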

Author

Commented:
How about if I have 2 CAS servers? Each one needs a unique certificate to handle SSL, correct?
No, typically you use the same certificate and use some type of load balancing to handle connections.
