Exchange 2010, Mobile Phones, and SSL

I recently migrated a Windows 2003 (with Exchange 2003) server to a Windows 2008 (with Exchange 2010) server. The mailboxes migrated fine, but I think I inadvertently broke the SSL hierarchy. I'm pretty good at Exchange but not very good at SSL.

When I log into OWA via Firefox I get this:
"Certificate belongs to a different site, which could indicate identity theft". I accept the certificate anyway and I get into OWA successfully.

When I use a BlackBerry to set up the phone for email I get this error code:

When I set up an iPhone against Exchange I get:
"Unable to verify Certificate from for account could not be verified." - I click "accept".
Then it tells me "exchange account verification failed". If I click next to finish, it asks me for my password over and over.

Here is what I've done to troubleshoot (I left out the actual domain name):
1. Ran the Exchange Remote Connectivity Analyzer:
   ExRCA is testing Exchange ActiveSync.
     The Exchange ActiveSync test failed.
     Test Steps
       Attempting to resolve the host name in DNS.
         Host successfully resolved.
         Additional Details: IP(s) returned: 12.X.X.X
       Testing TCP port 443 on host to ensure it is listening and open.
         The port was opened successfully.
       ExRCA is testing the SSL certificate to make sure it's valid.
         The SSL certificate failed one or more certificate validation checks.
         Test Steps
           The certificate name is being validated.
             Certificate name validation failed.
             Additional Details: Host name does not match any name found on the server certificate CN=admin-exch

2. I've googled the hell out of all the error messages and come out even more confused.

Clearly I need some education here. My questions include:
1. How do I set up a self-signed root certificate for the entire domain with a matching host name?
2. How do I get the iPhone and BlackBerry to work with Exchange 2010?

Thank you in advance.

Gary Dewrell (Senior Network Administrator) commented:
Create a test account on your Exchange server.
Go here:
Click on Exchange ActiveSync,
click Next,
fill out the form using the test account information.

What result do you get?

(Disable the test account when done.)

Gary Dewrell (Senior Network Administrator) commented:
Good luck on the BlackBerry. We have not been able to get any BlackBerrys to work with Exchange 2010.

As for the certificates, the error is saying that the certificate was issued for a server/URL named  but the server name is

Open the Exchange Management Console.
Click on Server Configuration.
Click on the server.
In the bottom window it will list your certificates.
Look for the one that has IIS listed under Services.
Under the Subject column it will list the URL. Is that the URL being used by your clients?
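The check above can also be run from the client side, which is what ExRCA, Firefox and the iPhone are effectively doing: connect to port 443, look at the certificate the server actually presents, and compare the host name the clients type in against the Subject CN and any Subject Alternative Names. The script below is an added example, not code from the thread or from Microsoft; 'mail.example.com' is a placeholder for the public name the clients use, and the SAN parsing assumes an English-locale Windows (the extension's Format() text is localized).

```powershell
# Added example, not part of the original thread: show the names carried by the
# certificate the Exchange server presents on port 443 and test whether the name
# the phones/OWA use is one of them (the ExRCA "certificate name validation" step).
param(
    [string]$HostName = 'mail.example.com',   # assumed: the public name clients connect to
    [int]$Port = 443
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends: we are inspecting the certificate, not trusting it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy into an X509Certificate2 so the extensions stay readable after the stream closes.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17). Format() is locale dependent;
    # on English Windows it reads "DNS Name=mail.example.com, DNS Name=autodiscover.example.com".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names | Select-Object -Unique
}

function Test-HostNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    $hostLabels = $HostName.Split('.')
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label (RFC 6125):
        # *.example.com matches mail.example.com but not a.b.example.com.
        if ($name.StartsWith('*.')) {
            $nameLabels = $name.Split('.')
            if ($hostLabels.Count -eq $nameLabels.Count -and
                (($hostLabels | Select-Object -Skip 1) -join '.') -ieq (($nameLabels | Select-Object -Skip 1) -join '.')) {
                return $true
            }
        }
    }
    return $false
}

$cert  = Get-PresentedCertificate -HostName $HostName -Port $Port
$names = @(Get-CertificateNames -Cert $cert)
"Certificate presented on ${HostName}:$Port"
"  Subject : $($cert.Subject)"
"  Issuer  : $($cert.Issuer)"
"  Names   : $($names -join ', ')"
if (Test-HostNameMatch -HostName $HostName -CertNames $names) {
    "OK: $HostName matches a name on the certificate"
} else {
    "MISMATCH: $HostName is not on the certificate; reissue it with this name in the Subject or SAN"
}
```

Run it from any Windows box that can reach the server, e.g. `.\Check-ExchangeCertName.ps1 -HostName mail.yourdomain.com`. For the certificate in this thread the Names line would show only the short name from the Subject (CN=admin-exch), so any external name the phones use reports MISMATCH, which is exactly what ExRCA reported. A name match only clears one of the two checks a phone performs; the issuer must also be trusted by the device, which is a separate problem from the one this script tests.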
bcarmi (Author) commented:
Thank you for the swift reply.

The cert that has IIS is called "Microsoft Exchange". It's a self-signed certificate valid for IMAP, POP, IIS, and SMTP. Under the Subject column it just says "CN=exch-name".
Shouldn't it be  How would I change that?

Could I create a new certificate for *
When I click on "New Exchange Certificate" and go through the wizard, it asks me for a file with the extension ".req"... how do I generate that request? I've seen some tutorials on .req files for IIS 7, but will that work with Exchange 2010?

Thank you,
Gary Dewrell (Senior Network Administrator) commented:
Do you have an internal CA setup?
If not, you will need to do that if you really want a self-signed one. I personally would purchase a certificate from Thawte, GoDaddy, etc., especially if you want the certificate to be recognized by phones.
But if you really want to use a self-signed one, here is an article that will talk you through the steps of setting up the CA and creating the certificate.
bcarmi (Author) commented:
I'm on Windows 2008.
OK, so I have IIS 7.5 running and Exchange 2010. I installed the root Certificate Authority service on the server and Certificate Authority Web Enrollment.

How do I create, from start to finish, a root certificate from my Exchange server ( and issue it to (different DNS name, same physical server)?

Thank you,
Gary Dewrell (Senior Network Administrator) commented:
Not at my computer so doing this from memory.

1. Run the Exchange New Certificate Wizard to create your certificate request (CSR, .req file).
2. Open a browser and go to http://CAServername/certsrv
3. Choose "Request a certificate".
4. Choose "Advanced certificate request".
5. Choose "Submit a certificate request...".
6. Open the CSR file in Notepad, copy the text (all of it) and paste it into the "Saved Request" box in the browser window.
7. Change the type from Administrator to IIS.
8. Download the new certificate.
9. Run the Complete Pending Request wizard in Exchange and select the downloaded certificate.

Now keep in mind that other PCs outside of your domain, and cell phones will not have the trusted root certificate of your CA server. So they will still get certificate warnings unless they install the root certificate from your CA server.
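The nine steps above can be done without the EMC wizard or the /certsrv page, from the Exchange Management Shell on the Exchange server. The block below is an added example and is not from the thread; the host names, organization, file paths and the CA name are assumptions, and it assumes an Active Directory enterprise CA with the built-in Web Server template published (which is what "change type to IIS" selects in the web form). On a standalone CA the template attribute is ignored and the request sits pending until you issue it in the Certification Authority console.

```powershell
# Added example, not part of the original thread. Run in the Exchange Management
# Shell (Exchange 2010) on the server. All names below are placeholders.
$externalName = 'mail.example.com'              # assumed: public name OWA/ActiveSync clients use
$autodiscover = 'autodiscover.example.com'      # assumed: name Outlook/iPhone Autodiscover looks up
$internalName = 'admin-exch.corp.example.com'   # assumed: internal FQDN of the Exchange server
$caConfig     = 'admin-exch.corp.example.com\Example-Root-CA'  # assumed: "<CA host>\<CA name>", see: certutil -dump
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

# Step 1: generate the request. -DomainName adds Subject Alternative Names, so one
# certificate covers every name the clients use instead of just CN=admin-exch.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$externalName, O=Example Corp, C=US" `
    -DomainName $externalName, $autodiscover, $internalName `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path C:\certs\exchange.req -Value $request -Encoding ASCII

# Steps 2-8: submit the request to the enterprise CA with the Web Server template
# (the same thing the /certsrv form does when you pick the IIS/Web Server type).
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer" `
    C:\certs\exchange.req C:\certs\exchange.cer

# Step 9: complete the pending request and bind the certificate to IIS, which
# serves OWA, ActiveSync, Autodiscover and EWS.
Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\certs\exchange.cer -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services IIS

# Verify: the IIS certificate should now list every name the clients use.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint

# Phones and non-domain PCs still do not trust this issuer. Export the CA's own
# certificate so it can be installed on them (on the iPhone, by opening the .cer).
certutil -ca.cert C:\certs\root-ca.cer
```

The check at the end is the one to look at before touching any phone: if CertificateDomains does not contain the exact name the device is pointed at, the name-validation failure from ExRCA will come back regardless of which CA issued the certificate.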
bcarmi (Author) commented:
Sorry it took me a while to get back to you.
I've completed all the steps, I have completed the certificate request and I see it in the Exchange console... thank you.

However, when I try to connect an iPhone to the Exchange server, it asks me if I accept the unknown certificate from the server and I say "yes". After that I get a message saying "unable to verify account information". It then repeatedly asks for the password. When I try to get the mail, the iPhone says "the connection to the server failed."

On the exchange server there is no evidence of a connection either.

Any suggestions would be very appreciated.
Thank you,
bcarmi (Author) commented:
An update...
I downloaded the ActiveSync Tester for the iPhone and got the following:

Checking connection ... ok
Checking certificate ... fail
Checking application ... ok
Checking version ... fail

ActiveSync is not available... major code: 0xffffffff, minor code: 0x0

The certificate may not be a's just a self-signed cert.
Any suggestions as to where to go from here?