Exchange 2010, Mobile Phones, and SSL

Posted on 2010-08-23
Last Modified: 2012-05-10
I recently migrated a Windows 2003 (with Exchange 2003) server to a Windows 2008 (with Exchange 2010) server. The mailboxes migrated fine but I think I inadvertently broke the SSL hierarchy. I'm pretty good at Exchange but not very good at SSL.

When I log into OWA via Firefox I get this:
"Certificate belongs to a different site, which could indicate identity theft". I accept the certificate anyway and I get into OWA successfully.

When I use a BlackBerry to set up the phone for email I get this error code:

When I set up an iPhone against the Exchange server I get:
"Unable to verify Certificate from for account could not be verified." - I click "Accept".
Then it tells me "Exchange account verification failed". If I click Next to finish, it asks me for my password over and over.

Here is what I've done to troubleshoot: (I left out the actual domain name)
1. Ran the Exchange Remote Connectivity Analyzer:
   ExRCA is testing Exchange ActiveSync.
     The Exchange ActiveSync test failed.
       Test Steps
       Attempting to resolve the host name in DNS.
         Host successfully resolved
           Additional Details
           IP(s) returned: 12.X.X.X
       Testing TCP port 443 on host to ensure it is listening and open.
         The port was opened successfully.
       ExRCA is testing the SSL certificate to make sure it's valid.
         The SSL certificate failed one or more certificate validation checks.
           Test Steps
           The certificate name is being validated.
             Certificate name validation failed.
               Additional Details
               Host name does not match any name found on the server certificate CN=admin-exch

2. I've googled the hell out of all the error messages only to come out even more confused.

Clearly I need some education here. My questions include:
1. How to set up a self-signed root certificate for the entire domain with a matching host name?
2. How to get the iPhone and BlackBerry to work with Exchange 2010?

Thank you in advance.
Question by: bcarmi
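The ExRCA step that failed above ("Certificate name validation failed") can be reproduced from any Windows machine that can reach the server on port 443. The script below is an added example, not part of the original question or of ExRCA: it opens a TLS connection, accepts whatever certificate the server presents (for diagnosis only), and checks the host name against the subject CN and any Subject Alternative Names exactly the way a phone would. The host name `mail.example.com` is an assumption; substitute the name your OWA and ActiveSync clients use.

```powershell
# Added example (not from the thread): reproduce ExRCA's certificate name check.
# Run from a machine that can reach the Client Access Server on 443.

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate so we can inspect it ourselves. This is a
        # diagnostic shortcut only; a real client must never do this.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN (the only name on a default Exchange self-signed cert, e.g. CN=admin-exch)
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17); Format() renders "DNS Name=host, ..."
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    return @($names | Select-Object -Unique)
}

function Test-CertificateName {
    param([string[]]$Names, [string]$HostName)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # Wildcard names only cover one label: *.example.com matches mail.example.com,
        # not a.b.example.com and not example.com itself.
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

$hostName = 'mail.example.com'   # assumption: the name your phones and browsers connect to
$cert  = Get-ServerCertificate -HostName $hostName
$names = Get-CertificateNames -Cert $cert

"Subject:       $($cert.Subject)"
"Issuer:        $($cert.Issuer)"
"Self-signed:   $($cert.Subject -eq $cert.Issuer)"
"Expires:       $($cert.NotAfter)"
"Names on cert: $($names -join ', ')"
if (Test-CertificateName -Names $names -HostName $hostName) {
    "OK: $hostName is covered by the certificate"
} else {
    "FAIL: $hostName does not match any name on the certificate (this is what ExRCA reports)"
}
```

Two separate things have to be true for a phone to be happy: the name it connects to must appear on the certificate (what this script checks), and the certificate's issuer must be trusted by the phone (which a self-signed certificate never is until its root is installed on the device). ExRCA reports the first failure it hits, so a passing name check can still be followed by a trust failure.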

Expert Comment

by:Gary Dewrell
ID: 33506066
Good luck on the BlackBerry. We have not been able to get any BlackBerrys to work with Exchange 2010.

As for the certificates, the error is saying that the certificate was issued for a server/URL named  but the server name is

Open the Exchange Management Console.
Click on Server Configuration.
Click on the server.
In the bottom window it will list your certificates.
Look for the one that has IIS listed under Services.
Under the Subject column it will list the URL. Is that the URL being used by your clients?

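The same check from the Exchange Management Shell, as an added example that is not part of the reply above: list the certificates bound to IIS with the names they carry, compare those names with the host names clients use, and pull the virtual directory URLs that define those host names. The two client host names are assumptions; replace them with yours.

```powershell
# Added example (not from the thread): the EMC "Server Configuration" certificate
# list, done in the Exchange Management Shell on the Client Access Server.
$clientHosts = @('mail.example.com', 'autodiscover.example.com')   # assumption

# Services is a flags value; -match compares against its text form ("IMAP, POP, IIS, SMTP").
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }

foreach ($cert in $iisCerts) {
    "Thumbprint : $($cert.Thumbprint)"
    "Subject    : $($cert.Subject)"
    "Domains    : $($cert.CertificateDomains -join ', ')"
    "Self-signed: $($cert.IsSelfSigned)   Status: $($cert.Status)   Expires: $($cert.NotAfter)"
    foreach ($h in $clientHosts) {
        # CertificateDomains holds the CN plus every SAN; honour single-label wildcards.
        $covered = $cert.CertificateDomains | Where-Object {
            ($_ -eq $h) -or
            ($_.StartsWith('*.') -and ($h -like $_) -and ($h.Split('.').Count -eq $_.Split('.').Count))
        }
        if ($covered) { "  OK   $h" } else { "  FAIL $h is not on this certificate" }
    }
    ""
}

# The names clients actually use are the URLs on the virtual directories and the
# Autodiscover URI; every host name in them must be on the IIS certificate.
Get-OwaVirtualDirectory        | Select-Object Server, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory | Select-Object Server, InternalUrl, ExternalUrl
Get-ClientAccessServer         | Select-Object Name, AutoDiscoverServiceInternalUri
```

In the situation described in the question, the IIS certificate carries only `CN=admin-exch`, so any external name in `ExternalUrl` will show as FAIL; that single mismatch is what both Firefox and the phones are complaining about.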
Author Comment

ID: 33506508
Thank you for the swift reply.

The cert that has IIS is called "Microsoft Exchange". It's a self-signed certificate valid for IMAP, POP, IIS, and SMTP. Under the Subject column it just says "CN=exch-name".
Shouldn't it be How would I change that?

Could I create a new certificate for *
When I click on "New Exchange Certificate" and go through the wizard, it asks me for a file with the extension ".req"... how do I generate that request? I've seen some tutorials on .req files in IIS7, but will that work with Exchange 2010?

Thank you,

Expert Comment

by:Gary Dewrell
ID: 33510331
Do you have an internal CA set up?
If not you will need to do that if you really want a self-signed certificate. I personally would purchase a certificate from Thawte, or GoDaddy, etc., especially if you want the certificate to be recognized by phones.
But if you really want to use a self-signed certificate, here is an article that will talk you through the steps of setting up the CA and creating the certificate.

Author Comment

ID: 33513214
I'm on Windows 2008.
OK, so I have IIS 7.5 running and Exchange 2010. I installed the Certificate Authority role service on the server and Certificate Authority Web Enrollment.

How do I create, from start to finish, a root certificate from my exchange server ( and issue it to (different DNS, same physical server).

Thank you,

Expert Comment

by:Gary Dewrell
ID: 33513625
Not at my computer so doing this from memory.

1. Run the Exchange New Certificate Wizard to create your certificate request (CSR) file.
2. Open a browser and go to http://CAServername/certsrv
3. Choose Request a certificate.
4. Choose Advanced certificate request.
5. Choose Submit a certificate request...
6. Open the CSR file in Notepad, copy the text (all of it) and paste it into the browser window in the Saved Request box.
7. Change the type from Administrator to IIS.
8. Download the new certificate.
9. Run the Complete Certificate wizard in Exchange and select the downloaded certificate.

Now keep in mind that other PCs outside of your domain, and cell phones will not have the trusted root certificate of your CA server. So they will still get certificate warnings unless they install the root certificate from your CA server.

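The same nine steps, as an added example that is not part of the reply above, run from the Exchange Management Shell on the server that is both the CAS and the enterprise CA, instead of the EMC wizard and the certsrv page. The public host names, organization, certificate template name and CA configuration string (`<CA host>\<CA name>`, visible with `certutil -dump`) are assumptions; `admin-exch` is the existing internal name from the ExRCA output in the question.

```powershell
# Added example (not from the thread): request, issue, import and bind a
# certificate for Exchange 2010 from an internal Windows CA.
$publicName = 'mail.example.com'                                              # assumption
$sans       = @('mail.example.com', 'autodiscover.example.com', 'admin-exch') # assumptions; add the internal FQDN if clients use it
$caConfig   = 'admin-exch\example-CA'                                         # assumption: "<CA host>\<CA name>"
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

# Step 1: generate the request. Exchange 2010 returns the PEM text; writing it
# out produces the .req file the EMC wizard asks for.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$publicName, O=Example Corp, C=US" `
    -DomainName $sans `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path C:\certs\exchange.req -Value $req

# Steps 2-8: submit the request to the enterprise CA with the Web Server template
# (the "IIS" type in the certsrv page) and save the issued certificate.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' `
    C:\certs\exchange.req C:\certs\exchange.cer

# Step 9: complete the pending request and bind the certificate to the services.
# -Force suppresses the prompt about replacing the default SMTP certificate.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\certs\exchange.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP -Force

# Verify: every name clients use must appear in CertificateDomains and Services must include IIS.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, Status, NotAfter

# The caveat from the reply: devices outside the domain do not trust this CA.
# Export the CA's root certificate (run on the CA itself) so it can be installed
# on the phones, e.g. by emailing root-ca.cer to the iPhone and opening it.
certutil -ca.cert C:\certs\root-ca.cer
```

After `Enable-ExchangeCertificate` the IIS binding is updated immediately, but a browser or phone that already has an open session may keep the old certificate until it reconnects; rerun ExRCA (or the name check against port 443) to confirm the new certificate is the one being served.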
Author Comment

ID: 33560355
Sorry it took me a while to get back to you.
I've completed all the steps and the certificate request, and I see the certificate in the Exchange console... thank you.

However, when I try to connect an iPhone to the Exchange server, it asks me if I accept the unknown certificate from the server and I say "yes". After that I get a message saying "unable to verify account information". It then repeatedly asks for the password. When I try to get the mail, the iPhone says "the connection to the server failed."

On the exchange server there is no evidence of a connection either.

Any suggestions would be very appreciated.
Thank you,

Author Comment

ID: 33560701
An update...
I downloaded the ActiveSync Tester for the iPhone and got the following:

Checking connection.... ok
Checking certificate.... fail
Checking application... ok
Checking version... fail

ActiveSync is not available... major code: 0xffffffff minor code: 0x0

The certificate may not be a's just a self-signed cert.
Any suggestions as to where to go from here?

Accepted Solution

Gary Dewrell earned 500 total points
ID: 33598515
Create a test account on your Exchange server.
Go here:
Click on Exchange ActiveSync,
click Next,
fill out the form using the test account information.

What result do you get?

(Disable the test account when done.)
