Solved

SSL Certificate error - Exchange 2010

Posted on 2010-09-08
587 Views
Last Modified: 2012-06-27
After our initial migration from 2003 to 2010 everything had been running swimmingly.  The Exchange 2010 server automatically made a default SSL certificate that it was using for everything but for obvious reasons external access to OWA didn't count as secure.

I purchased the appropriate SSL certificate for our OWA server and applied it via the Exchange 2010 management console.  Unfortunately during that process it decided that it would also apply itself to SMTP in addition to the OWA required services.  So *now* when an internal user opens Outlook they are immediately prompted that the SSL certificate is showing the incorrect name (twice).  You can accept it each time and move on, but I need to get back to the point where the internal certificate is assumed valid for SMTP and the purchased one is still used for external connections (which are working atm).
Question by:Loendar
13 Comments
 

Expert Comment

by:SangramGohil
ID: 33629434
A few things to start with:

1. Certificate shows the correct status in the EMC
2. Services are assigned correctly to the certificate
3. Check the certificate with get-certificate

Also check this link if it helps:

http://technet.microsoft.com/en-us/library/aa995942.aspx

 

Author Comment

by:Loendar
ID: 33629471
I've done those things and they show accurately.  In fact, I exported the purchased OWA certificate and removed it, issued the New-ExchangeCertificate command since the internal certificate that was there originally didn't work and restarted both the 2003 and 2010 servers (seems they don't like to talk over SMTP after these are changed without a restart).

At that point the Outlook clients were happy again presumably using the new SSL cert.  As soon as I re-imported the OWA one (even though SMTP wasn't checked) it was back to square one only now I had TWO self-signed certificates.  It really is pretty odd.
 

Expert Comment

by:SangramGohil
ID: 33629547
Did you include the internal host name in the certificate?

And does it give any error when accessing OWA?
 

Author Comment

by:Loendar
ID: 33629704
OWA is working flawlessly with the external certificate in place.

The issue is that the internal signed one previously was the server name and it was happy with that... now it is trying to use the certificate for the external name which doesn't match.  Really I just need to figure out how to get it to stop using the SSL certificate for SMTP.
 

Expert Comment

by:SangramGohil
ID: 33629829
You can remove the service association by going to Server Configuration > Exchange Certificates, selecting the self-signed certificate and choosing Assign Services to Certificate.
 

Author Comment

by:Loendar
ID: 33629885
I shall give that a shot - thanks!
 

Expert Comment

by:SangramGohil
ID: 33629898
Once you assign the services to the self-signed certificate you will be able to remove them from the other certificate.
 

Author Comment

by:Loendar
ID: 33629908
You are correct: it did allow me to remove the old one, but sadly it didn't stop the error message from appearing when starting Outlook.

Really I would prefer to have SMTP not validated at all internally but it seems they force it.
 

Expert Comment

by:SangramGohil
ID: 33629983
If you have included your internal host name (the FQDN, like mailserver.windowsdns.internal) in the certificate, it should not give the certificate prompt.

For example, your certificate should include:

mail.externalhost.com
mail.internalhost.com
mailserverhostname (FQDN)

That will prevent the error from coming up.

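As an added example (not code from the thread), here is an Exchange Management Shell check that implements the advice in this comment together with the earlier EMC step: it lists every certificate with its bound services and names, flags any certificate bound to SMTP that does not include the server's internal FQDN, and re-enables SMTP on the self-signed certificate that does. $Server, the output layout and the warning text are assumptions; Enable-ExchangeCertificate only adds a service binding, so unbinding SMTP from the public certificate still happens in the EMC as described above.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2010 server; $Server is a placeholder for your own server name.
$Server = $env:COMPUTERNAME
$InternalFqdn = (Get-ExchangeServer -Identity $Server).Fqdn

# 1. Audit: which certificate holds which service, and does it name the internal FQDN?
#    New-Object PSObject is used instead of [PSCustomObject] so this runs on PowerShell 2.0.
$certs = Get-ExchangeCertificate -Server $Server | ForEach-Object {
    $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    New-Object PSObject -Property @{
        Thumbprint     = $_.Thumbprint
        SelfSigned     = $_.IsSelfSigned
        Services       = $_.Services.ToString()
        Domains        = ($domains -join ', ')
        CoversInternal = ($domains -contains $InternalFqdn)   # case-insensitive match
        Expires        = $_.NotAfter
    }
}
$certs | Format-Table Thumbprint, SelfSigned, Services, CoversInternal, Domains, Expires -AutoSize

# A certificate bound to SMTP whose subject/SAN list lacks the internal FQDN is the
# name mismatch Outlook reports in this thread.
$certs | Where-Object { $_.Services -match 'SMTP' -and -not $_.CoversInternal } | ForEach-Object {
    Write-Warning "SMTP is bound to $($_.Thumbprint), which does not cover $InternalFqdn"
}

# 2. Fix: bind SMTP back to the self-signed certificate that carries the server's own name.
#    Enable-ExchangeCertificate adds the service; it does not remove SMTP from the
#    public certificate, which is why the thread unbinds that one through the EMC.
$selfSigned = $certs | Where-Object { $_.SelfSigned -and $_.CoversInternal } | Select-Object -First 1
if ($selfSigned) {
    Enable-ExchangeCertificate -Thumbprint $selfSigned.Thumbprint -Services SMTP -Force
} else {
    Write-Warning "No self-signed certificate covers $InternalFqdn; create one with New-ExchangeCertificate as the thread does."
}
```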
 

Author Comment

by:Loendar
ID: 33630418
Sadly - I did not.  It was only meant to apply to external names and I didn't think that it would try to apply itself internally as well.  In fact, since it was meant just for OWA and OMA it never occurred to me that it would set itself up on the SMTP port.
 

Expert Comment

by:SangramGohil
ID: 33631041
When you run Outlook internally it will look for the FQDN host name entry in the certificate. If it does not find it, it will give the certificate error you are receiving.

 

Author Comment

by:Loendar
ID: 33647492
Well, I have tried to get the certificate reissued to include the FQDN used for our internal email server in the hope that it would stop the error message.  Sadly, since we don't own the public version of the domain name they seem unlikely to provide it, and I'm back to square one.

Outlook is looking at the external SSL certificate and refusing to acknowledge the internal one for SMTP.
 

Accepted Solution

by:Loendar (earned 0 total points)
ID: 33824608
This took a bit of work from Microsoft but we managed to pin it down.
