Solved

Exchange2007 certificates issue: "The name of the security certificate is invalid or does not match the name of the site"

Posted on 2010-09-16
Last Modified: 2012-05-10
Hi All,

Please have a look at the attached image. The problem is "The name of the security certificate is invalid or does not match the name of the site".

I have an Exchange Server 2007 (SP1) with the FQDN newserver.mycompany.local.
DNS entry for newserver in the mycompany.local forward zone:
A (record) ----- newserver.mycompany.local ----- 192.168.1.100
I have another A record entry in the mycompany.com forward zone:
A (record) ------ mail1.mycompany.com ------- 192.168.1.100

I have been facing this issue for the last week. I have followed the steps but no luck. So far, what I understand is that the certificates are for newserver but they are being recognized as mail1.mycompany.com, but maybe I am wrong or making some minor mistake.

http://support.microsoft.com/kb/940726/en-us

Can anybody help me? Please mention if you need any outputs from me.
Thanks,

[Attached image: Outlook Error]
Question by:sysbase
14 Comments
 
Expert Comment by: collins23 (ID: 33691452)
What certificate do you have configured in Exchange?
 
Expert Comment by: collins23 (ID: 33691506)
Use the following procedure to change the Exchange certificate to mail1.mycompany.com:

http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
 

Author Comment by: sysbase (ID: 33691586)
I am using the self-signed certificate that is created by default when we install Exchange 2007.
 

Author Comment by: sysbase (ID: 33691654)
On the client side, when we view the certificate it says the certificate status is OK.

Details:
CN = newserver
DNS Name=newserver
DNS Name=newserver.mycompany.local
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Key usage: Digital Signature, Key Encipherment (a0)
Basic Constraints: Subject Type=End Entity; Path Length Constraint=None
Thumbprint algorithm: sha1

Is there anything more I can provide to solve this issue?
 
Expert Comment by: Leon Fester (ID: 33691713)
Is this certificate being installed on the Exchange Server? If yes, then don't use the FQDN.
The certificate must match the name of the host where it resides.
 
Expert Comment by: Ivan (ID: 33691735)
Hi,

It seems that the problem is with the "Subject Alternative Name" field in the certificate.
When creating the certificate request, did you use the -DomainName part of the command?
You can use it to specify more names for the certificate, such as...

New-ExchangeCertificate -DomainName newserver, newserver.mycompany.local, mail1, mycompany.local -Services SMTP

or something like that.

There is a useful link at http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
 

Author Comment by: sysbase (ID: 33692087)
Here is some more output, if that helps:

[PS] C:\>Get-ExchangeCertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {newserver, newserver.mycompany.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=newserver
NotAfter           : 31/08/2011 11:48:47
NotBefore          : 31/08/2010 11:48:47
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 968586B5E0E0D48841B8537839961079
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=newserver
Thumbprint         : 094ED70F1DB5DBA9957991A4AD8E357351213078


I think this is the problem... the issuer is newserver and the certificates are installed with mail1.mycompany.com...


What else can I look at?
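The Get-ExchangeCertificate output above already contains the answer to "what else can I look at": Outlook raises "The name of the security certificate is invalid or does not match the name of the site" when the hostname in the URL it connects to (the server name in the profile, or the Autodiscover, EWS and OAB URLs that KB 940726 in the question has you set) is not in the certificate's subject or Subject Alternative Name list. A certificate whose CertificateDomains are only {newserver, newserver.mycompany.local} can never satisfy a connection to mail1.mycompany.com. The script below is an added example, not code from the thread; it assumes the Exchange Management Shell on the Client Access server (newserver), treats the certificate bound to IIS as the one Outlook sees, and takes names that are not stored in any Exchange URL (the profile's server name, mail1.mycompany.com from the thread) in $extraNames. It is a read-only check and changes nothing.

```powershell
# Added example (not code from the thread): list every hostname Outlook is pointed
# at and flag the ones the IIS-bound certificate does not cover.
# Assumptions: Exchange Management Shell on the Client Access server (newserver);
# names not stored in Exchange URLs are passed in $extraNames (value from the thread).

$extraNames = @('mail1.mycompany.com')

function Get-OutlookFacingHostNames {
    # Collect the URLs Exchange hands to Outlook, then reduce them to unique hostnames.
    $uris = @()
    foreach ($cas in Get-ClientAccessServer)          { $uris += $cas.AutodiscoverServiceInternalUri }
    foreach ($ews in Get-WebServicesVirtualDirectory) { $uris += $ews.InternalUrl; $uris += $ews.ExternalUrl }
    foreach ($oab in Get-OabVirtualDirectory)         { $uris += $oab.InternalUrl; $uris += $oab.ExternalUrl }
    $uris | Where-Object { $_ -ne $null } |
        ForEach-Object { ([Uri]$_.ToString()).Host.ToLower() } |
        Sort-Object -Unique
}

function Test-CertificateCoversName {
    param([string[]]$Domains, [string]$HostName)
    # Exact match on a subject/SAN entry, or a one-label wildcard such as *.mycompany.com.
    foreach ($d in $Domains) {
        if ($d -eq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($d.Substring(1)) + '$'
            if ($HostName -match $pattern) { return $true }
        }
    }
    return $false
}

# The certificate Outlook sees over HTTPS is the one bound to IIS.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
$domains = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

$allNames = @(Get-OutlookFacingHostNames) + @($extraNames | ForEach-Object { $_.ToLower() })
foreach ($h in ($allNames | Sort-Object -Unique)) {
    if (Test-CertificateCoversName -Domains $domains -HostName $h) {
        '{0,-40} covered by {1}' -f $h, $iisCert.Thumbprint
    } else {
        '{0,-40} NOT in certificate (CN/SAN are: {1})' -f $h, [string]::Join(', ', $domains)
    }
}
```

Every line reported as NOT in certificate is a name that either has to be added to the certificate's -DomainName list when it is regenerated or removed from the URL Outlook is given; with the output shown in the thread, mail1.mycompany.com will be reported as missing, which is the error in the screenshot.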
 

Author Comment by: sysbase (ID: 33692161)
Agreed with spriggan13, it will be OK if we have
CertificateDomains : {mail1, mail.mycompany.com, newserver, newserver.mycompany.local}
rather than
CertificateDomains : {newserver, newserver.mycompany.local}

How can we work on it?
 

Author Comment by: sysbase (ID: 33692681)
Would it be a good approach to remove the existing certificates and then create and install new ones?
Is there any secure way to do that?
 
Accepted Solution by: Ivan (earned 2000 total points) (ID: 33695999)
Hi,

I don't think there is any need to remove the cert first before creating a new one.
If you generate a new one and assign it to the services you need, then it should simply override the current cert and it will work.

First generate the new cert (something like this, plus key length, subject name, export private key):

New-ExchangeCertificate -DomainName newserver, newserver.mycompany.local, mycompany.local, mail1.mycompany.com, autodiscover.mycompany.local -Services IMAP, POP, IIS, SMTP

Then enable the new cert for the services:

Enable-ExchangeCertificate (you will need the thumbprint of the new cert for this, which you can get with the Get-ExchangeCertificate | fl command)

At the end you can remove the old cert with Remove-ExchangeCertificate followed by the thumbprint of the old cert (094ED70F1DB5DBA9957991A4AD8E357351213078).
 

Author Comment by: sysbase (ID: 33699803)
Hi spriggan13,

Would you recommend following this URL?
http://community.spiceworks.com/how_to/show/969

Waiting for a quick response.

Many thanks.
 
Expert Comment by: collins23 (ID: 33699886)
Yes, that procedure should work for you.
 
Expert Comment by: Ivan (ID: 33701146)
Hi,

That link is OK.
Basically you just need to generate the cert the same way you did the first time, but with that additional parameter " -DomainName newserver, newserver.mycompany.local, mycompany.local, mail1.mycompany.com, autodiscover.mycompany.local " that will include all the alternative names.
 
Expert Comment by: Ivan (ID: 33701399)
If I'm not wrong, this should be it.

New-ExchangeCertificate -KeySize 2048 `
    -SubjectName "CN=newserver.mycompany.local, DC=mycompany, DC=local" `
    -DomainName newserver, newserver.mycompany.local, mycompany.local, mail1.mycompany.com, autodiscover.mycompany.local `
    -PrivateKeyExportable $True


Enable-ExchangeCertificate "thumbprint" -Services IIS, SMTP, POP, IMAP

Remove-ExchangeCertificate 094ED70F1DB5DBA9957991A4AD8E357351213078
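The accepted solution and the three-command list in the comment above, carried through as one script. This is an added example and not code from the thread; it assumes it is run in the Exchange Management Shell on newserver and uses the name list and the old thumbprint quoted in the thread. Compared with the bare command list it captures the thumbprint from the object New-ExchangeCertificate returns instead of copying it out of Get-ExchangeCertificate by hand, checks that every requested name is actually in the SAN list, and verifies that IIS moved to the new certificate before the old one is removed, so a failed step leaves the working certificate in place.

```powershell
# Added example (not code from the thread): replace the default self-signed
# Exchange 2007 certificate with one whose SAN list covers every name clients use.
# Assumptions: Exchange Management Shell on newserver; the names and the old
# thumbprint below are the ones quoted in the thread.

$oldThumbprint = '094ED70F1DB5DBA9957991A4AD8E357351213078'
$names = @('newserver', 'newserver.mycompany.local', 'mycompany.local',
           'mail1.mycompany.com', 'autodiscover.mycompany.local')

# 1. Generate the new self-signed certificate and keep the returned object, so the
#    thumbprint does not have to be copied out of Get-ExchangeCertificate by hand.
$newCert = New-ExchangeCertificate -KeySize 2048 `
    -SubjectName 'CN=newserver.mycompany.local, DC=mycompany, DC=local' `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2007 SAN certificate'

# 2. Confirm every requested name made it into the SAN list before binding anything.
$issued  = @($newCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($names | Where-Object { $issued -notcontains $_.ToLower() })
if ($missing.Count -gt 0) {
    throw ('New certificate is missing names: ' + [string]::Join(', ', $missing))
}

# 3. Bind the new certificate to the same services the old one served.
#    Expect a confirmation prompt when the SMTP binding replaces the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IMAP, POP, IIS, SMTP

# 4. Re-read the certificate from the store and verify IIS really moved to it.
$bound = Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint
if ($bound.Services.ToString() -notmatch 'IIS') {
    throw 'IIS is not using the new certificate; the old one has been left in place.'
}

# 5. Only now remove the old certificate, and never the one that was just enabled.
if ($oldThumbprint -ne $newCert.Thumbprint) {
    Remove-ExchangeCertificate -Thumbprint $oldThumbprint -Confirm:$false
}

# Final state: one certificate, bound to all four services, with the full name list.
Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned, NotAfter
```

Two caveats. First, this fixes only the name mismatch: the new certificate is still self-signed, so clients that do not have it in their Trusted Root store will keep getting the separate "issued by a company you have not chosen to trust" warning until it is distributed to them or replaced by one issued by an internal or public CA (New-ExchangeCertificate -GenerateRequest produces the request for that). Second, the name list must match the names Outlook is actually given; if the profile or the Autodiscover, EWS or OAB URLs use a name that is not in -DomainName, the same error comes back for that name.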

Question has a verified solution.
