Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange2007 certificates issue: "The name of the security certificate is invalid or does not match the name of the site"

Posted on 2010-09-16
14
Medium Priority
?
730 Views
Last Modified: 2012-05-10
Hi All,

Please have a look to the attached Image. The problem is  "The name of the security certificate is invalid or does not match the name of the site".

I have an exchange server 2007 (sp1) with the FQDN.  newserver.mycompany.local
DNS entry for newserver in mycompany.local fwd zone
A (record) ----- newserver.mycompany.local ----- 192.168.1.100
I have another A record entry in mycompany.com fwd zone
A (record) ------ mail1.mycompany.com ------- 192.168.1.100

I am facing this issue for last one week. I have followed the steps but no luck. So far what I can understand the issue is certificates are newserver but they are being recognized with mail1.mycompany.com but may be i am wrong or doing any minor mistake.

http://support.microsoft.com/kb/940726/en-us

Can any body help me ? Please mention if you need any outputs from me.
thanks,

 Outlook Error
0
Comment
Question by:sysbase
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 3
  • +1
14 Comments
 
LVL 6

Expert Comment

by:collins23
ID: 33691452
what certificate do you have configured in exchange ?
0
 
LVL 6

Expert Comment

by:collins23
ID: 33691506
using the following procedure to change the exchange certificate to mail1.mycompany.com


http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
0
 

Author Comment

by:sysbase
ID: 33691586
I am using selfsigned by default created certificated when we install exchange 2007.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:sysbase
ID: 33691654
certificates*.....

On client side when we view the certificates it say certificate status is ok.

Details:
CN = newserver
DNS Name=newserver
DNS Name=newserver.mycompany.local
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Key usage: Digital Signature, Key Encipherment (a0)
Basic Constraints: Subject Type=End Entity; Path Length Constraint=None
Thumbprint algorithm: sha1


anything i can provide more to solve this issue?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 33691713
Is this certificate being installed on the Exchange Server? If yes, then don't use the FQDN.
The certificate must match the name of the host where it resides.
0
 
LVL 17

Expert Comment

by:Ivan
ID: 33691735
Hi,

it seams that problem is with "Subject Alternative Name" field in certificates.
When creating certificate request have you used -DomainName part of command?
You can use it to specify more names for certificate such as...

New-ExchangeCertificate -DomainName newserver, newserver.mycompany.local, mail1, mycompany.local -Services SMTP or something like that

There is usefull link at http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx 
0
 

Author Comment

by:sysbase
ID: 33692087
Here is some more output if tht helps

[PS] C:\>Get-ExchangeCertificate  | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {newserver, newserver.mycompany.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=newserver
NotAfter           : 31/08/2011 11:48:47
NotBefore          : 31/08/2010 11:48:47
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 968586B5E0E0D48841B8537839961079
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=newserver
Thumbprint         : 094ED70F1DB5DBA9957991A4AD8E357351213078


I think this is the problem ...  issuer is newserver and the certificates are installed with mail1.mycompany.com ...


what else I can look?
0
 

Author Comment

by:sysbase
ID: 33692161
agreed with spriggan13 it will be ok if we have
CertificateDomains : {mail1, mail.mycompany.com, newserver, newserver.mycompany.local}
rather than
CertificateDomains : {newserver, newserver.mycompany.local}

how can we work on it ?
0
 

Author Comment

by:sysbase
ID: 33692681
Would this be good approach to remvoe the existing certificates and then create and install new certificates?
any secure way to do that?
0
 
LVL 17

Accepted Solution

by:
Ivan earned 2000 total points
ID: 33695999
Hi

I dont think there is any need for removing cert first, before creating new one.
If you generate a new and assigne it for services you need, than it should simple override curent cert and it will work.

First generate new cert (something like this + key lenght, subject name, export private key)

New-ExchangeCertificate -DomainName newserver, newserver.mycompany.local, mycompany.local,  mail1.mycompany.com, autodiscover.mycompany.local  -Services IMAP, POP, IIS, SMTP

Then enable new cert for services:

Enable-ExchangeCertificate (you will need thumbprint of new cert for this, wich you can get with Get-ExchangeCertificate  | fl command)

At the end you can remove old cert with Remove-ExchangeCertificate followed with thumbprint of old cert (094ED70F1DB5DBA9957991A4AD8E357351213078)
0
 

Author Comment

by:sysbase
ID: 33699803
Hi spriqqan13,

Would you recommend to follow this URL
http://community.spiceworks.com/how_to/show/969

Waiting for a quick response.

Many thanks.

0
 
LVL 6

Expert Comment

by:collins23
ID: 33699886
Yes, that procedure should work for you.
0
 
LVL 17

Expert Comment

by:Ivan
ID: 33701146
Hi,

that link is ok.
 Basically you just need to generate cert the same way you did first time, but with that additional command " -DomainName newserver, newserver.mycompany.local, mycompany.local,  mail1.mycompany.com, autodiscover.mycompany.local " that will include all alternative names.

0
 
LVL 17

Expert Comment

by:Ivan
ID: 33701399
If im not wrong this should be it.

New-ExchangeCertificate -KeySize 2048
-SubjectName "CN=newserver.mycompany.local, DC=mycompany, DC=local"
-DomainName newserver, newserver.mycompany.local, mycompany.local,  mail1.mycompany.com, autodiscover.mycompany.local
-PrivateKeyExportable $True


Enable-ExchangeCertificate "thumbprint" -services IIS, SMTP, POP, IMAP

Remove-ExchangeCertificate 094ED70F1DB5DBA9957991A4AD8E357351213078
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article I discuss my selections of the Top Four free Outlook OST File Viewers available. Open, view and read even damaged OST files by using these tools. They all provide a clear preview of all data such as emails, notes, tasks, calendars, e…
The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question