sysbase
asked on
Exchange2007 certificates issue: "The name of the security certificate is invalid or does not match the name of the site"
Hi All,
Please have a look at the attached image. The problem is "The name of the security certificate is invalid or does not match the name of the site".
I have an Exchange Server 2007 (SP1) with the FQDN newserver.mycompany.local
DNS entry for newserver in mycompany.local fwd zone
A (record) ----- newserver.mycompany.local ----- 192.168.1.100
I have another A record entry in mycompany.com fwd zone
A (record) ------ mail1.mycompany.com ------- 192.168.1.100
I have been facing this issue for the last week. I have followed the steps but no luck. So far what I can understand is that the certificates are for newserver, but they are being recognized with mail1.mycompany.com, but maybe I am wrong or making some minor mistake.
http://support.microsoft.com/kb/940726/en-us
Can anybody help me? Please mention if you need any outputs from me.
thanks,
What certificate do you have configured in Exchange?
Use the following procedure to change the Exchange certificate to mail1.mycompany.com:
http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
ASKER
I am using the self-signed certificate that is created by default when we install Exchange 2007.
ASKER
certificates*.....
On the client side, when we view the certificate it says the certificate status is OK.
Details:
CN = newserver
DNS Name=newserver
DNS Name=newserver.mycompany.local
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Key usage: Digital Signature, Key Encipherment (a0)
Basic Constraints: Subject Type=End Entity; Path Length Constraint=None
Thumbprint algorithm: sha1
Is there anything more I can provide to solve this issue?
Is this certificate being installed on the Exchange Server? If yes, then don't use the FQDN.
The certificate must match the name of the host where it resides.
Hi,
it seems that the problem is with the "Subject Alternative Name" field in the certificate.
When creating the certificate request, have you used the -DomainName part of the command?
You can use it to specify more names for the certificate, such as...
New-ExchangeCertificate -DomainName newserver, newserver.mycompany.local, mail1, mycompany.local -Services SMTP or something like that
There is a useful link at http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
ASKER
Here is some more output, if that helps:
[PS] C:\>Get-ExchangeCertificate | fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {newserver, newserver.mycompany.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=newserver
NotAfter : 31/08/2011 11:48:47
NotBefore : 31/08/2010 11:48:47
PublicKeySize : 2048
RootCAType : None
SerialNumber : 968586B5E0E0D48841B8537839961079
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=newserver
Thumbprint : 094ED70F1DB5DBA9957991A4AD8E357351213078
I think this is the problem ... the issuer is newserver and the certificates are installed with mail1.mycompany.com ...
What else can I look at?
ASKER
Agreed with spriggan13; it will be OK if we have
CertificateDomains : {mail1, mail.mycompany.com, newserver, newserver.mycompany.local}
rather than
CertificateDomains : {newserver, newserver.mycompany.local}
How can we work on it?
ASKER
Would it be a good approach to remove the existing certificate and then create and install a new certificate?
Is there any secure way to do that?
ASKER CERTIFIED SOLUTION
ASKER
Hi spriggan13,
Would you recommend following this URL?
http://community.spiceworks.com/how_to/show/969
Waiting for a quick response.
Many thanks.
Yes, that procedure should work for you.
Hi,
That link is OK.
Basically you just need to generate the certificate the same way you did the first time, but with the additional parameter " -DomainName newserver, newserver.mycompany.local, mycompany.local, mail1.mycompany.com, autodiscover.mycompany.local " that will include all the alternative names.
If I'm not wrong, this should be it.
# Request a new self-signed certificate that carries every name clients connect with
New-ExchangeCertificate -KeySize 2048 `
    -SubjectName "CN=newserver.mycompany.local, DC=mycompany, DC=local" `
    -DomainName newserver, newserver.mycompany.local, mycompany.local, mail1.mycompany.com, autodiscover.mycompany.local `
    -PrivateKeyExportable $True
# Bind the new certificate (use the thumbprint printed by New-ExchangeCertificate) to the services
Enable-ExchangeCertificate "thumbprint" -Services IIS, SMTP, POP, IMAP
# Only then remove the old default certificate
Remove-ExchangeCertificate 094ED70F1DB5DBA9957991A4AD8E357351213078
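The thread's root cause is that the names clients use (mail1.mycompany.com) are not in the certificate's CertificateDomains. The following is an added example, not code from the thread or from Microsoft: a small PowerShell check that compares the names a certificate carries against the names clients and other servers actually connect to, so the mismatch can be confirmed before a new certificate is requested. The sample values are copied from the thread; the Test-CertificateNames function and the variable names are my own, and the live Get-ExchangeCertificate lines assume the Exchange Management Shell.

```powershell
# Added example (not from the thread): does a certificate cover every name in use?
function Test-CertificateNames {
    param(
        [string[]]$CertificateDomains,   # names the certificate carries (CN + SANs)
        [string[]]$RequiredNames         # every host name clients or servers connect to
    )
    $uncovered = @()
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($domain in $CertificateDomains) {
            if ($domain -ieq $name) { $covered = $true; break }
            # A wildcard SAN (*.mycompany.com) covers exactly one label to its left,
            # so the name must end with the suffix and have the same number of labels.
            if ($domain.StartsWith('*.')) {
                $suffix = $domain.Substring(1)
                $sameDepth = ($name.Split('.').Count -eq $domain.Split('.').Count)
                if ($sameDepth -and $name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                    $covered = $true; break
                }
            }
        }
        if (-not $covered) { $uncovered += $name }
    }
    # The leading comma keeps an empty result as an array so .Count is reliable.
    return ,$uncovered
}

# Sample values as posted in the thread: the default self-signed certificate ...
$certDomains = @('newserver', 'newserver.mycompany.local')
# ... and the names in use: internal FQDN, the public A record, and the Autodiscover
# name the thread suggests adding.
$required = @('newserver.mycompany.local', 'mail1.mycompany.com', 'autodiscover.mycompany.local')

$missing = Test-CertificateNames -CertificateDomains $certDomains -RequiredNames $required
if ($missing.Count -eq 0) {
    'Certificate covers every required name.'
} else {
    # With the thread's values this reports mail1.mycompany.com and autodiscover.mycompany.local
    "Names for which clients will reject this certificate: $($missing -join ', ')"
}

# Live check on the server (Exchange Management Shell), using the thumbprint that
# Get-ExchangeCertificate prints for the certificate bound to IIS:
# $cert = Get-ExchangeCertificate -Thumbprint '<thumbprint from Get-ExchangeCertificate>'
# Test-CertificateNames -CertificateDomains $cert.CertificateDomains -RequiredNames $required
```

Run the check again after Enable-ExchangeCertificate to confirm the new certificate's CertificateDomains returns an empty list of missing names.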