  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 427

SBS Exchange 2007 certificate error issue

Hi,
I have bought the certificate from a third party; however, I am still getting the error as attached.
Server configuration:
I have assigned the server to one of my subdomains:
remote.mydomain.com

Exchange server to:
mail.mydomain.com

Both of the domains are forwarded to my IP address. When I created the certificate I added the mail as well as the server domain in the generation process, but it still doesn't work. I have tried to do it via wildcards, which include all the subdomains, but it didn't succeed either.

The IP address I am assigning to is my internet provider's, which resolves to something of the provider's subdomain name. Please advise how to fix this issue.


security-certificate.JPG
Asked by: mattibutt
 
Alan Hardisty (Co-Owner) commented:
The names you need to include in SBS 2008 for a SAN / UCC certificate are as follows:

remote.domain.com (or whatever you chose when configuring SBS)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites

If you don't have these in your certificate, please re-key the certificate and the problem should go away.

Alan
 
mattibutt (Author) commented:
Hi,
these are clear so far:

remote.domain.com (or whatever you chose when configuring SBS)
autodiscover.domain.com
internalservername.internaldomain.local

How do I create it for the following as well?
internalservername
sites

Is there a guide to create a certificate for all these domains?

Thanks
 
Alan Hardisty (Co-Owner) commented:
Personally - I use the following tool to generate a Certificate Signing Request for Exchange 2007:

https://www.digicert.com/easy-csr/exchange2007.htm

I then upload the output to the server, run the command in the Exchange Management Shell, take the CSR request to the certificate provider, post the request, approve the request, download the certificate, install the certificate and then apply the certificate.

 
mattibutt (Author) commented:
Hi,
I am trying to generate the certificate; now I am getting the error which was my domain name:

Domain name mismatch. Domain in the CSR 'mail.domain.com' does not match the domain of the original certificate 'remote.domain.com'.

Can I include remote.domainname.com in the generation list?
 
Alan Hardisty (Co-Owner) commented:
You can include what you like - but it depends on the number of Subject Alternative Names you have purchased for the certificate.

Do you need remote.domain.com and mail.domain.com?
 
mattibutt (Author) commented:
I have assigned my server to remote.domain.com. I am putting the following in the generation tool you sent me:

autodiscover.domain.com
Server1.Domain.local
Server1
Sites
remote.domain.com

If it covers everything, please advise.

Thanks
 
Alan Hardisty (Co-Owner) commented:
Yes - that should be fine.
 
mattibutt (Author) commented:
The problem is I am getting the following error now:
Domain name mismatch. Domain in the CSR 'mail.domain.com' does not match the domain of the original certificate 'remote.domain.com'.
 
Alan Hardisty (Co-Owner) commented:
Recreate the CSR omitting mail.domain.com and make sure remote.domain.com is the primary domain name.
 
mattibutt (Author) commented:
So I can add mail.domain.com in the 2nd box instead of the first box?
 
Alan Hardisty (Co-Owner) commented:
How many names can you add to your certificate?  5 / 10 or more?

If you only bought a 5 name SAN / UCC certificate - you can't have the following:

mail.domain.com
remote.domain.com
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites

That's 6 names.  One has to go or you need to buy a 10 name SAN / UCC cert.
 
mattibutt (Author) commented:
I can add up to 25 names. Now I have generated the certificate, where do I install it, on Exchange or IIS? If on Exchange, what do I do to create this on Exchange?

Thanks
 
Alan Hardisty (Co-Owner) commented:
 
AhmedHERMI commented:
Hi :),
sorry, I was working on another question so I put the answer in the wrong place :),
but coming back to the asked question, I've made a PDF file that explains how this error appears and how to fix it.
http://www.mediafire.com/?nkasheu41daezt8

Hope this will work for you.

Ahmed
 
mattibutt (Author) commented:
No problem. I am catching the following error:

[PS] C:\Windows\System32>Import-ExchangeCertificate -path c:\remote_domain_com.p7s
| Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP
Enable-ExchangeCertificate : Service is not installed.
Parameter name: Services
At line:1 char:84
+ Import-ExchangeCertificate -path c:\remote_domain_com.p7s | Enable-ExchangeCerti
ficate  <<<< -Services IMAP, POP, UM, IIS, SMTP
 
Alan Hardisty (Co-Owner) commented:
Have you installed the UM service on your server?  If not - please don't include it.
 
AhmedHERMI commented:
You need to enable Exchange services to use this certificate. First you must run the following command:

Get-ExchangeCertificate
 
AhmedHERMI commented:
And don't include the UM service if you didn't install it :).
Thanks alanhardisty :)

Ahmed
 
Alan Hardisty (Co-Owner) commented:
AhmedHERMI - there is no need to repeat what I have already posted.  If you have nothing new to add to a thread that hasn't already been posted - please refrain from posting.
 
AhmedHERMI commented:
Well, sorry man :), just wanted to thank you for the comment :)
 
mattibutt (Author) commented:
Hi Alan,

do I need to install the intermediate licence on the server or not?
 
mattibutt (Author) commented:
Hi Alan,
I am still receiving the same error message despite going through all the steps; the error is still the same.
 
mattibutt (Author) commented:
Hi,
I have just discovered my remote.domain.com was still assigned to the web hosting IP. I am hoping this may solve the problem.
 
Alan Hardisty (Co-Owner) commented:
You may need to install the intermediate certificate and disable the GoDaddy Class 2 Certificates as per the link below:

http://help.godaddy.com/topic/742/article/4801

What name are you trying to connect to in Outlook that would be causing the error?
 
mattibutt (Author) commented:
Hi,
I am not using GoDaddy, I am using https://www.geotrust.com/
I have just assigned my server IP to remote.domain.com from the web hosting control panel.
In Outlook I am trying with server1.domain.local
 
mattibutt (Author) commented:
Hi,
I have installed the intermediate certificate as well; so far no luck. I am assuming the issue is with the remote.domain.com DNS update, since I updated it about an hour ago and now I have assigned it to my server.
 
mattibutt (Author) commented:
Hi,
my only concern is the actual IP address. Do you think the IP will cause any problem?
 
mattibutt (Author) commented:
I have also tried mail.domain.com in the Outlook settings.
 
mattibutt (Author) commented:
Hi Alan,
I have cancelled my current certificate and now I am using GoDaddy, but my problem is still there. I am still getting this error:
the name on the security certificate is invalid or does not match the name of the site
 
Alan Hardisty (Co-Owner) commented:
Okay - so what names are included in your certificate and what name (FQDN) are you using to access the server via Outlook?
 
mattibutt (Author) commented:
mail.domain.com
remote.domain.com
server1.domain.local

Outlook access is via
server1.domain.local
 
Alan Hardisty (Co-Owner) commented:
Okay - is it still the same error as the original one - the image in the question shows sites as the problem?
 
mattibutt (Author) commented:
Yes
 
Alan Hardisty (Co-Owner) commented:
Okay - so what are you doing when the error pops up?
 
mattibutt (Author) commented:
I have regenerated the certificate by adding sites as a subject alternative name and it worked. Looks like your original instructions were correct. It was the issue with the GeoTrust certificate, and I didn't add sites in the GoDaddy certificate; when I did, the error was gone. Thanks so much, Alan.
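
The check this thread converged on, written out as an added example (not code from any poster): compare the names clients connect to against the names on a certificate, counting a wildcard entry as covering only a single label under its own domain, so it never matches a single-label name such as sites or a .local host. The function name Test-CertificateNameCoverage and both name lists are constructed for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: report which client-facing names a certificate does not cover.
# Test-CertificateNameCoverage is a hypothetical helper, not an Exchange cmdlet.
function Test-CertificateNameCoverage {
    param(
        [string[]]$CertificateNames,   # subject name plus every SAN DNS entry
        [string[]]$RequiredNames       # every name a client types or is redirected to
    )
    foreach ($name in $RequiredNames) {
        $matchedBy = $null
        foreach ($entry in $CertificateNames) {
            # -eq on strings is case-insensitive in PowerShell, as host names are.
            if ($entry -eq $name) { $matchedBy = $entry; break }
            # A wildcard stands for exactly one left-most label under its own suffix.
            if ($entry.StartsWith('*.')) {
                $suffix = $entry.Substring(1)   # '*.domain.com' -> '.domain.com'
                if ($name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $label = $name.Substring(0, $name.Length - $suffix.Length)
                    if ($label.Length -gt 0 -and $label.IndexOf('.') -lt 0) {
                        $matchedBy = $entry; break
                    }
                }
            }
        }
        New-Object PSObject -Property @{
            Name      = $name
            Covered   = ($null -ne $matchedBy)
            MatchedBy = $matchedBy
        } | Select-Object Name, Covered, MatchedBy
    }
}

# Constructed sample: the three names listed for the certificate late in the thread.
$onCertificate = 'mail.domain.com', 'remote.domain.com', 'server1.domain.local'
# Constructed sample: the names from the first answer, with server1 as the internal host.
$needed = 'remote.domain.com', 'autodiscover.domain.com',
          'server1.domain.local', 'server1', 'sites'

# Names a client would still be warned about with that certificate.
Test-CertificateNameCoverage -CertificateNames $onCertificate -RequiredNames $needed |
    Where-Object { -not $_.Covered }

# The same names against a wildcard-only certificate.
Test-CertificateNameCoverage -CertificateNames '*.domain.com' -RequiredNames $needed |
    Format-Table -AutoSize
```

On the server, the certificate side of the comparison can be read from the CertificateDomains property of the objects that Get-ExchangeCertificate returns.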
