Solved

SBS Exchange 2007 certificate error issue

Posted on 2011-02-28
417 Views
Last Modified: 2012-05-11
Hi,
I have bought the certificate from a third party; however, I am still getting the error as attached.

Server configuration: I have assigned the server to one of my sub-domains,
remote.mydomain.com

and the Exchange server to
mail.mydomain.com

Both of the domains are forwarded to my IP address. When I created the certificate I added the mail as well as the server domain in the generation process, but it still doesn't work. I have tried to do it via wildcards, which include all the sub-domains, but that didn't succeed either.

The IP address I am assigning to is from my internet provider, which resolves to something of the provider's sub-domain name. Please advise how to fix this issue.


security-certificate.JPG

Question by: mattibutt

36 Comments
 
Accepted Solution by Alan Hardisty (earned 500 total points), ID: 34997187
The names you need to include in SBS 2008 for a SAN / UCC certificate are as follows:

remote.domain.com (or whatever you chose when configuring SBS)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites

If you don't have these in your certificate, please re-key the certificate and the problem should go away.

Alan
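The names above are the ones clients present when they connect, so a certificate that lacks any of them triggers the name-mismatch warning shown in the question. As an added example (not code from the thread or from SBS), this Python check applies the RFC 6125 wildcard rules to report which required names a given certificate's CN/SAN list covers; it also shows why the wildcard attempt in the question could never cover the bare server name, "sites" or the .local name. The domain names used are placeholders taken from the thread.

```python
# Added example, not the thread's code: which client-facing names does a certificate
# actually cover? Matching follows RFC 6125: a wildcard may only be the whole leftmost
# label, it matches exactly one label, and it never matches a bare (single-label) name.


def sbs_required_names(public_fqdn, internal_host, internal_domain):
    """The names the accepted answer lists for an SBS 2008 / Exchange 2007 SAN cert."""
    public_domain = public_fqdn.split(".", 1)[1]   # remote.domain.com -> domain.com
    return [
        public_fqdn,                               # e.g. remote.domain.com
        "autodiscover." + public_domain,           # Outlook Autodiscover lookup
        f"{internal_host}.{internal_domain}",      # e.g. server1.domain.local
        internal_host,                             # bare NetBIOS/host name
        "sites",                                   # SBS internal web sites
    ]


def name_matches(cert_name, requested):
    """True if cert_name (CN or SAN entry, possibly a wildcard) covers requested."""
    c = cert_name.lower().rstrip(".")
    r = requested.lower().rstrip(".")
    if not c.startswith("*."):
        return c == r                  # plain names compare case-insensitively
    c_labels, r_labels = c.split("."), r.split(".")
    if len(r_labels) < 3 or len(c_labels) != len(r_labels):
        return False                   # wildcard covers exactly one label; bare names never match
    return r_labels[0] != "" and c_labels[1:] == r_labels[1:]


def uncovered_names(cert_names, required):
    """Names clients may connect with that no entry in the certificate covers."""
    return [n for n in required if not any(name_matches(c, n) for c in cert_names)]


if __name__ == "__main__":
    required = sbs_required_names("remote.domain.com", "server1", "domain.local")
    candidates = {
        "wildcard *.domain.com": ["*.domain.com"],
        "cert without sites/server1": ["mail.domain.com", "remote.domain.com", "server1.domain.local"],
        "re-keyed cert": required + ["mail.domain.com"],
    }
    for label, cert in candidates.items():
        print(f"{label}: not covered -> {uncovered_names(cert, required)}")
```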
 
Author Comment by mattibutt, ID: 34997287
Hi,
these are clear so far:

remote.domain.com (or whatever you chose when configuring SBS)
autodiscover.domain.com
internalservername.internaldomain.local

How do I create one for the following also?
internalservername
sites

Is there a guide to creating a certificate for all these domains?

Thanks

Expert Comment by Alan Hardisty, ID: 34997302
Personally - I use the following tool to generate a Certificate Signing Request for Exchange 2007:

https://www.digicert.com/easy-csr/exchange2007.htm

I then upload the output to the server, run the command in the Exchange Management Shell, take the CSR request to the certificate provider, post the request, approve the request, download the certificate, install the certificate and then apply the certificate.

Author Comment by mattibutt, ID: 34997414
Hi,
I am trying to generate the certificate now, and I am getting the error below, which was about my domain name:

Domain name mismatch. Domain in the CSR 'mail.domain.com' does not match the domain of the original certificate 'remote.domain.com'.

Can I include remote.domainname.com in the generation list?

Expert Comment by Alan Hardisty, ID: 34997441
You can include what you like - but it depends on the number of Subject Alternative Names you have purchased for the certificate.

Do you need remote.domain.com and mail.domain.com?

Author Comment by mattibutt, ID: 34997527
I have assigned my server to remote.domain.com. The following is what I am putting in the generation tool you sent me:

autodiscover.domain.com
Server1.Domain.local
Server1
Sites
remote.domain.com

If it covers everything, please advise.

Thanks

Expert Comment by Alan Hardisty, ID: 34997533
Yes - that should be fine.

Author Comment by mattibutt, ID: 34997576
The problem is I am getting the following error now:
Domain name mismatch. Domain in the CSR 'mail.domain.com' does not match the domain of the original certificate 'remote.domain.com'.

Expert Comment by Alan Hardisty, ID: 34997591
Recreate the CSR omitting mail.domain.com and make sure remote.domain.com is the primary domain name.

Author Comment by mattibutt, ID: 34997614
So can I add mail.domain.com in the 2nd box instead of the first box?

Expert Comment by Alan Hardisty, ID: 34997632
How many names can you add to your certificate?  5 / 10 or more?

If you only bought a 5 name SAN / UCC certificate - you can't have the following:

mail.domain.com
remote.domain.com
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites

That's 6 names.  One has to go or you need to buy a 10 name SAN / UCC cert.

Author Comment by mattibutt, ID: 34997650
I can add up to 25 names. Now that I have generated the certificate, where do I install it: on Exchange or IIS? If on Exchange, what do I do to create this on Exchange?

Thanks

Expert Comment by Alan Hardisty, ID: 34997693

Expert Comment by AhmedHERMI, ID: 34997768
Hi :),
sorry, I was working on another question so I put the answer in the wrong place :).
But coming back to the asked question, I've made a PDF file that explains how this error appears and how to fix it.
http://www.mediafire.com/?nkasheu41daezt8

Hope this will work for you.

Ahmed

Author Comment by mattibutt, ID: 34997820
No problem. I am catching the following error:

[PS] C:\Windows\System32>Import-ExchangeCertificate -path c:\remote_domain_com.p7s
| Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP
Enable-ExchangeCertificate : Service is not installed.
Parameter name: Services
At line:1 char:84
+ Import-ExchangeCertificate -path c:\remote_domain_com.p7s | Enable-ExchangeCerti
ficate  <<<< -Services IMAP, POP, UM, IIS, SMTP

Expert Comment by Alan Hardisty, ID: 34997895
Have you installed the UM service on your server?  If not - please don't include it.

Expert Comment by AhmedHERMI, ID: 34997900
you need to enable Exchange services to use this certificate, first you must run the following command:
 
Get-ExchangeCertificate

Expert Comment by AhmedHERMI, ID: 34997925
And don't include the UM service if you didn't install it :).
Thanks alanhardisty :)

Ahmed

Expert Comment by Alan Hardisty, ID: 34997958
AhmedHERMI - there is no need to repeat what I have already posted.  If you have nothing new to add to a thread that hasn't already been posted - please refrain from posting.

Expert Comment by AhmedHERMI, ID: 34998333
Well, sorry man :), I just wanted to thank you for the comment :)

Author Comment by mattibutt, ID: 34998514
Hi Alan,

Do I need to install the intermediate licence on the server or not?

Author Comment by mattibutt, ID: 34998709
Hi Alan,
I am still receiving the same error message despite going through all the steps; the error is still the same.

Author Comment by mattibutt, ID: 34998936
Hi,
I have just discovered my remote.domain.com was still assigned to the web hosting IP. I am hoping this may solve the problem.

Expert Comment by Alan Hardisty, ID: 34998943
You may need to install the intermediate certificate and disable the GoDaddy Class 2 Certificates as per the link below:

http://help.godaddy.com/topic/742/article/4801

What name are you trying to connect to in Outlook that would be causing the error?

Author Comment by mattibutt, ID: 34999040
Hi,
I am not using GoDaddy; I am using https://www.geotrust.com/. I have just assigned my server IP to remote.domain.com from the web hosting control panel.
In Outlook I am trying with server1.domain.local.

Author Comment by mattibutt, ID: 34999356
Hi,
I have installed the intermediate certificate as well; so far no luck. I am assuming the issue is with the remote.domain.com DNS update, since I updated it about an hour ago and now I have assigned it to my server.

Author Comment by mattibutt, ID: 34999382
Hi,
My only concern is the actual IP address. Do you think the IP will cause any problem?

Author Comment by mattibutt, ID: 34999485
I have also tried mail.domain.com in the Outlook settings.

Author Comment by mattibutt, ID: 35027607
Hi Alan,
I have cancelled my current certificate and now I am using GoDaddy, but my problem is still there; I am still getting this error:
The name on the security certificate is invalid or does not match the name of the site.

Expert Comment by Alan Hardisty, ID: 35027742
Okay - so what names are included in your certificate and what name (FQDN) are you using to access the server via Outlook?

Author Comment by mattibutt, ID: 35028194
mail.domain.com
remote.domain.com
server1.domain.local

Outlook access is via
server1.domain.local

Expert Comment by Alan Hardisty, ID: 35028292
Okay - is it still the same error as the original one - the image in the question shows sites as the problem?

Author Comment by mattibutt, ID: 35028469
Yes.

Expert Comment by Alan Hardisty, ID: 35028593
Okay - so what are you doing when the error pops up?

Author Closing Comment by mattibutt, ID: 35028822
I have regenerated the certificate by adding sites as an alternative subject name and it worked. Looks like your original instructions were correct: it was an issue with the GeoTrust certificate, and I didn't add sites in the GoDaddy certificate. When I did, the error was gone. Thanks so much, Alan.