Exchange SSL Certificate Error on LAN

We set up a 2010 Exchange server. We keep getting a certificate error pointing to autodiscover.domain.org and dc1.domain.org


The certificate (when I click view) shows up as:
Ensures the identity of a remote computer
All issuance policies

Issued to: domain.org
Issued by: domain.org
Valid from: 3/27/2011 to 3/27/2016



Now I don't want to have to purchase a certificate if we're only using this internally. Is there any way for me to fix this without having to purchase one? (Using domain.org as an example.) We have Server 2008 Standard SP2 and Exchange 2010.
cmb991Asked:
James HaywoodCommented:
Check your send connector. See if you have the 'use external dns' checkbox selected. If so uncheck it.
cmb991Author Commented:
"Use the External DNS Lookup settings on the transport server" is not checked. I am using a smart host though: smtp.comcast.net. On my server configuration -> hub transport -> External DNS Lookup, I have "Use network card DNS settings". The network card's DNS is pointing to my DNS server.
tomotCommented:
When a certificate is being verified, 3 things are checked:
1. The issuing CA has to be valid and reachable.
2. The host name must match one of the names on the certificate (you would need a SAN cert for multiple names so you can include autodiscover.YourDomain.com).
3. The cert has to be valid in terms of date validity (cannot be expired).
The error you are getting is most likely related to point number 1. It cannot verify the issuing CA.
For a self-signed certificate, each machine (Outlook client) that connects to the CAS would also have to have the CAS certificate in its "Trusted Certificate Authorities" store. If this is not possible, then you would have to issue a certificate to your CAS with one of the domain Certificate Authorities (if you have one set up). This domain CA certificate would have to be published in your Active Directory as a trusted CA.
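An added example, not part of the thread, that reproduces the three checks above from the client side for the exact name a client connects to. Run it on the Outlook workstation, because point 1 (issuer trusted) depends on that machine's own certificate store; the host names and port are placeholders.

```powershell
# Added example, not from the thread: test the three validation points for the
# name a client really uses. Host names below are placeholders.
function Test-CasCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,  # e.g. autodiscover.domain.org
        [int] $Port = 443
    )
    $flags = @{ NameMismatch = $false; ChainErrors = $false }
    # Record the policy errors instead of aborting the handshake; this is a
    # diagnostic, not a mail client, so accepting the cert here is fine.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $policyErrors)
        $nm = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $ce = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        $flags.NameMismatch = ([int]($policyErrors -band $nm)) -ne 0
        $flags.ChainErrors  = ([int]($policyErrors -band $ce)) -ne 0
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # Subject Alternative Name extension (OID 2.5.29.17): the names the cert really covers.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $now = Get-Date
    New-Object PSObject -Property @{
        Host            = $HostName
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SubjectAltNames = $(if ($sanExt) { $sanExt.Format($false) } else { '(none)' })
        IssuerTrusted   = -not $flags.ChainErrors    # 1. chain builds to a CA this machine trusts
        NameMatches     = -not $flags.NameMismatch   # 2. $HostName equals the CN or a SAN entry
        DateValid       = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)  # 3. not expired
        NotAfter        = $cert.NotAfter
    }
}

# The two names from the question; each result shows which of the three checks fails.
'autodiscover.domain.org', 'dc1.domain.org' | ForEach-Object { Test-CasCertificate -HostName $_ }
```

A certificate issued to domain.org alone will show NameMatches = False for both names, which is the "name on the security certificate is invalid" message; IssuerTrusted = False on a non-domain PC is the separate "not chosen to trust" message.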
cmb991Author Commented:
One thing I did notice is I can't access /certsrv. Could the certs not be able to be pulled down from there?
cmb991Author Commented:
Another thing on the certs when connecting with outlook, the fail is on 'The name on the security certificate is invalid or does not match the name of the site.'
tomotCommented:
Certificates are not verified from that URL.
http://CAserver/certsrv/

That URL is only for users to log in to request a certificate. If that URL is not accessible, that could mean that you did not install web enrollment support for certificate services.
cmb991Author Commented:
I thought certsrv would show up in IIS Manager. So I guess it comes down to the name on the certificate being wrong? Does that look wrong above?
tomotCommented:
That is correct, "certsrv" is one of the virtual directories in IIS on the Certificate Authority if "web enrollment support for certificate services" is enabled (Windows feature).

What kind of certificate error are you getting exactly when opening Outlook?
cmb991Author Commented:
'The name on the security certificate is invalid or does not match the name of the site.'

The certificate name and settings are in my original post.
tomotCommented:
Microsoft's explanation that is specific to your cert error:

The common name that you specified when you generated the certificate request for that Web site does not match the URL that is used to access the Web site.
To avoid this warning, make sure that the common name that is specified when you generate the certificate request matches the URL that will be used to access the site.

If the URL that will be used to access the site cannot be changed to match the common name on the certificate, follow these steps:
1. Create another certificate request. Make sure that the common name matches the URL that is used to access the Web site.
2. Have your certification authority generate a new certificate.
3. Use the new certificate for the Web site.
cmb991Author Commented:
Okay, but if I'm getting this certificate error popping up twice, both with different names (autodiscover.domain.org and dc1.domain.org), then do I have to create two certificates matching both of those names?
tomotCommented:
All you have to do is create a SAN certificate. SAN (Subject Alternative Names) certificates allow you to put multiple names on one certificate.
Here is a good explanation of what names should be on Exchange 2007 SAN certificate:

http://www.digicert.com/ssl-support/exchange-2007-san-names.htm
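An added example, not anything tomot or cmb991 posted, that follows the SAN suggestion above without buying a certificate: one request covering every name Outlook uses, signed by the internal Windows enterprise CA mentioned earlier in the thread, so domain-joined clients already trust the issuer. The host names, the O= value, the file paths and the "WebServer" template name are placeholders; run it in the Exchange Management Shell on the CAS.

```powershell
# Added example, not from the thread. Placeholders: host names, "O=Domain",
# file paths and the "WebServer" template name.
$names = 'mail.domain.org', 'autodiscover.domain.org', 'dc1.domain.org'

# 1. One request covering every name: the first becomes the CN, all of them go
#    into the Subject Alternative Name extension, so one cert serves every URL.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($names[0]),O=Domain,C=US" `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path C:\certreq.req -Value $request

# 2. Submit the request text to the internal enterprise CA. This is where the
#    "New Certificate Request" file goes; the /certsrv web page is not required.
#    If several CAs are published in AD, certreq prompts, or add -config "CAHOST\CA Name".
certreq -submit -attrib 'CertificateTemplate:WebServer' C:\certreq.req C:\cas-cert.cer

# 3. Import the issued certificate on the CAS and bind it to IIS (OWA, EWS,
#    Autodiscover, Outlook Anywhere) and SMTP.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\cas-cert.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Verify: Issuer should be the domain CA and CertificateDomains should list all three names.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, NotBefore, NotAfter, Services

# Domain-joined clients trust the enterprise CA through Active Directory. An off-site
# PC that is not a domain member still needs the CA's root certificate imported into its
# Trusted Root Certification Authorities store (e.g. certutil -addstore Root ca-root.cer),
# otherwise Outlook reports "issued by a company you have not chosen to trust".
```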
cmb991Author Commented:
Now I'm getting confused. All this did was give me the New Certificate Request code in the txt file. Where am I supposed to put that if I'm trying to create a self-signed certificate, since we're only using this internally and I don't want to have to pay for a certificate when we really don't need one? I tried to use the CA SRV but there is no spot to put this.
tomotCommented:
cmb991Author Commented:
That seemed to work, but when I try to access Outlook off-site on a computer that is not on the domain, I get a certificate error that says 'The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority'.

This is normal, correct? Because the computer is not on the domain, so it can't verify it since it's self-signed??
cmb991Author Commented:
I also keep getting an error that says 'There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority.' Trying to access Outlook off-site on a non-domain PC. I'm assuming it's the same case as above, because the certificate is self-signed?
tomotCommented:
You are using RPC over HTTPS (Outlook Anywhere) and that is why you are getting the proxy server's security certificate error.
The trust error is a symptom of the self-signed certificate.
Here is why.
Let's say that your CAS is cas1.contoso.local and it issues itself a certificate. So the Certificate Authority for that certificate is
cas1.contoso.local
When you access your CAS from the internet, it most likely has a different public name, for example
cas1.contoso.com
and that name is not trusted as a CA.
cmb991Author Commented:
Okay, but from what you explained, that can't be fixed with a self-signed certificate then, correct?
tomotCommented:
Not in this case, where the public name of the CAS differs from the LAN/private name.
cmb991Author Commented:
Well, the name doesn't differ.... It's always autodiscovery.domain.org and mail.domain.org. Within the LAN I have a host and an MX record pointing it to the Exchange server and a few other records doing the same, and on the WAN side I have A records pointing it to mail.domain.org, and then mail.domain.org points to the public IP.