c7oi

How to make Exchange 2010 to be the Primary SSL Cert for Outlook Client?

Our Outlook Clients are getting the SSL Certificate from Exchange 2007 Server which just expired a few days ago.  And users are getting a POP-UP Security Alert stating the security certificate has expired or is not yet valid.  But my OWA is getting the SSL Certificate from Exchange 2010 Server.

How do I make the Exchange 2010 SSL Certificate to be the Primary for our Outlook Clients?  So the Security Alert Pop-Up will disappear.

Thank You

Outlook, Exchange


8/22/2022 - Mon
Suliman Abu Kharroub

"How do I make the Exchange 2010 SSL Certificate to be the Primary for our Outlook Clients?  So the Security Alert Pop-Up will disappear."

It will not solve the issue ... the best way is to renew the certificate.
Suliman Abu Kharroub

btw: you can get a public certificate for free...check it in http://startssl.com
c7oi

ASKER
My Exchange 2010 Server Certificate is not expired until 2015.  Somehow the Microsoft Outlook Clients are seeing the SSL Certificate on the Exchange 2007 SSL Certificate.  I am planning to decom my Exchange 2007 Server.
Suliman Abu Kharroub

What are the names listed in this certificate?

How many servers do you have? What roles does each one hold?

If this certificate works fine for clients connected to the 2007 CAS server, just export it (including the private key), import it on the 2010 CAS and assign services to it.
c7oi

ASKER
I just have one Exchange 2010 Server that holds CAS, HUB & Mailbox and the Exchange 2007 Server that we migrated from.


The thing is OWA sees the right SSL Cert from Exchange 2010 and the Workstation that has MS Outlook Clients sees the SSL Cert on Exchange 2007.
Suliman Abu Kharroub

From EMC, re-assign services to this certificate and restart Exchange services as in the attached. If that does not solve the issue, please re-create the Outlook profile and test again.
Capture.JPG
prashantjain

renew the certificate

it should be a san/uc certificate

san names should be correctly listed
c7oi

ASKER
Here are the Certificates I have on my Exchange 2010 server.  Will the renewed Cert be a self-signed cert?
cert.jpg
prashantjain

It's not clear if it is a SAN/UC Certificate.

why deploy a self signed certificate and live with the prompts

geotrust, digicert, globalsign, godaddy - so many inexpensive options are there from trusted CAs
c7oi

ASKER
Can you give me the steps to create a SAN/UC certificate?
Suliman Abu Kharroub

Not all of the above certificates are needed... just keep the one that includes the correct names and delete the rest (you can take an offline copy before deletion).
c7oi

ASKER
How do I verify that I have the correct SAN/UC Certificate from the main one?
c7oi

ASKER
I confirm that my SAN/UC Certification is correct on my Exchange 2010 Server.  OWA is receiving the Exchange 2010 SSL Cert but not on any of my Outlook Clients.  All internal users Outlook Clients are still getting their SSL Cert from Exchange 2007 server.
Cert.png
Suliman Abu Kharroub

When you click View Certificate, does it show the correct certificate?

Another thing: right-click the Outlook icon in the system tray while holding down the Ctrl key --> Connection Status. Where is Outlook trying to connect? Which server?
c7oi

ASKER
Outlook Client is seeing Exchange 2007 SSL Certificate not the Exchange 2010 Certificate

The connecting status is to Exchange 2010 Server.

FYI.
email = Exchange 2010
email2 = Exchange 2007
EmailTest.png
Suliman Abu Kharroub

Did you try to re-create the Outlook profile? Delete and create it again on one of the clients, please.
c7oi

ASKER
Yes.  Creating a New Profile (manually) still giving me the SSL Cert from Exchange 2007.

Additional Info:
If I create the profile with Auto Config, it sees the Exchange 2007 Server and the Security Alert Pop-Up.

ASKER CERTIFIED SOLUTION
Suliman Abu Kharroub

c7oi

ASKER
I already have an A record in my DNS server autodiscover.domain.ca to Exchange 2010.

Before I redirect the autodiscover from exchange 2007 to exchange 2010 as the default website, is there anything else I need to be aware of?

I have moved all my mailboxes to Exchange 2010, OWA users are on Exchange 2010, the only thing is the emails are going out from exchange 2010 to exchange 2007

When I use the get commands for the autodiscover URL, I can see both Exchange 2007 and Exchange 2010 information listed.
Suliman Abu Kharroub

>>Before I redirect the autodiscover from exchange 2007 to exchange 2010 as the default website, is there anything else I need to be aware of?

No, nothing.
c7oi

ASKER
I got an error message trying to run the first cmdlet.
[PS] C:\>Set-ClientAccessServer -Identity "email.xxx.com" -AutodiscoverServiceInternalUri https://email.xxx.com/autodiscover/autodiscover.xml

Error:

Set-ClientAccessServer : Object 'CN=EMAIL,CN=Servers,CN=Exchange Administrative
 Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=xxx Company
d,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxx,DC=com' is read-
only to the current version of Exchange.
c7oi

ASKER
This cmdlet was run on the Exchange 2007 Server.
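
A diagnostic for the situation discussed in this thread, added here as an example and not posted by any participant: it lists the Autodiscover URL each Client Access server publishes to Outlook and reports the certificate that the host behind each URL actually serves on port 443. It is meant to be run from the Exchange 2010 Management Shell; the helper name Get-ServedCertificate is hypothetical.

```powershell
# Added example; Get-ServedCertificate is a hypothetical helper name.
# Run from the Exchange 2010 Management Shell (PowerShell 2.0 compatible).

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # The callback accepts any certificate so that an expired one can still
        # be read. Nothing is sent over the stream after the handshake.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name extension (OID 2.5.29.17); empty if absent
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = ''
        if ($san) { $sanText = $san.Format($false) }

        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            SAN        = $sanText
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
}

# 1. Which Autodiscover URL does each Client Access server publish to Outlook?
$cas = Get-ClientAccessServer | Select-Object Name, AutodiscoverServiceInternalUri
$cas | Format-Table -AutoSize

# 2. Which certificate does the host behind each URL actually present?
$cas | Where-Object { $_.AutodiscoverServiceInternalUri } | ForEach-Object {
    $uri = [System.Uri][string]$_.AutodiscoverServiceInternalUri
    Get-ServedCertificate -HostName $uri.Host
} | Format-List Host, Subject, NotAfter, Expired, SAN, Thumbprint
```

A row with Expired = True identifies the host whose certificate triggers the Outlook security alert, and the SAN field shows whether the name in the published URL is covered by the certificate served there.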