c7oi
How to make Exchange 2010 to be the Primary SSL Cert for Outlook Client?
Our Outlook Clients are getting the SSL Certificate from Exchange 2007 Server which just expired a few days ago. And users are getting a pop-up Security Alert stating the security certificate has expired or is not yet valid. But my OWA is getting the SSL Certificate from Exchange 2010 Server.
How do I make the Exchange 2010 SSL Certificate to be the Primary for our Outlook Clients? So the Security Alert Pop-Up will disappear.
Thank You
btw: you can get a public certificate for free...check it in http://startssl.com
ASKER
My Exchange 2010 Server Certificate is not expired until 2015. Somehow the Microsoft Outlook Clients are seeing the SSL Certificate on the Exchange 2007 Server. I am planning to decom my Exchange 2007 Server.
what are the names listed in this certificate ?
how many servers do you have? what roles each one holds?
If this certificate works fine for clients connected to the 2007 CAS server, just export it (including the private key), import it in the 2010 CAS and assign services to it.
ASKER
I just have one Exchange 2010 Server that holds CAS, HUB & Mailbox and the Exchange 2007 Server that we migrate from.
The thing is OWA sees the right SSL Cert from Exchange 2010 and the Workstation that has MS Outlook Clients sees the SSL Cert on Exchange 2007.
From EMC, re-assign services to this certificate and restart exchange services as in attached. If that does not solve the issue, please re create the outlook profile and test again.
Capture.JPG
renew the certificate
it should be a san/uc certificate
san names should be correctly listed
ASKER
Here are the certificates I have on my Exchange 2010 server. Will the renewed cert be a self-signed cert?
cert.jpg
It's not clear if it is a SAN/UC Certificate.
why deploy a self signed certificate and live with the prompts
geotrust, digicert, globalsign, godaddy - so many inexpensive options are there from trusted CAs
ASKER
Can you give me the steps to create a SAN/UC certificate.
Not all of the above certificates are needed... just keep the one that includes the correct names and delete the rest (you can take an offline copy before deletion).
ASKER
How do I verify that I have the correct SAN/UC Certificate from the main one?
Open the certificate properties and look at the SAN attribute. It should be like in the link below:
http://www.google.jo/imgres?q=san+certificate&um=1&hl=ar&sa=N&tbm=isch&tbnid=p5uQ4pYFQbrhxM:&imgrefurl=http://ssl.entrust.net/blog/%253Fp%253D784&docid=F0CLDptW7KfqvM&w=419&h=521&ei=KRtETtmPKYep8QOKtqzsBQ&zoom=1&iact=hc&vpx=187&vpy=227&dur=1110&hovh=250&hovw=201&tx=116&ty=151&page=1&tbnh=150&tbnw=121&start=0&ndsp=19&ved=1t:429,r:17,s:0&biw=1366&bih=601
ASKER
I confirm that my SAN/UC Certification is correct on my Exchange 2010 Server. OWA is receiving the Exchange 2010 SSL Cert but not on any of my Outlook Clients. All internal users Outlook Clients are still getting their SSL Cert from Exchange 2007 server.
Cert.png
When you click View Certificate, does it show the correct certificate?
Another thing: right-click on the Outlook icon in the system tray while holding down the Ctrl key --> Connection Status. Where is Outlook trying to connect? Which server?
ASKER
Outlook Client is seeing Exchange 2007 SSL Certificate not the Exchange 2010 Certificate
The connecting status is to Exchange 2010 Server.
FYI.
email = Exchange 2010
email2 = Exchange 2007
EmailTest.png
Did you try to re-create the Outlook profile? Delete and create it again on one of the clients, please.
ASKER
Yes. Creating a new profile (manually) is still giving me the SSL Cert from Exchange 2007.
Additional info:
If I create the profile with Auto Config, it sees the Exchange 2007 Server and the Security Alert pop-up.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
I already have an A record in my DNS server autodiscover.domain.ca to Exchange 2010.
Before I redirect the autodiscover from Exchange 2007 to Exchange 2010 as the default website, is there anything else I need to be aware of?
I have moved all my mailboxes to Exchange 2010, OWA users are on Exchange 2010, the only thing is the emails are going out from exchange 2010 to exchange 2007
When I use the get commands for the autodiscover URL, I can see both Exchange 2007 and Exchange 2010 information listed.
>>Before I redirect the autodiscover from Exchange 2007 to Exchange 2010 as the default website, is there anything else I need to be aware of?
no , nothing
ASKER
I got an error message trying to run the first cmdlet.
[PS] C:\>Set-ClientAccessServer -Identity "email.xxx.com" -AutodiscoverServiceInternalUri https://email.xxx.com/autodiscover/autodiscover.xml
Error:
Set-ClientAccessServer : Object 'CN=EMAIL,CN=Servers,CN=Exchange Administrative
Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=xxx Company
d,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=xxx,DC=com' is read-
only to the current version of Exchange.
ASKER
This cmdlet was run on the Exchange 2007 Server.
It will not solve the issue ... the best way is to renew the certificate.
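The two checks this thread keeps returning to, as an added example that is not part of the original posts: which certificate each host actually presents on port 443, and which Autodiscover URI each Client Access server publishes to internal Outlook clients. The host names are placeholders modelled on the thread's email/email2 naming, and the last section assumes it is run in the Exchange Management Shell.

```powershell
# Added example; host names are placeholders modelled on the thread
# (email = Exchange 2010, email2 = Exchange 2007). Replace with your own.
$targets = 'email.example.com', 'email2.example.com', 'autodiscover.example.com'

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented so an expired or mismatched certificate
        # can still be read. Inspection only: no application data is sent.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            SAN        = $(if ($san) { $san.Format($false) } else { '(none)' })
        }
    }
    catch {
        Write-Warning "${HostName}: $($_.Exception.Message)"
    }
    finally {
        $tcp.Close()
    }
}

$targets | ForEach-Object { Get-PresentedCertificate $_ } |
    Format-List Host, Subject, Thumbprint, NotAfter, Expired, SAN

# The remaining checks need the Exchange Management Shell.
if (Get-Command Get-ClientAccessServer -ErrorAction SilentlyContinue) {
    # Internal Outlook clients locate Autodiscover through this per-server URI.
    Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri
    # Which installed certificate is bound to IIS, and when it expires.
    Get-ExchangeCertificate |
        Format-List Thumbprint, Services, NotAfter, IsSelfSigned, CertificateDomains
}
```

A host whose thumbprint matches the expired certificate, combined with an AutoDiscoverServiceInternalUri that names that host, identifies the path Outlook follows to reach the old certificate.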