Solved

exchange 2010 exchange certificates

Posted on 2011-09-15
Last Modified: 2012-05-12
Hello all, thank you for your time.

I just recently installed Exchange 2010 and I am having a slight issue with my Outlook 2007 client after I log on. I get a security alert and it seems to be looking at my SSL certificate from my vendor for my OWA domain. I thought it would look at the self assigned one but that appears not to be the case. The SSL certificate only lists the OWA domain, so I thought I would remove the existing one and reinstall a new one listing the local domain of the server in the "subject alternatives".

I can't remove the existing one because it states that it will stop the transport service and to just create a new one. When I create a new one it senses the thumbprint of the existing cert and won't complete the install?

Can anyone help me?
0
Question by:jrojas1213
10 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 36544745
Did you buy a SAN / UCC (Multi-Name) SSL certificate or just a single name certificate?

When you buy a certificate for Exchange 2007 / 2010, you will need to include the following names to keep Exchange and everything else happy:

mail.externaldomain.com (or whatever you chose)
autodiscover.externaldomain.com
internalservername.internaldomain.local
internalservername

If you don't have ALL of the above names, then you will receive a certificate error somewhere in Outlook, OWA or Activesync.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 36545024
Yes, that is my problem. I am trying to fix it, but please read the problem I am having:

"I can't remove the existing one because it states that it will stop the transport service and to just create a new one. When I create a new one it senses the thumbprint of the existing cert and won't complete the install?"
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 36545045
I need to know how to remove it so I can update it with exactly what you said:

mail.externaldomain.com (or whatever you chose)
autodiscover.externaldomain.com
internalservername.internaldomain.local
internalservername
0
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36545071
If you run the New Certificate wizard, generate a new Certificate Signing Request and then take that to your certificate provider, then re-key your certificate using the new request, get a new certificate issued, download the new certificate, install it on your Exchange server, enable it and assign services to it, then you can remove the incorrect certificate.

Leave the Exchange self-signed certificate alone.  It won't do any harm.
0
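The re-key procedure from the comment above, combined with the name list from the accepted solution, as an added Exchange Management Shell example. It is not code from the thread, and the subject, file paths, service list and old thumbprint are assumed placeholders.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# The names come from the accepted solution; everything else is a placeholder.
$names = 'mail.externaldomain.com',
         'autodiscover.externaldomain.com',
         'internalservername.internaldomain.local',
         'internalservername'

# 1. Generate the CSR. The new key pair stays on the server as a pending
#    request, so the existing certificate keeps serving clients meanwhile.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=US, O=Example Org, CN=mail.externaldomain.com' `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\mail.req' -Value $csr

# 2. After the provider re-keys and issues the certificate, import the response.
$new = Import-ExchangeCertificate -FileData `
    ([Byte[]](Get-Content -Path 'C:\certs\mail.cer' -Encoding Byte -ReadCount 0))

# 3. Verify every required name is on the certificate before switching over.
$have    = $new.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $have -notcontains $_ }
if ($missing) { throw "Certificate is missing names: $($missing -join ', ')" }

# 4. Assign services to the new certificate (service list is an assumption;
#    Exchange asks for confirmation before replacing the default SMTP cert).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP'

# 5. Confirm which certificate now holds the services, then remove the old
#    single-name certificate. The self-signed certificate is left in place.
Get-ExchangeCertificate | Format-List Thumbprint, Services, NotAfter, CertificateDomains
$oldThumbprint = '<THUMBPRINT-OF-OLD-CERTIFICATE>'   # placeholder
Remove-ExchangeCertificate -Thumbprint $oldThumbprint
```

Publicly trusted CAs no longer issue certificates containing internal-only names such as `.local` FQDNs or bare host names, so on a current deployment the last two entries in `$names` are only obtainable from an internal CA.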
 
LVL 1

Author Comment

by:jrojas1213
ID: 36545532
Yeah, I just learned that it's a single-domain certificate, so that is my problem. My predecessor used RapidSSL and they are expensive. GoDaddy appears a lot cheaper; have you heard of any issues with their certs?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36545738
No - they are fine - I use one from my GoDaddy Reseller Account.  The GoDaddy Reseller Account is actually cheaper than GoDaddy themselves!!
0
 
LVL 1

Assisted Solution

by:makyj
makyj earned 250 total points
ID: 36548741
We had a similar problem with our RapidSSL certificate, and found that creating proxy exceptions via GP on local machines for the Exchange IP and FQDN resolved this problem for us.

Might be a different issue, but worked for us...
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 36549024
makyj, that seems like an interesting solution. Do you mean Group Policy when you say "GP", and could you provide what policy you configured to correct this? Thanks.

0
 
LVL 1

Expert Comment

by:makyj
ID: 36550967
Sorry - Yes GP = group policy.

I added proxy exceptions to IE via group policy.  Will post exact location and content when I am back in front of PC - few hours time.
0
 
LVL 1

Expert Comment

by:makyj
ID: 36551385
jrojas1213:

Here are the Group Policy settings on our Windows 2008 DC:

User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings | Exceptions

- Do not use proxy server for local (intranet) addresses = Enabled
- Do not use proxy server addresses beginning with:
localhost
127.0.0.1
internalmailservername.local.externaldomain.com.au
mail.externaldomain.com.au
externaldomain.com.au
*.externaldomain.com.au

I realise some of these are duplicates, but if I give you all of them, hopefully they will work for you as well...  HTH
0
