Solved

Help with Self-Signed Exchange 2007 Certificate:

Posted on 2011-09-22
12
567 Views
Last Modified: 2012-05-12
Hi all.
Here's the situation.
We have a domain named "MyDomain" and already have a self-signed certificate on the Exchange 2007 server.  We'll call the Exchange server "MyExchangeServer".
The domain has a netbios name of "DomainNB" and the FQDN is known as "Domain.Local".
The self-signed certificate on the Exchange server reads "MyExchangeServer" but when accessing OWA you get a certificate warning stating that the name is mismatched.  This is because the OWA address is "https://webmail.domain.com/owa".
I'd like to add this OWA address into the current certificate or create a new one which includes the info from the current cert along with the OWA address.
I found a very helpful article which explains how to do just through the Exchange Management Shell:
http://www.emailsecuritymatters.com/site/blog/best-practices/how-to-create-self-signed-ssl-certificate-exchange-2003-2007-2010-windows/
The issue is the example they give is a little confusing to me and I was hoping someone can give me instructions in plain english, using my domain info above so I can accomplish this.
FYI - the whole reason I'm doing this is because I have a demo Windows 7 phone I'm trying to connect to the Exchange server and it won't connect because of the certificate name mismatch.  I'm assuming once this new certificate is created and placed in the Exchange server's Trusted Root Certification Authorities folder I'll be able to connect with the phone successfully.

One more thing is that when I browse the "local computer" certificates on the Exchange server, I find the self-signed certificate.  It is not currently in the "Trusted Root Certification Authorities" folder.  Is this going to be an issue?

Any help would be appreciated.
0
Comment
Question by:homerslmpson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 4

Expert Comment

by:AmonPereira
ID: 36579890
Hi,

First you need to enable Windows CA to issue SAN certificates (certs with multiple names). By default Windows CA only issues single certs.

There a link below which explains it better.

http://forums.kerio.com/t/15907/procedure-generate-ssl-certificate-using-multiple-names/

Let me know if it helped you.
0
 
LVL 4

Expert Comment

by:AmonPereira
ID: 36579893
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 36580015
OK so here's what happened.
I went ahead and followed the original link's instructions like a dope.
The certificate was created.
I verified OWA is still accessible from outside the network and it is.
The problem is you still get a certificate warning, this time stating that the certificate wasn't issued by a trusted certificate authority.
Of course the Windows phone still won't let me connect to Outlook.
To make matters worse, an Outlook 2010 user is now getting prompted to accept a certificate every time he opens Outlook.
I tried "installing" the certificate onto his machine but it doesn't seem to matter.
There are only 3 Outlook 2010 users and I'm going to assume this will only affect them but of course, we'll have more eventually and I'd like to get past this.
What the hell did I do?
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 4

Accepted Solution

by:
AmonPereira earned 500 total points
ID: 36580107
Homer,

To me there is only 2 options to solve this.

1 - Add certificate to Mobile device;
2 - Issue a valid SAN certificate.

I know SAN cert can be very expensive, but there is some options quite cheap.

Please check this one:

http://certificatesforexchange.com/

Using this one, you might bypass this issue with no worry.

Let me know if it helped you.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 36580227
Well I already emailed myself the certificate and installed it on the phone which apparently installed no problem but something is off.

For a price of $30 a year, this is definitely something to consider but this was kind of done without my managers knowledge and I don't want to have to ask for approval to get the cert, etc if I can help it.

I'm noticing that there are 2 certificates in the "Trusted Root Certification Authorities" folder on the Exchange serer that look identical.  They both have the name "MyExchangeServer.domain.local" and were "issued by" that same name name (MyExchangeServer.domain.local).

In the "Personal" certificates folder on the Exchange server there are 2 certificates that caught my attention.  The first one is named "MyExchangeServer" and there is no domain in the name.  This was the one that was here the whole time.
There is also the new one I created which states it's issued to "webmail.MyDomain.com" and was issued by "MyExchangeServer.domain.local".

I feel like this is a very simple fix for someone that has a strong understanding of what I'm trying to do and knows enough about certificates to help.
0
 
LVL 4

Expert Comment

by:AmonPereira
ID: 36580448
Please provide more information about your mobile OS.

Once i was in project which i had to disable mobile cert signing to make it works.

Im waiting...

0
 
LVL 1

Author Comment

by:homerslmpson
ID: 36581307
Very sorry for the delay.

I explained to my manager the situation and I got approval to go ahead and by the $30 SSL cert on the site you mentioned.

Is there anything I need to know about getting / applying this cert?  Perhaps I need to remove all of the previous created self-signed certs or move them elsewhere?

The mobile OS is Windows Phone 7 (Verizon HTC Trophy).

I've been reading nothing but horror stories when it comes to getting these phones to connect to Exchange.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 36582241
Of course the $30 SSL cert is the wrong one.
It needs to be the $60 per year USS SSL cert which I didn't get approval for.
0
 
LVL 4

Expert Comment

by:AmonPereira
ID: 36582515
Homer,

There is a way of using Exchange 2010 with a Single SSL Cert.

I found an article that might help you out.

http://cohesivelogic.com/2011/01/exchange-2010-single-name-ssl-certificates/

Let me know if it helps.
0
 
LVL 1

Author Comment

by:homerslmpson
ID: 36582579
That seems a bit more advanced than I'd like to get.
It's talking about modifying DNS, etc.
I can't believe this is so tricky.
I'm waiting on approval from my manager to spend the $60 as opposed to the $30 I already got approved for but in the mean time I'm trying to see if there is a free solution that actually works.
0
 
LVL 4

Expert Comment

by:AmonPereira
ID: 36582651
None i have know of.

But its possible and it works, i have done this once for a customer and it worked quite well.

If you are not going do it, please close the question.

Any more help, you can count on us.

Bye.
0
 
LVL 1

Author Closing Comment

by:homerslmpson
ID: 36600929
I went ahead and purchased a certificate from the link you provided but the $30 one wasn't the right one.  I needed to get the $60 one.  I just submitted the request for the certificate and am waiting to get it.
Assuming this takes care of the issue, this question can be closed.
Thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question