Exchange 2007 OWA Cert issue

Posted on 2011-10-05
Last Modified: 2012-05-12
Hello,

I have recently received a certificate from a trusted authority. When I installed it, OWA would not display on the web, but when I select the self assigned cert, it comes back on. In the Exchange shell, I put "Get-ExchangeCertificate" and it shows two certs. It shows the self signed cert with IP..s under service and the legit cert with ..... under service. When I select the self created cert it will show IP.WS under services.

I need OWA to work with the legit cert installed. Can someone please shine some light on this?

I am running Exchange 2007 on Windows 2003 and IIS 6.

Thanks for any help
Question by:racastillojr
38 Comments
 
LVL 10

Expert Comment

by:akhalighi
ID: 36918373
Make sure that in your IIS the proper certificate is associated and bound with the OWA website.

Check site binding, then select https and hit edit. What SSL certificate is assigned to port 443 (https)?
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36918383
You must assign the services you wish to this certificate.

    Enable-ExchangeCertificate -Thumbprint <certificate-thumbprint> -Services "IIS,POP,IMAP"
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36918388
you do not need to do this in IIS, but on exchange itself normally...
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36918454
How many services are there? I read one that started with W but now I can't find it. I want to make sure I have them all available.

0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36918467
you should only assign IIS to it if it's just for OWA...
pop3 and imap can be done too if you like
0
 
LVL 10

Expert Comment

by:akhalighi
ID: 36918485
I had to do this in IIS to work.
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36918523
I ran the command in the shell and I got an error that said "The certificate with thumbprint <thumbprint> was not found". I copied it from the shell and pasted it, so I'm not sure why it says it can't find it.
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36918559
then double check the input...
if it's listed in the Get-Cert.. then it should be there.

Also, I assume you ran the Import certificate cmdlet and generated the request using the shell?
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36918588
I triple checked it.

I used the shell to request the csr using the example below.

    New-ExchangeCertificate -GenerateRequest -Path c:\mail.csr -KeySize 2048 -SubjectName "c=us, s=Illinois, l=Chicago, o=companyName, cn=mail.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True

0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36918609
yes that's correct, but did you import it afterwards?
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36918656
I used the IIS certificate wizard to import the cert. Was that the correct way, or should I use the shell to import it?
0
 
LVL 10

Expert Comment

by:akhalighi
ID: 36918693
Make sure the appropriate binding is there, or it won't use that certificate. It has it but it doesn't use it.

Select default web site, check site binding, then select https and hit edit. What SSL certificate is assigned to port 443 (https)?
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36918722
you should use the shell to import it:

    # Pipe the imported certificate into Enable-ExchangeCertificate so it receives the thumbprint
    Import-ExchangeCertificate -Path C:\mydomain.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36919570
Ok, I did the import from the shell and added services IIS, POP and IMAP. Now under service in the legit cert it says IP..S but when I use the legit cert I still can't connect to OWA.

I tried to add SMTP as a service for the legit cert after the fact and I get the following message:

Overwrite existing default SMTP certificate,< self made cert thumbprint> (expires 4/15/2016), with certificate <legit cert thumbprint> (expires 10/2/2014)
Yes, No

I'm worried that if I overwrite the working self made cert it won't work anymore if I try to go back to it if the legit cert doesn't work.

Any thoughts?
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36919609
you do not need the SMTP service under that cert.
And you say you can't connect to owa, did you reset the world wide web publishing service?
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36919625
No, I didn't.
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36919638
try that first, under services.msc --> restart the said service
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36919754
I restarted that service and it didn't work.
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36919793
ok, and which error message do you get when trying to access owa?
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36919893
On IE 8 it says "Internet Explorer cannot display webpage" when it gets to the https part. On Firefox, it says connection has been restarted, would you like to try again, when it gets to the https part.
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36919947
what do you mean when it gets to the https part?
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36920032
when users type in the owa url it redirects from http to https
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36920059
ok you should normally enter https://youraddress/owa

have you changed anything on the IIS side?
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36920066
No, the only thing I do is remove the legit cert and add the self made cert so it comes back online
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36920106
ok but if you look in IIS now, which one is there?
because if the SS is there, you must now replace that too
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36920126
I'm not sure what you mean by SS.
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36920142
Self Signed :)
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36920198
In the IIS manager, if I go into the website properties and select Directory Security to view server certs, I see 3 certs to choose from to replace the SS cert. The one I use is the one that was issued to my server and says Client Authentication under intended purpose. Now that I just noticed, the SS cert says the intended purpose is for Server Authentication and the legit cert says Client Authentication under intended purpose. Could that be the reason?
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 36920221
Could be.

Where and what kind of certificate did you get?

For exchange you should get a UMC or SAN certificate, which includes a number of CNs so you can add webmail, autodiscover, your servername, etc.

0
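The intended-purpose difference raised above can be checked from the shell rather than read off the IIS dialog. The following is an added example, not part of the original thread: it lists every certificate in the computer's Personal store with its private-key status and whether its Enhanced Key Usage permits Server Authentication, both of which an HTTPS site certificate needs. It assumes the certificates were installed into LocalMachine\My and uses only .NET classes, so it does not depend on the Exchange cmdlets.

```powershell
# Added diagnostic example (not from the thread).
# Assumption: the certificates live in the LocalMachine\My (Personal) store.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

$store.Certificates | ForEach-Object {
    $cert = $_

    # Collect the OIDs from the Enhanced Key Usage extension, if one is present.
    $eku = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $eku += $oid.Value }
        }
    }

    # A certificate with no EKU extension is not restricted to any purpose.
    $serverAuthOk = ($eku.Count -eq 0) -or ($eku -contains $serverAuth)

    $cert | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
        @{ Name = 'ServerAuth';     Expression = { $serverAuthOk } },
        @{ Name = 'UsableForHttps'; Expression = { $serverAuthOk -and $_.HasPrivateKey } }
} | Format-List

$store.Close()
```

A certificate that shows `HasPrivateKey : False` or `ServerAuth : False` cannot complete the TLS handshake as a server certificate, whichever tool was used to bind it.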
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36920272
you can also use a normal SSL cert, and normally if the certificate is not suitable for exchange, it will tell you so during the import.
Try to bind the legit certificate to the site in IIS
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36920293
I have tried to find the Binding option in the IIS manager and can't.
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 36920350
Just right click the website owa runs on, go to the security Tab, then select 'server certificate'. Then just select 'replace certificate' and choose the one you want to apply.

You can do the same steps to set it back to what it is.

You do not need to restart IIS
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 36920352
right click website->properties->security tab  *
0
 
LVL 4

Author Comment

by:racastillojr
ID: 36920439
I did the replace cert and it still won't show. When I put back the SS cert it came back on.
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 36920497
If you get an error page, contact your certificate vendor. They'll be able to guide you better.

If you get invalid certificate instead, make sure you installed root and intermediate certificates as prompted to you by the vendor
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36922500
You should indeed contact your vendor, or maybe your vendor has a test tool to see if your cert is installed correctly?
0
 
LVL 4

Accepted Solution

by:
racastillojr earned 0 total points
ID: 37317174
could not resolve. closing question
0
 
LVL 4

Author Closing Comment

by:racastillojr
ID: 37335685
Because I was not able to find a solution.
0
