Exchange 2007 OWA Cert issue

Hello,

I have recently received a certificate from a trusted authority. When I installed it, OWA would not display on the web, but when I select the self-assigned cert, it comes back on. In the Exchange shell, I put "Get-ExchangeCertificate" and it shows two certs. It shows the self-signed cert with IP..S under Services and the legit cert with ..... under Services. When I select the self-created cert it will show IP.WS under Services.

I need OWA to work with the legit cert installed. Can someone please shine some light on this.

I am running Exchange 2007 on Windows 2003 and IIS 6.

Thanks for any help
racastillojr asked:
 
racastillojr (Author) commented:
could not resolve. closing question
0
 
akhalighi commented:
Make sure that in your IIS the proper certificate is associated and bound with the OWA website.

check site binding ; then select https and hit edit , what SSL certificate is assigned to port 443 (https) ?
0
 
setasoujiro commented:
You must assign the services you wish to this certificate.
Enable-ExchangeCertificate -Thumbprint <certificate-thumbprint> -Services "IIS,POP,IMAP"
0

 
setasoujiro commented:
You do not need to do this in IIS, but on Exchange itself normally...
0
 
racastillojr (Author) commented:
How many services are there? I read one that started with W but now I can't find it. I want to make sure I have them all available.

0
 
setasoujiro commented:
You should only assign IIS to it if it's just for OWA...
POP3 and IMAP can be done too if you like.
0
 
akhalighi commented:
I had to do this in IIS to work.
0
 
racastillojr (Author) commented:
I ran the command in the shell and I got an error that said "The certificate with thumbprint <thumbprint> was not found." I copied it from the shell and pasted it, so I'm not sure why it says it can't find it.
0
 
setasoujiro commented:
Then double check the input...
If it's listed in the Get-Cert.. then it should be there.

Also i assume you ran the Import certificate cmdlet? and generated the request using shell?
0
 
racastillojr (Author) commented:
I triple checked it.

I used the shell to request the csr using the example below.

New-ExchangeCertificate -GenerateRequest -Path c:\mail.csr -KeySize 2048 -SubjectName "c=us, s=Illinois, l=Chicago, o=companyName, cn=mail.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True

0
 
setasoujiro commented:
Yes, that's correct, but did you import it afterwards?
0
 
racastillojr (Author) commented:
I used the IIS certificate wizard to import the cert. Was that the correct way, or should I use the shell to import it?
0
 
akhalighi commented:
Make sure the appropriate binding is there, or it won't use that certificate. It has it but it doesn't use it.

Select Default Web Site, check site binding; then select https and hit edit. What SSL certificate is assigned to port 443 (https)?
0
 
setasoujiro commented:
You should use the shell to import it (Enable-ExchangeCertificate needs the certificate from the pipeline or a -Thumbprint, so pipe the import into it):

    Import-ExchangeCertificate -Path C:\mydomain.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
0
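The complete procedure behind the two Enable-ExchangeCertificate commands above, as an added example that is not code from anyone in this thread. It is written for the Exchange 2007 Management Shell on the server that generated the request, assumes the signed certificate was saved as C:\mydomain.cer with subject CN mail.domain.com (the file name and CN are taken from the commands posted in the thread, not verified), and records the thumbprint of the certificate currently enabled for IIS so that it can be re-enabled if OWA stops answering:

```powershell
# Added example (not from the thread): import a CA-issued certificate with the
# Exchange cmdlets, enable it for IIS/OWA, and keep a way back to the
# previously enabled certificate. Run in the Exchange Management Shell on the
# Client Access server that generated the request.
# Assumptions: the signed certificate is C:\mydomain.cer and its subject CN is
# mail.domain.com.
$certFile   = "C:\mydomain.cer"
$expectedCn = "mail.domain.com"

# 1. Record which certificate currently serves IIS so it can be re-enabled.
#    Services names the enabled services (IIS, POP, IMAP, SMTP); the "IP.WS"
#    string in the default table output is only a display format.
$rollback = $null
foreach ($c in (Get-ExchangeCertificate)) {
    if ("$($c.Services)" -match "IIS") { $rollback = $c.Thumbprint }
}
Write-Host "Certificate currently enabled for IIS: $rollback"

# 2. Import with Import-ExchangeCertificate rather than the IIS wizard, so the
#    file is paired with the pending request's private key and the entry
#    appears in Get-ExchangeCertificate.
Import-ExchangeCertificate -Path $certFile | Out-Null

# 3. Select the new certificate by subject instead of pasting the thumbprint;
#    a pasted value with a hidden space or a non-hex character produces
#    "The certificate with thumbprint ... was not found".
$new = Get-ExchangeCertificate | Where-Object {
    ($_.Subject -like "*CN=$expectedCn*") -and ($_.Issuer -ne $_.Subject)
}
if ($new -eq $null)   { throw "No CA-issued certificate with CN=$expectedCn found" }
if ($new.Count -gt 1) { throw "More than one matching certificate; choose the thumbprint by hand" }
if (-not $new.HasPrivateKey) { throw "Certificate has no private key; it was not paired with the CSR" }

# 4. Enable only the service OWA needs. SMTP is left alone: enabling it prompts
#    to overwrite the default SMTP certificate, which OWA does not require.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# 5. Recycle the World Wide Web Publishing Service so the new certificate is
#    used for port 443, then show what is now enabled.
Restart-Service W3SVC
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Thumbprint, Services, Subject, NotAfter

# Rollback if https://mail.domain.com/owa stops answering:
#   Enable-ExchangeCertificate -Thumbprint $rollback -Services IIS
#   Restart-Service W3SVC
```

Selecting the certificate by subject and issuer, and taking the thumbprint from the object, sidesteps the copy-and-paste problem reported above; the self-signed certificate is excluded because its Issuer equals its Subject.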
 
racastillojr (Author) commented:
OK, I did the import from the shell and added services IIS, POP and IMAP. Now under Services in the legit cert it says IP..S, but when I use the legit cert I still can't connect to OWA.

I tried to add SMTP as a service for the legit cert after the fact and I get the following message:

Overwrite existing default SMTP certificate,< self made cert thumbprint> (expires 4/15/2016), with certificate <legit cert thumbprint> (expires 10/2/2014)
Yes, No

I'm worried that if I overwrite the working self made cert it wont work anymore if I try to go back to it if the legit cert doesn't work.

Any thoughts?
0
 
setasoujiro commented:
You do not need the SMTP service under that cert.
And you say you can't connect to OWA; did you reset the World Wide Web Publishing Service?
0
 
racastillojr (Author) commented:
No, I didn't.
0
 
setasoujiro commented:
Try that first: under services.msc, restart the said service.
0
 
racastillojr (Author) commented:
I restarted that service and it didn't work.
0
 
setasoujiro commented:
OK, and which error message do you get when trying to access OWA?
0
 
racastillojr (Author) commented:
On IE 8 it says "Internet Explorer cannot display the webpage" when it gets to the https part. On Firefox, it says "the connection has been reset, would you like to try again" when it gets to the https part.
0
 
setasoujiro commented:
What do you mean by "when it gets to the https part"?
0
 
racastillojr (Author) commented:
When users type in the OWA URL it redirects from http to https.
0
 
setasoujiro commented:
OK, you should normally enter https://youraddress/owa

Have you changed anything on the IIS side?
0
 
racastillojr (Author) commented:
No, the only thing I do is remove the legit cert and add the self-made cert so it comes back online.
0
 
setasoujiro commented:
OK, but if you look in IIS now, which one is there?
Because if the SS is there, you must now replace that too.
0
 
racastillojr (Author) commented:
I'm not sure what you mean by SS.
0
 
setasoujiro commented:
Self Signed :)
0
 
racastillojr (Author) commented:
In the IIS manager, if I go into the website properties and select Directory Security to view server certs, I see 3 certs to choose from to replace the SS cert. The one I use is the one that was issued to my server and says "Client Authentication" under intended purpose. Now that I just noticed, the SS cert says the intended purpose is "Server Authentication" and the legit cert says "Client Authentication" under intended purpose. Could that be the reason?
0
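A way to check the observation above from the shell rather than the MMC, as an added example that is not code from anyone in this thread. It reads the Local Computer Personal store (where Exchange 2007 keeps the certificates Get-ExchangeCertificate lists) and reports, for each certificate, whether the Enhanced Key Usage includes Server Authentication, whether a private key is present, whether the validity period and subject CN fit, and whether the chain builds; the expected CN mail.domain.com is an assumption taken from the request command posted earlier:

```powershell
# Added example (not from the thread): report why a certificate in the
# computer's Personal store may be unusable for OWA's HTTPS listener.
# Assumption: the CA-issued certificate's subject CN is mail.domain.com.
$expectedCn    = "mail.domain.com"
$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, shown as "Server Authentication"

function Test-OwaCertificate($cert) {
    $problems = @()

    # Enhanced Key Usage. A TLS server certificate must carry serverAuth; one
    # issued with only clientAuth (1.3.6.1.5.5.7.3.2) shows "Client
    # Authentication" as its intended purpose and cannot terminate HTTPS.
    # A certificate with no EKU extension at all is valid for any purpose.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -ne $null) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($oids -contains $serverAuthOid)) {
            $problems += "EKU lacks Server Authentication; has: " + [string]::Join(", ", [string[]]$oids)
        }
    }

    # Private key: present only if the file was paired with the CSR's key.
    if (-not $cert.HasPrivateKey) { $problems += "no private key" }

    # Validity window and the host name clients will type.
    $now = Get-Date
    if (($cert.NotBefore -gt $now) -or ($cert.NotAfter -lt $now)) { $problems += "outside validity period" }
    if ($cert.Subject -notlike "*CN=$expectedCn*") { $problems += "subject CN is not $expectedCn" }

    # Chain: fails when the vendor's intermediate or root certificates were not
    # installed. The self-signed certificate fails here with UntrustedRoot,
    # which is expected for it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $problems += "chain: " + $s.Status }
    }
    return ,$problems
}

foreach ($cert in (Get-ChildItem cert:\LocalMachine\My)) {
    $issues = Test-OwaCertificate $cert
    $verdict = "OK for OWA"
    if ($issues.Count -gt 0) {
        $verdict = "NOT usable: " + [string]::Join("; ", [string[]]$issues)
    }
    Write-Host ("{0}  {1}`n    {2}" -f $cert.Thumbprint, $cert.Subject, $verdict)
}
```

If the CA-issued certificate comes back with "EKU lacks Server Authentication", the browser's connection reset is explained without looking further at IIS or Exchange: the certificate has to be reissued by the vendor with Server Authentication in its Enhanced Key Usage. If only the chain check fails, install the vendor's intermediate and root certificates into the Local Computer store.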
 
ddiazp commented:
Could be.

Where and what kind of certificate did you get?

For Exchange you should get a UCC or SAN certificate, which includes a number of CNs so you can add webmail, autodiscover, your server name, etc.

0
 
setasoujiro commented:
You can also use a normal SSL cert, and normally if the certificate is not suitable for Exchange, it will tell you so during the import.
Try to bind the legit certificate to the site in IIS.
0
 
racastillojr (Author) commented:
I have tried to find the Binding option in the IIS manager and can't.
0
 
ddiazp commented:
Just right click the website OWA runs on, go to the security tab, then select 'Server Certificate'. Then just select 'Replace certificate' and choose the one you want to apply.

You can do the same steps to set it back to what it is.

You do not need to restart IIS.
0
 
ddiazp commented:
Right click website -> Properties -> Security tab *
0
 
racastillojr (Author) commented:
I did the replace cert and it still won't show. When I put back the SS cert it came back on.
0
 
ddiazp commented:
If you get an error page, contact your certificate vendor. They'll be able to guide you better.

If you get "invalid certificate" instead, make sure you installed the root and intermediate certificates as prompted to you by the vendor.
0
 
setasoujiro commented:
You should indeed contact your vendor, or maybe your vendor has a test tool to see if your cert is installed correctly?
0
 
racastillojr (Author) commented:
Because I was not able to find a solution.
0