Exchange 2007 OWA Cert issue

Hello,

I have recently received a certificate from a trusted authority. When I installed it, OWA would not display on the web, but when I select the self-assigned cert, it comes back on. In the Exchange shell, I put "Get-ExchangeCertificate" and it shows two certs. It shows the self-signed cert with IP..s under service and the legit cert with ..... under service. When I select the self-created cert it will show IP.WS under services.

I need OWA to work with the legit cert installed. Can someone please shine some light on this.

I am running Exchange 2007 on Windows 2003 and IIS 6.

Thanks for any help
racastillojrAsked:
akhalighiCommented:
Make sure that in your IIS the proper certificate is associated and bound with the OWA website.

Check site binding, then select https and hit edit: what SSL certificate is assigned to port 443 (https)?
setasoujiroCommented:
You must assign the services you wish to this certificate:

    Enable-ExchangeCertificate -Thumbprint <certificate-thumbprint> -Services "IIS,POP,IMAP"
setasoujiroCommented:
you do not need to do this in IIS, but on exchange itself normally...
racastillojrAuthor Commented:
How many services are there? I read one that started with W but now I can't find it. I want to make sure I have them all available.

setasoujiroCommented:
You should only assign IIS to it if it's just for OWA.
POP3 and IMAP can be done too if you like.
akhalighiCommented:
I had to do this in IIS to work.
racastillojrAuthor Commented:
I ran the command in the shell and I got an error that said "The certificate with thumbprint <thumbprint> was not found." I copied it from the shell and pasted it, so I'm not sure why it says it can't find it.
setasoujiroCommented:
Then double-check the input.
If it's listed in Get-ExchangeCertificate, then it should be there.

Also, I assume you ran the Import-ExchangeCertificate cmdlet, and generated the request using the shell?
racastillojrAuthor Commented:
I triple checked it.

I used the shell to request the CSR using the example below.

    New-ExchangeCertificate -GenerateRequest -Path c:\mail.csr -KeySize 2048 -SubjectName "c=us, s=Illinois, l=Chicago, o=companyName, cn=mail.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True

setasoujiroCommented:
Yes, that's correct, but did you import it afterwards?
racastillojrAuthor Commented:
I used the IIS certificate wizard to import the cert. Was that the correct way, or should I use the shell to import it?
akhalighiCommented:
Make sure the appropriate binding is there, or it won't use that certificate. It has it, but it doesn't use it.

Select Default Web Site, check site binding, then select https and hit edit: what SSL certificate is assigned to port 443 (https)?
setasoujiroCommented:
You should use the shell to import it. Enable-ExchangeCertificate needs to know which certificate to act on, so pipe the imported certificate into it (or pass its thumbprint with -Thumbprint):

    # Import the CA-issued certificate, then enable it for the listed services in one pipeline
    Import-ExchangeCertificate -Path C:\mydomain.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
racastillojrAuthor Commented:
Ok, I did the import from the shell and added services IIS, POP and IMAP. Now under service in the legit cert it says IP..S, but when I use the legit cert I still can't connect to OWA.

I tried to add SMTP as a service for the legit cert after the fact and I get the following message:

    Overwrite existing default SMTP certificate, <self-made cert thumbprint> (expires 4/15/2016), with certificate <legit cert thumbprint> (expires 10/2/2014)
    Yes, No

I'm worried that if I overwrite the working self-made cert it won't work anymore if I try to go back to it when the legit cert doesn't work.

Any thoughts?
setasoujiroCommented:
You do not need the SMTP service under that cert.
And you say you can't connect to OWA; did you restart the World Wide Web Publishing Service?
racastillojrAuthor Commented:
No, I didn't.
setasoujiroCommented:
Try that first: under services.msc, restart the said service.
racastillojrAuthor Commented:
I restarted that service and it didn't work.
setasoujiroCommented:
Ok, and which error message do you get when trying to access OWA?
racastillojrAuthor Commented:
On IE 8 it says "Internet Explorer cannot display the webpage" when it gets to the https part. On Firefox, it says the connection has been restarted, would you like to try again, when it gets to the https part.
setasoujiroCommented:
What do you mean by "when it gets to the https part"?
racastillojrAuthor Commented:
When users type in the OWA URL, it redirects from http to https.
setasoujiroCommented:
Ok, you should normally enter https://youraddress/owa

have you changed anything on the IIS side?
racastillojrAuthor Commented:
No, the only thing I do is remove the legit cert and add the self-made cert so it comes back online.
setasoujiroCommented:
Ok, but if you look in IIS now, which one is there?
Because if the SS is there, you must now replace that too.
racastillojrAuthor Commented:
I'm not sure what you mean by SS.
setasoujiroCommented:
Self Signed :)
racastillojrAuthor Commented:
In the IIS manager, if I go into the website properties and select Directory Security to view server certs, I see 3 certs to choose from to replace the SS cert. The one I use is the one that was issued to my server and says Client Authentication under intended purpose. Now that I just noticed, the SS cert says the intended purpose is for Server Authentication and the legit cert says Client Authentication under intended purpose. Could that be the reason?
ddiazpCommented:
Could be.

Where and what kind of certificate did you get?

For Exchange you should get a UMC or SAN certificate, which includes a number of CNs so you can add webmail, autodiscover, your server name, etc.

setasoujiroCommented:
You can also use a normal SSL cert, and normally if the certificate is not suitable for Exchange, it will tell you so during the import.
Try to bind the legit certificate to the site in IIS.
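The checks discussed in this thread (is the certificate enabled for IIS, does it carry the Server Authentication purpose that the asker noticed is missing, does its chain validate, does it have a private key) can be run in one pass from the Exchange 2007 Management Shell. This is an added diagnostic script, not code posted in the thread; it assumes the CN from the CSR above (mail.domain.com) and uses only Get-ExchangeCertificate, Enable-ExchangeCertificate and the .NET X509Certificate2 members those cmdlets expose.

```powershell
# Added diagnostic script (not from the thread). Run in the Exchange 2007 Management Shell.
# Assumption: the CA-issued certificate was requested for mail.domain.com (CN from the CSR above).
$SubjectHost   = "mail.domain.com"
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth: IIS will not serve HTTPS without it

$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "*CN=$SubjectHost*" } | Select-Object -First 1
if ($cert -eq $null) {
    Write-Warning "No certificate with CN=$SubjectHost in the machine store; run Import-ExchangeCertificate first."
    return
}

Write-Host ("Thumbprint  : " + $cert.Thumbprint)
Write-Host ("Services    : " + $cert.Services)      # e.g. 'IMAP, POP, IIS' once enabled
Write-Host ("Expires     : " + $cert.NotAfter)
Write-Host ("Private key : " + $cert.HasPrivateKey)

# 1. Enhanced Key Usage. A cert whose only purpose is "Client Authentication" lacks
#    Server Authentication, which matches the symptom reported in the thread.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $false
if ($ekuExt -ne $null) {
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}
if (-not $hasServerAuth) {
    Write-Warning "EKU lacks Server Authentication; ask the CA to reissue it as an SSL/server certificate."
}

# 2. Chain. Verify() fails when the vendor's root or intermediate CA cert is not installed.
$chainOk = $cert.Verify()
if (-not $chainOk) { Write-Warning "Chain does not validate; install the root and intermediate CA certificates." }

# 3. Private key. Missing when the CSR was generated on a different machine than the one completing it.
if (-not $cert.HasPrivateKey) { Write-Warning "No private key; complete the request on the server that generated the CSR." }

# Bind it to IIS (OWA) only when every check passes; SMTP is left alone, as advised above.
if ($hasServerAuth -and $chainOk -and $cert.HasPrivateKey) {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS"
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Services, CertificateDomains
} else {
    Write-Host "Not enabling the certificate for IIS until the warnings above are resolved."
}
```

After a successful run, restart the World Wide Web Publishing Service and confirm that the Default Web Site in IIS now presents the same thumbprint.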
racastillojrAuthor Commented:
I have tried to find the Binding option in the IIS manager and can't.
ddiazpCommented:
Just right-click the website OWA runs on, go to the Directory Security tab, then select 'Server Certificate'. Then just select 'Replace certificate' and choose the one you want to apply.

You can do the same steps to set it back to what it is.

You do not need to restart IIS.
ddiazpCommented:
Right-click website -> Properties -> Directory Security tab.
racastillojrAuthor Commented:
I did the replace cert and it still won't show. When I put back the SS cert it came back on.
ddiazpCommented:
If you get an error page, contact your certificate vendor. They'll be able to guide you better.

If you get an invalid certificate instead, make sure you installed the root and intermediate certificates as prompted to you by the vendor.
setasoujiroCommented:
You should indeed contact your vendor, or maybe your vendor has a test tool to see if your cert is installed correctly?
racastillojrAuthor Commented:
Could not resolve. Closing question.

racastillojrAuthor Commented:
Because I was not able to find a solution.