• Status: Solved

Outlook 2007 keeps reporting certificate error with new Exchange 2010 server

I have been reading solutions to this problem for a week now and I'm still not able to figure out this certificate stuff.  My migration from WinServer2K3/Exchange2007 to WinServer2K8/Exchange 2010 had been going well until this error started popping up for every user whose mailbox I moved from the old server to the new one.

I understand that I need a CA and I've installed it on one of my DCs.  I just don't understand the details of the connection between the CA and the Exchange Server.

I see that my Exchange server has a default unsigned certificate and I can see the new certificate I can create on my Exchange server, but I don't get how the CA trusts this new certificate and I don't see how my workstation will trust it.  Nor do I understand how to get it into my trusted store.

OWA works like a champ, this cert error only shows up when I try to connect with my 2007 clients to the Exchange 2010 server.

Thanks in advance.
Asked:
aarontheyoung1
 
madhatter5501 Commented:
In Exchange you will need to create the new UCC SAN cert with all the domain and subdomain names you are using in your Exchange network.

Your best option is to buy the SAN cert from GoDaddy for $89; it is much easier for you and your users.

Depending on your environment, the Enterprise CA is different; if you let me know, I can point you in the right direction.

Once you get the CA cert installed you won't get that error anymore.  Exchange 2010 also requires the SAN cert to get full functionality out of your server.
 
aarontheyoung1 (Author) Commented:

My environment is very simple.  One Exchange Server will be the end result.  One domain.  My Exchange 2007 server will go away after I migrate everyone.

I've two DCs and the CA is on one of them.  How does buying the cert make it easier?  $89 is pretty cheap so if you're telling me it's plug and play if I buy it, I'll be sold.

However, it'd be nice to understand what is going on.

1.  How do I generate the CA cert?
2.  How do I install it on the Exchange Server?

Thanks!
 
aarontheyoung1 (Author) Commented:

I have a CA Exchange Issued Certificate on the DC that is the CA.  I can open that certificate and do a copy to a file and I've created an "ExportedCert.cer" file.  Now what?
 
madhatter5501 Commented:
In the EMC under server config, there should be an option to complete the pending certificate request; a wizard will open and walk you through the process.

The reason that buying a public cert is easier is because the clients will already have the trust established with GoDaddy in their certificate store; using an inside CA, you will have to install the cert manually to each client.
 
aarontheyoung1 (Author) Commented:

I've tried to run this wizard, but it always fails and tells me that a certificate with thumbprint <LONG THUMBPRINT> already exists.

Ah, GoDaddy is already in my Windows 7 Workstation certificate store?  When did that happen?
 
aarontheyoung1 (Author) Commented:
How do I generate a new certificate request with a new thumbprint?  I'm using:

New-ExchangeCertificate -FriendlyName "Franklin 2010 Cert" -IncludeServerFQDN -GenerateRequest -PrivateKeyExportable $true

 
madhatter5501 Commented:
Happens by default; it's included with the OS.
 
aarontheyoung1 (Author) Commented:

GoDaddy is going to cost us $89/year.  We sure would like to avoid that cost.  I thought it was a one time thing.  Can you help me with the steps to get the cert into the Exchange Server?  I can't get past this thumbprint problem.  Do I have to remove ALL certificates from the Exchange Server that are currently there?  Even my self-signed one?
 
aarontheyoung1 (Author) Commented:

Well, I created a completely new certificate on my CA and selected it to map to the cert request on my Exchange server and it completed without errors.  HOWEVER, its status is still PENDING.  Am I getting any closer?
 
madhatter5501 Commented:
Did you run the pending request wizard in Exchange?

No, you don't need to remove the self-signed cert.
 
aarontheyoung1 (Author) Commented:

Yes, I ran the Complete Pending Request on the Exchange 2010 Server.  Finished with no more thumbprint error.   Status still shows it as "This is a pending certificate signing request"
 
madhatter5501 Commented:
Try restarting the EMC.
 
aarontheyoung1 (Author) Commented:
No change.  Still pending.
 
Senthil Kumar Commented:
Looks like an internal URL pointing error. Try to point the internal URL matching to the certificate.
 
aarontheyoung1 (Author) Commented:
I'm not sure what you mean by "point the internal URL matching to the certificate".  The Internal URL of what?
 
aarontheyoung1 (Author) Commented:
I resolved this by getting a godaddy.com certificate and got technical support through them.
 
aarontheyoung1 (Author) Commented:
None.
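
Both the SAN advice from madhatter5501 and Senthil Kumar's remark about the internal URL come down to one check: every host name in the URLs the server hands to Outlook has to be covered by a name on the certificate. The PowerShell below is an added example, not code from any poster in this thread; the function names and all host names are constructed, and the Exchange cmdlets named in the comments only indicate where real values would come from.

```powershell
# Added example; host names and function names are constructed for illustration.
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches
        # mail.example.com, but not a.mail.example.com and not example.com.
        if ($d.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $d.Substring(1)) { return $true }
        }
    }
    return $false
}

function Get-UncoveredServiceUrl {
    param([hashtable]$ServiceUrls, [string[]]$CertDomains)
    foreach ($svc in ($ServiceUrls.Keys | Sort-Object)) {
        $hostName = ([Uri]$ServiceUrls[$svc]).Host
        if (-not (Test-NameCoveredByCert -HostName $hostName -CertDomains $CertDomains)) {
            # Emit one object per URL whose host the certificate does not cover.
            New-Object PSObject -Property @{ Service = $svc; Host = $hostName; Url = $ServiceUrls[$svc] }
        }
    }
}

# Constructed sample values. In the Exchange Management Shell the real ones come from:
#   (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains
#   (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
#   (Get-WebServicesVirtualDirectory).InternalUrl
#   (Get-OabVirtualDirectory).InternalUrl
$certDomains = @('mail.example.com', 'autodiscover.example.com')
$serviceUrls = @{
    'Autodiscover (SCP)' = 'https://ex2010.corp.example.local/Autodiscover/Autodiscover.xml'
    'EWS'                = 'https://mail.example.com/EWS/Exchange.asmx'
    'OAB'                = 'https://ex2010.corp.example.local/OAB'
}

# Any row listed here is a URL that would trigger a name-mismatch warning.
Get-UncoveredServiceUrl -ServiceUrls $serviceUrls -CertDomains $certDomains |
    Select-Object Service, Host, Url | Format-Table -AutoSize
```

Each row returned is a URL to repoint at a name on the certificate, or a name to add to the next certificate request.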