• Status: Solved

exchange 2010 certificate pop up in outlook

Hi.  I just installed a 3rd party certificate on an exchange 2010 server for active sync, now when my clients log in they get a certificate popup.  I tried importing the cert into trusted root authorities but they get the warning every time they log back in.
How do I solve this?

Wes
Asked by: hmcnasty
 
Hendrik Wiese Commented:
Did you import the certificate on your primary domain controller, because that seemed to have worked for me in the past. But you have to import it on the local machine using mmc.

Follow my article up until step 7 and come back to this comment: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_8398-How-to-Deleting-a-SSL-Certificate-using-MMC.html

8. Now Right click on Personal > All Tasks > Import...
9. Click Next
10. Now Browse to your certificate and click next etc.
11. Give a minute or two and test again.
 
hmcnasty (Author) Commented:
Hi. Am I doing this on the local PCs/terminal server or the DC?

Wes
 
Akhater Commented:
if you imported the 3rd party correctly then you should NOT have a warning!

what names did you include in the SAN certificate?

what is the EXACT warning? can you share a screenshot? is it that it is not trusted or does not match the name?
 
hmcnasty (Author) Commented:
The certificate was imported properly, in fact it was only imported as an active sync cert
cert-warning.docx
 
hmcnasty (Author) Commented:
not even sure what this has to do with a site.  there is no site, just an outlook 2010 client using exchange 2010 locally.
 
Akhater Commented:
1. you cannot import a certificate as activesync only; if you assign it for IIS it will affect activesync/owa and outlook 2007/2010
2. your certificate was imported properly
3. the warning is clear: there is no de-es.de.local in the SAN of the certificate. Just rekey the certificate to include this name and it will solve your issue
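
The mismatch described above can be checked on the server by comparing the host names in the URLs Exchange hands to internal Outlook clients with the names on the certificate enabled for IIS. This is an added example for the Exchange Management Shell, not part of the original post; the `Test-NameCovered` helper is hypothetical.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.

# Hypothetical helper: is $HostName covered by one of the certificate names?
# A wildcard entry (*.example.com) covers exactly one extra left-most label.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)    # ".example.com"
            if ($HostName.Length -gt $suffix.Length -and $HostName.EndsWith($suffix)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -match '^[^.]+$') { return $true }
            }
        }
    }
    return $false
}

# Names on the certificate that is enabled for IIS.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# URLs that Autodiscover hands to internal Outlook 2007/2010 clients.
$urls = @()
$urls += Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl }
$urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl }

# One row per host name the clients connect to; Covered = False triggers the warning.
$urls | Where-Object { $_ } |
    ForEach-Object { ([uri]"$_").Host.ToLower() } | Sort-Object -Unique |
    ForEach-Object {
        New-Object PSObject -Property @{
            HostName = $_
            Covered  = Test-NameCovered -HostName $_ -CertNames $certNames
        }
    }
```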
 
hmcnasty (Author) Commented:
What do you mean by "rekey" ?  
 
Akhater Commented:
once you buy a certificate you should be able to issue as many times as you want as long as you are still in the validity period

1. from exchange create a new CSR to include de-es.de.local along with all other names you have
2. use this CSR to rekey the certificate at your Certificate Authority (if you have problems with that you should contact the support of your CA. I could help with godaddy because I know it well enough)
3. reimport the new certificate and enable it for IIS
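
The three steps above as Exchange Management Shell commands, as an added example that is not part of the original post. The two public host names and the file paths are placeholders; `de-es.de.local` is the server name from the warning in this thread, and the public name is used as the subject as advised later in the thread.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# Steps 1 and 3 are run separately: the CA issues the certificate in between.
# Placeholders (assumptions): the two public names and the C:\certs paths.
$names = 'mail.mydomain.com', 'autodiscover.mydomain.com', 'de-es.de.local'

# 1. Create the CSR. The first (public) name is the subject; every name is a SAN entry.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "cn=$($names[0])" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\exchange-ucc.req' -Value $csr

# 2. Submit exchange-ucc.req to the CA as a rekey/reissue and download the result.

# 3. Import the issued certificate; this completes the pending request from step 1.
$issued = 'C:\certs\exchange-ucc.cer'
$new = Import-ExchangeCertificate -FileData `
    ([byte[]](Get-Content -Path $issued -Encoding Byte -ReadCount 0))

# Do not bind the certificate if the CA dropped any requested name.
$have    = @($new.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing = @($names | Where-Object { $have -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Not enabling; certificate lacks: " + ($missing -join ', '))
} else {
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
    Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
        Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint
}
```

Leave the old certificate in place until Outlook clients connect without the warning, then delete it, as the thread advises. Public CAs have since stopped issuing certificates for internal names such as `.local` under the CA/Browser Forum baseline requirements, so on current deployments the usual fix is to point the internal URLs at a public name that is on the certificate.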
 
hmcnasty (Author) Commented:
Ok.  it is from godaddy.  I was under the impression that I could only have 1 name per certificate
 
Akhater Commented:
oh well it seems you didn't buy the correct certificate :( I am sorry about this but it looks like you will need to put some money on the table again since you cannot "upgrade" the certificate once you buy it (maybe you can ask godaddy for a refund I don't know)

in godaddy what you need to buy is a UCC or SAN certificate up to 5 SAN names and not a regular single name certificate

in your certificate include

mail.domain.com (or whatever you use for owa/activesync)
autodiscover.mail.com
de-es.de.local (guess that's the server name)
 
hmcnasty (Author) Commented:
Are you absolutely sure about this?  Everyone I spoke with at godaddy said I had the right one (not that they are the authority on exchange).  I just want to be sure that this will work.
 
Akhater Commented:
Yea you can trust me on this one :o)
 
hmcnasty (Author) Commented:
ok thanks, I'll get this reissued.  btw - can users be in outlook while I'm doing this?
I can't remember, when I generate the CSR I can pick the .local as the primary and then add the mail.mydomain.com
 
Akhater Commented:
yes you can do it while everyone is working no prob

the primary name should be mail.mydomain.com and not the .local

make sure mail.mydomain.com is in bold and then add autodiscover and the .local
 
hmcnasty (Author) Commented:
ok great.  I'm gonna do the auto discover as well.  is there anything I need to know about that?
 
hmcnasty (Author) Commented:
Thank you!!!
 
Akhater Commented:
no basically that's it, if you have any troubles during the process just update this thread
 
hmcnasty (Author) Commented:
oh 1 more thing. Do I just remove the current cert via exchange or do I do that somewhere else?

Wes
 
Akhater Commented:
what do you mean by removing the certificate ? do not touch the current certificate for now, once you get the new one and you assign it to iis you can delete the old one from exchange console
 
hmcnasty (Author) Commented:
oh ok cool thanks