Exchange 2010 - Local Outlook 2010 users are being prompted with cert error

J C
I recently migrated a client to Exchange 2012. I purchased a certificate and installed it. External access to the server is fine, no cert errors. The problem is that "server.myclient.local" is how the server resolves internally, and that FQDN does not match that of the certificate. Do I need to rekey the certificate to include the internal FQDN as well? What are the steps to do that? Any help is appreciated.

Thanks
J C

Author

Commented:
*Exchange 2010, sorry
You have to order a SAN certificate which lists the FQDN in the subject alternate name field.

Don't have to use this site, but it has some information on the SAN certs.
http://www.digicert.com/ssl-support/exchange-2010-san-names.htm
Domain-joined Outlook 2007 clients were designed to ignore the first validity check. This meant that we wouldn’t get any certificate errors in Outlook 2007 even though a self-signed certificate (created by Exchange 2007 setup) was used.
 
With Outlook 2010 this is no longer the case. You see, with Outlook 2010 the Outlook team decided that the default behavior should be that Outlook always warns the end user if a self-signed certificate is used.
 
What does this mean to you? Probably not much since it’s always recommended to use certificates issued by your internal PKI or a public certificate authority. Anyway this is good to know in case you end up in a situation where you see Outlook 2007 and Outlook 2010 behavior is different when it comes to deployments where Exchange 2007 or 2010 uses self-signed certificates.

http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

You can actually use an internal CA, which is very easy to set up.

Just install the CA from Windows Server and issue a certificate for your internal Exchange Server. The internal CA will automatically be added to the clients' trusted certificate store.
J C

Author

Commented:
Sirreal45 was exactly right and I awarded sanjaykumar_p for the additional helpful information. Thanks a lot
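
Added example, not part of the original thread or any poster's code: a Python check of which names clients connect to are missing from a certificate's SAN list, which is the mismatch described in the question. The certificate dictionaries follow the shape returned by `ssl.SSLSocket.getpeercert()`; the `mail.myclient.example` names and all function names are constructed assumptions.

```python
# Added example: find client-facing names that a certificate's SAN list does not cover.
# Cert dicts mimic ssl.SSLSocket.getpeercert(); all values below are constructed.

def san_dns_names(cert):
    """Return lower-cased dNSName entries from a getpeercert()-style dict."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, hostname):
    """Exact match, or '*' standing for the entire leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels so '*.local' style patterns are refused
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_names(cert, client_names):
    """Names clients use that no SAN entry matches (each would raise a name warning)."""
    sans = san_dns_names(cert)
    return [n for n in client_names if not any(name_matches(s, n) for s in sans)]

# Names Outlook clients reach the server by: external names plus the internal FQDN.
CLIENT_NAMES = [
    "mail.myclient.example",          # constructed external name
    "autodiscover.myclient.example",  # constructed Autodiscover name
    "server.myclient.local",          # internal FQDN from the question
]

# Constructed: the purchased certificate lists only the external names.
PURCHASED_CERT = {"subjectAltName": (("DNS", "mail.myclient.example"),
                                     ("DNS", "autodiscover.myclient.example"))}

# Constructed: a SAN certificate that also lists the internal FQDN.
REISSUED_CERT = {"subjectAltName": PURCHASED_CERT["subjectAltName"]
                 + (("DNS", "server.myclient.local"),)}

if __name__ == "__main__":
    for label, cert in (("purchased", PURCHASED_CERT), ("reissued", REISSUED_CERT)):
        missing = uncovered_names(cert, CLIENT_NAMES)
        print(f"{label}: {'OK' if not missing else 'mismatch for ' + ', '.join(missing)}")
```
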