Justin H

asked on

SBS 2011 remote.xyz.com SSL certificate keeps popping up as invalid on clients

We have a migration that was completed from SBS 2003 to 2011 this weekend. In order to keep things completely seamless, we wanted to use the same DNS for external access as mail.xyz.com instead of the standard remote.xyz.com.

We imported a valid SSL from GoDaddy and it's working and validates when you use mail.xyz.com to access.

I have checked all the settings in the Exchange Management Console to point to mail. instead of remote. but still the clients are popping up certificate errors because they are not valid on all 3 points. When I view the cert it's trying to use the mail.cert but it's using the remote. URL.

Anyways, I think I need to remove the remote. certs because one of them is assigned to SMTP but it will not let me in the EMC. Any ideas on how to get this working?
Sushil Sonawane

Check the Exchange certificate thumbprint and run the following command in Exchange PowerShell.

Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e

Refer link : (http://technet.microsoft.com/en-us/library/aa997569(v=exchg.80).aspx)
Manpreet Singh Khatra
In EMC make sure that the External URL is pointing to Mail ... also make sure that the Cert is imported in IIS.

- Rancy
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
I agree with RobWill :) - please try; if there are any issues we can surely jump in to assist you.

- Rancy
If you still face the issue after running the Configure your internet address wizard, then run the test-outlookwebservices | fl command in Exchange PowerShell and check if it errors anywhere. If it does, then provide the complete output here.

"Configure your internet address" wizard in the SBS console

Will basically provide you the following details from your SBS console.

=> autodiscover.domain.com
=> mail.domain.com
=> CAS Server
=> CAS FQDN

You'll simply need the above URLs on your cert to have your folks go error free. However, in order to simplify the process - the process is defined above AND mentioned in earlier post.

Regards,
Exchange_Geek
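
A way to list which configured client URLs a certificate's names do not cover, as an added example that is not from any poster in this thread. The function names, host names and URLs are constructed for illustration; on the server the names would come from Get-ExchangeCertificate and the URLs from Get-ClientAccessServer and the Get-*VirtualDirectory cmdlets.

```powershell
# Added example: compare the host in each client-facing URL with the names on a certificate.
function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }      # -eq is case-insensitive
        # A wildcard entry (*.xyz.com) covers exactly one extra left-most label.
        if ($name.StartsWith('*.')) {
            $first, $rest = $HostName -split '\.', 2
            if ($rest -and ($rest -eq $name.Substring(2))) { return $true }
        }
    }
    return $false
}

function Get-UncoveredUrl {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($service in ($Urls.Keys | Sort-Object)) {
        $hostName = ([uri]$Urls[$service]).Host
        if (-not (Test-CertCoversHost -HostName $hostName -CertNames $CertNames)) {
            # Each returned object is a URL that will raise a name-mismatch warning.
            New-Object PSObject -Property @{ Service = $service; Host = $hostName }
        }
    }
}

# Constructed sample input. In the Exchange Management Shell, take the names from
# (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains instead.
$certNames = 'mail.xyz.com', 'autodiscover.xyz.com'
$urls = @{
    'Autodiscover SCP' = 'https://remote.xyz.com/Autodiscover/Autodiscover.xml'
    'EWS external'     = 'https://mail.xyz.com/EWS/Exchange.asmx'
    'OAB external'     = 'https://remote.xyz.com/OAB'
    'OWA external'     = 'https://mail.xyz.com/owa'
}

Get-UncoveredUrl -Urls $urls -CertNames $certNames |
    Format-Table Service, Host -AutoSize
```

With the sample values, the Autodiscover SCP and OAB entries are reported because they still point at remote.xyz.com.
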
Justin H

ASKER

When I run the reconfigure your internet address it will remove the SSL that I have imported via GoDaddy and assign its own self-signed. Will I still be able to then re-import the GoDaddy, or do I need to rekey and reissue it?

You'll need to re-issue the cert against a new key. I think GoDaddy doesn't charge for re-issuing certs.

Regards,
Exchange_Geek
@Sushil84: The link doesn't talk about SBS, which is what is being talked about.

Regards,
Exchange_Geek
I am not certain you will need to re-key.

Running the wizard will create a new self-signed certificate but I don't believe it will replace the 3rd party cert. Without changing the prefix you can safely run the wizard at any time with no repercussions, I have done so often. To the best of my knowledge changing the prefix and running the wizard will not have any ill effects either, though I have not had the need to try that. Of course the new prefix and certificate must match but in your case they will.

Normally installing the 3rd party certificate the 'SBS way' (see link) adds a certificate, and does not replace the existing cert.  You might have to re-associate the 3rd party cert with the appropriate sites.
http://blog.lan-tech.ca/2012/05/17/sbs-2008-2011-adding-an-ssl-certificate/
@Exchange_Geek: On SBS also it will work.
SBS works differently, natively Microsoft has provided it wizards that help it configure - one should stick to what is provided and not mess around.

What you have provided is industry standard for E2007 boxes - but understand this is SBS.

Read the details provided by MS about the wizard.

http://technet.microsoft.com/en-us/library/cc546055(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc546059.aspx

Regards,
Exchange_Geek