Exchange 2010 certificate error

Posted on 2012-08-31
Last Modified: 2012-09-26
I have a 2010 Exchange server.

Internally when I open Outlook I get the following error:

The name on the security certificate is invalid or does not match the name of the site.

I go to and it tells me:  Connectivity Test Successful with Warnings

One such warning looks like it may be related but I am not sure how to proceed:

Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.

Test Steps

ExRCA is attempting to build certificate chains for certificate, OU=Domain Control Validated,

One or more certificate chains were constructed successfully.

Additional Details

Analyzing the certificate chains for compatibility problems with versions of Windows.

Potential compatibility problems were identified with some versions of Windows.

Additional Details

ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Any thoughts or direction??
Question by:HDM
    LVL 63

    Accepted Solution

    All that means is that for full certificate compliance, the WINDOWS workstations need to have a root certificate update. If the machines are being fully patched then this isn't an issue. I think the root certificate update in question is from 2005.

    That will NOT be the cause of your internal error.
    The reason for your internal error will be one of three things; you need to see what reason the certificate is failing on. The primary reason is a single name SSL for say but the relevant changes haven't been made in Exchange to use that host name.


    Author Comment

    How would I assign this name in Exchange?
    LVL 37

    Assisted Solution

    by:Adam Brown
    The error is due to you using a certificate that does not have your internal URL set on it. For this, you would configure your internal URLs for Exchange to match what you have on the certificate.  has a PowerShell script that will help you set the InternalURLs for all of your Exchange virtual directories. When you do this, you should only access Exchange using the URL you set with the script.
    LVL 58

    Assisted Solution


    As Simon has already discussed, there could be many reasons for this issue.

    What name(s) are listed on your commercial SSL certificate which you have installed?

    The most common cause I come across for issues of this nature are setups which use a single-name (as already mentioned) or a SAN certificate which just lists the external names in instances where the internal AD domain does not match the external AD domain (i.e. and are listed).

    While the latter is my preferred approach and the one documented in TechNet (and also used by Microsoft Corporate IT), it does require configuration changes in Exchange to the URLs and URLs handed out for internal clients to access the Autodiscover service to ensure access is via one of the FQDNs which is listed on your certificate - and will therefore avoid certificate warnings.

    You can make changes to all the virtual directories which you need to worry about in the Exchange Management Console, under the Server Configuration > Client Access node. You will see various tabs for each server which show the various virtual directories; editing the properties exposes the InternalURL and ExternalURL values. For any access using an HTTPS secured URL, the domain used for access must be listed on your SSL certificate.

    For modifying the value on the Autodiscover Service Connection Point (SCP), which is used by internal, domain-joined Outlook clients, you will need to use the management shell:

    Set-ClientAccessServer <Server Name> -AutodiscoverServiceInternalUri

    where is a valid name as listed on the SSL certificate.

    In addition, you will most likely need to configure split DNS to allow the and records to be resolved to the internal IP address of your Client Access Server(s). This will depend on your firewall and current DNS situation, but in any event, it is a wise idea to ensure a loss of ISP connectivity to the Internet does not cause further hiccups with internal email through being unable to resolve the public names on the nameservers for your public domain.
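The check that the answers above describe (every HTTPS URL handed to clients must use a host name listed on the certificate) can be run as a read-only audit. This is an added example, not code from any of the posters; `CAS01` is a placeholder server name, and the script assumes the Exchange 2010 Management Shell.

```powershell
# Added example; read-only. Run in the Exchange Management Shell (Exchange 2010).
$server = 'CAS01'   # placeholder: your Client Access server name

# Names on the certificate(s) enabled for IIS on that server.
$certNames = @(Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)

function Test-NameOnCertificate([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        # A wildcard name covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.') + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

function New-Row($Source, $Kind, $Url) {
    $u = [uri]"$Url"
    # Only HTTPS URLs are checked against the certificate.
    $ok = if ($u.Scheme -eq 'https') {
        Test-NameOnCertificate $u.Host $certNames
    } else { 'n/a (not HTTPS)' }
    New-Object PSObject -Property @{ Source = $Source; Kind = $Kind; Host = $u.Host; OnCertificate = $ok }
}

# Collect the Autodiscover SCP value and each virtual directory URL.
$rows = @()
$scp = (Get-ClientAccessServer -Identity $server).AutodiscoverServiceInternalUri
if ($scp) { $rows += New-Row 'Autodiscover SCP' 'AutodiscoverServiceInternalUri' $scp }
$getters = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
           'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory'
foreach ($g in $getters) {
    foreach ($v in (& $g -Server $server)) {
        foreach ($kind in 'InternalUrl', 'ExternalUrl') {
            if ($v.$kind) { $rows += New-Row ($v.Name) $kind ($v.$kind) }
        }
    }
}
$rows | Format-Table Source, Kind, Host, OnCertificate -AutoSize

# Any row showing False is a URL to change. For the SCP the full form is
# (the angle-bracket name is a placeholder for a name on your certificate):
# Set-ClientAccessServer -Identity $server -AutodiscoverServiceInternalUri https://<name-on-cert>/Autodiscover/Autodiscover.xml
```

Rows marked `False` are the URLs that will produce the Outlook name-mismatch warning until they are changed to a name on the certificate and that name resolves internally.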


    Author Comment

    Sorry, I got distracted for a few.

    I will check these items and report back.
