• Status: Solved

The certificate chain couldn't be built. You may be missing required intermediate certificates.

Hello,

Using SBS 2011.  I have a self-signed cert for remote.domain.net.  I also have a cert I purchased from Network Solutions for www.domain.net.  Of course, both are using port 443.  When I bind remote or www to 443, I get the errors attached.

Any help is greatly appreciated.

Thank you in advance!
Exchange-Errors-120903.pdf
Asked by: gemccllc
 
Sushil Sonawane Commented:
Create a new certificate for the FQDN autodiscover.domain.net, because for Autodiscover purposes the host name "autodiscover" is required in the certificate. By default, Microsoft Outlook finds the Exchange server over the Internet through autodiscover.domainname.net.

Please make sure that "autodiscover.domain.net" is available in the public DNS.

Refer to the link below for the White Paper: Exchange 2007 Autodiscover Service. It's the same for Exchange 2010.

(http://technet.microsoft.com/en-us/library/bb332063%28v=exchg.80%29.aspx)
 
gemccllc (Author) Commented:
If I create a new certificate for the FQDN autodiscover.domain.net and then bind it to the IP address, doesn't that mean that only autodiscover will work correctly and things like remote.domain.net/OWA will not? As per the link you sent me:

In this scenario, one certificate is issued with the common name that is used as the entry point for clients that connect from the Internet, for example, mail.contoso.com. The second certificate has a common name that references the FQDN for the Autodiscover service, for example autodiscover.contoso.com. This option requires two separate Web sites and public IP addresses. The Default Web Site will host your primary Exchange features and services such as Outlook Web Access and Exchange ActiveSync while the second Web site will be used to host the Autodiscover service.

Please advise.

Thank you.
 
Sushil Sonawane Commented:
You can create a single certificate with multiple SAN names.

Ex.

autodiscover.domain.net, remote.domain.net

Please refer to the article below to create the SAN certificate through a CA authority

(http://exchangeserverpro.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority)

OR

You can create a self-signed certificate with the following command.

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" -SubjectName "cn=smtp.vcdomain.com.au" -DomainName vcpsydex01,vcpsydex01.vcp.local,smtp.vcdomain.com.au,autodiscover.vcdomain.com.au -PrivateKeyExportable $True

(http://marckean.wordpress.com/2009/10/09/install-self-signed-exchange-2010-ssl-certificate/)

(http://technet.microsoft.com/en-us/library/aa998327.aspx)
 
gemccllc (Author) Commented:
Will I need to go into IIS to bind the cert?  The reason I ask is that I plan on having different types of services going through port 443 (www, owa, etc) and I do not see the ability to bind more than one cert per protocol/IP address.

Thanks for your help!
 
gemccllc (Author) Commented:
One thing I thought of to accommodate all of the services is to change remote.domain.net to www.domain.net where I already have a cert via Network Solutions.  So OWA would be www.domain.net/owa.  Exchange by default created remote.domain.net, not me.

Would that work?

Thanks for your help!
 
Sushil Sonawane Commented:
You have a Network Solutions certificate. Recreate the new certificate with multiple SAN names from Network Solutions, as follows.

www.domain.net
autodiscover.domain.net
remote.domain.net

Then bind this certificate in IIS. Or you can import it through the SBS console.

Refer to the link below to import a third-party certificate

(http://blog.lan-tech.ca/2012/03/03/sbs-20082011-renew-3rd-party-certificate/)
 
gemccllc (Author) Commented:
Hi,

Doesn't this constitute a wildcard SSL?

Thanks in advance.
 
Sushil Sonawane Commented:
You can say that, but they are different concepts.

Please refer to the link below to understand more

(http://wiki.apache.org/httpd/UnderstandingMultiUseSSLCertificates)

Certificate type :

1) Single name certificates : Single name certificates contain only one subject name in the Subject field and are the default certificate name type.


2) Subject alternative name certificates : Subject Alternative Name certificates (SAN certificates) have one or more names in the Subject Alternative Name

Rather than adding each subject name into the SAN field of the certificate, it is convenient to have the certificate represent all potential subject names. This simplifies configuration and avoids the need to reissue certificates if additional names are added later.

3) Wildcard certificates :  Wildcard certificates use the asterisk character (*) to designate all possible subject names rather than list the names specifically. For example, rather than specifying EX1 and EX1.companyabc.com, the certificate is issued to the wildcard subject name *.companyabc.com and matches to both names (and any other host in companyabc.com!). Wildcard certificate support is being adopted slowly by operating systems, clients, and applications. There is no common agreement on how to match wildcard certificates to names, which is hindering the progress on adoption.

Please refer below link.

(http://allcomputers.us/windows_server/server-certificates-in-exchange-server-2010.aspx)
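The difference between the certificate types listed above, as an added example that is not part of the original thread: a PowerShell check of which host names a certificate's name list covers. The function names and the one-label wildcard rule are assumptions of this example, and the name lists are constructed sample values.

```powershell
# Added example: all host names and SAN lists below are constructed sample values.

function Test-SanMatch {
    # Returns $true when a single SAN entry covers a host name.
    # Wildcard rule assumed here: '*' only as the whole left-most label,
    # standing for exactly one label (RFC 6125-style matching).
    param([string]$Pattern, [string]$HostName)

    $p = $Pattern.Trim().TrimEnd('.').ToLowerInvariant()
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if (-not $p.StartsWith('*.')) { return $false }

    $suffix = $p.Substring(1)                       # e.g. ".domain.net"
    if (-not $h.EndsWith($suffix, [StringComparison]::Ordinal)) { return $false }
    $left = $h.Substring(0, $h.Length - $suffix.Length)
    # The part replaced by '*' must be one non-empty label (no dots).
    return ($left.Length -gt 0 -and -not $left.Contains('.'))
}

function Get-CertNameCoverage {
    # Reports, for each name clients will use, which SAN entry covers it (if any).
    param([string[]]$SanEntries, [string[]]$RequiredNames)

    foreach ($name in $RequiredNames) {
        $hit = $SanEntries |
            Where-Object { Test-SanMatch -Pattern $_ -HostName $name } |
            Select-Object -First 1
        New-Object PSObject -Property @{
            Name      = $name
            Covered   = [bool]$hit
            MatchedBy = $hit
        }
    }
}

$required = 'www.domain.net', 'remote.domain.net', 'autodiscover.domain.net'

# Single-name certificate: only www is covered.
Get-CertNameCoverage -SanEntries 'www.domain.net' -RequiredNames $required

# SAN certificate listing all three names: every name is covered.
Get-CertNameCoverage -SanEntries $required -RequiredNames $required

# Wildcard: covers one label under domain.net, but not the bare domain
# or a deeper name such as a.b.domain.net.
Get-CertNameCoverage -SanEntries '*.domain.net' `
    -RequiredNames ($required + 'domain.net', 'a.b.domain.net')
```

Any name reported with Covered = False will produce a name-mismatch warning in clients that connect to it over port 443 with that certificate bound.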
 
gemccllc (Author) Commented:
Three things:

1. Purchased a SAN SSL from GoDaddy so it could cover autodiscover. remote. www. all at the same time
2. Created an SRV record at the registrar
3. Created an SPF record at the registrar (for good measure)
 
gemccllc (Author) Commented:
All of the autodiscover issues were resolved!  :)  Woohoo!