Lasareath
asked on
Need Help Configuring a 5 name SSL Cert from GoDaddy for SBS 2011
Hello Experts,
I have a new Client with a NEW SBS 2011 server I've just installed, OWA is working fine.
I just bought a 5 name UCC SSL Cert from GoDaddy and I am ready to set it up but this is my first time.
I have found this post which I am using so far:
https://www.experts-exchange.com/questions/27271497/Windows-Server-2011-SBS-Exchange-iphone-setup.html?anchorAnswerId=36418567#a36418567
It says to add these domain names to the Cert:
mail.domain.com (or whatever you configured SBS 2011 for - default is usually remote)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites
I have created mail.mydomain.com & autodiscover.mydomain.com to both point to my client's new server and if I ping them they resolve fine.
These two make sense to me:
internalservername.internaldomain.local
internalservername
But I don't understand what to add for sites
Also I need help entering the data into the GoDaddy's Interface since I have never used GoDaddy before and this is my first SSL Cert that I am setting up.
Thanks,
Lasareath
ASKER
When I try to request the certificate I get the following error:
You can not enter subject alt names that are the same as the primary domain name
One or more SANs is not a fully qualified domain name. You must drop the invalid SANs
and it highlights my servername
xx-fs1
ASKER
Well I submitted the request without my servername and without the servername.domainname.local
It wouldn't let me add those two.
Internal domain names will not be supported for very much longer and GoDaddy won't let you buy a cert if you choose one that is beyond the cut-off date.
The sites name is related to SharePoint.
ASKER
OK, Thanks.
So the three I added will be fine?
mail.mydomain.com
autodiscover.mydomain.com
mydomain.com (it filled this one in itself when I pasted in the CSR info)
Well - not having installed a cert without the internal names included, can't guarantee you won't see problems.
The future of domain names (internally) is to use an external domain name - .local is being retired, so DNS adjustments may need to be made to keep everything 100% happy.
ASKER
What should I do about this?
Our auto-check recognized copyrighted, trademarked, or phishing-related words in the distinguished name.
Please allow 2-24 hours for us to manually review your domain authorization. If we require more information, we'll notify you by email.
You may also drop the following flagged SAN(s) to prevent your request from being denied.
autodiscover.my-domain.com my-domain.com
Additional questions? Contact technical support at 480.505.8852.
They want me to delete those domain names. Should I be doing this?, Or should I call them?
Do you own the domain name you are buying a certificate for?
Are the names copyrighted, trademarked or using phishing related words?
ASKER
We own the domain name. But it is hosted with 1and1 and the Cert is through goDaddy
This is a CPA office. It has the last name of the two partners and financial.com at the end.
Maybe they consider financial phishing ?
Doesn't sound phishy! to me.
I'd be giving them a call if I were you.
Alan
ASKER
If they won't let me add the internal domain names anymore what can I do?
Should I call them and demand that they add them?
Or will I be fine without the internal domain names?
I really need the iPhones to work. The OWA they really don't care about clicking continue to the
Well..... I just logged into their email and they received this email:
We have successfully completed the authentication process and issued your SSL certificate for the domain:
Now I just need to import it?
Download, import and enable for SMTP,POP3,IIS and IMAP
ASKER
Thanks, Logging in now to do that.
ASKER
There are two files included with their zip file I downloaded.
mail.my-domainfinancial.com.crt & gd_iis_intermediates.p7b
What is the 2nd file and what is a site seal?
I imported the first file and it said it worked. I'm about to try the iPhone setup.
ASKER
Not sure how to "enable for SMTP,POP3,IIS and IMAP"
But it works!!!
I added my iPhone to one of their email accounts and it worked. The only thing that the iPhone tried to do is add remote.mydomain.com as the server name, but I changed that to mail.mydomain.com and it worked!!!
I guess I'm all done?
ASKER
OK, Will I have to go the approval process again with goDaddy?
They are now getting this error on their desktops
remote.jpg
That is because you don't have remote.domain.com in the cert names.
Either re-key it or re-configure the server using the wizard.
Probably easier to re-run the wizard and click on the Link below the part where you add the domain name, which allows you to change remote to mail.
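The warning above comes from a name mismatch: the browser asks for remote.domain.com but the certificate's Subject Alternative Name list does not contain it. Before re-keying or re-running the wizard it is worth reading the SAN list straight out of the downloaded .crt and comparing it with the names SBS will use. The following PowerShell is an added example, not code from the thread or from GoDaddy; the file path in $CertPath and the list in $ExpectedNames are assumptions you replace with your own values.

```powershell
# Added example (not from the thread): list the DNS names in a certificate's
# Subject Alternative Name extension and compare them with the names the
# SBS 2011 wizard expects. $CertPath and $ExpectedNames are assumed values.
$CertPath      = 'C:\certs\mail.mydomain.com.crt'   # assumed: the .crt from the GoDaddy zip
$ExpectedNames = @('mail.mydomain.com', 'autodiscover.mydomain.com', 'mydomain.com')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.17 is the Subject Alternative Name extension.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "Certificate has no Subject Alternative Name extension" }

# Format($true) yields one entry per line, e.g. "DNS Name=mail.mydomain.com";
# keep only the DNS entries and normalise their case.
$sanNames = $sanExt.Format($true) -split "`r?`n" |
    Where-Object { $_ -match '^DNS Name=' } |
    ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLower() }

"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"SANs    : $($sanNames -join ', ')"

# Any expected name missing here is what produces the browser / Outlook
# certificate warning when the wizard prefix (remote vs. mail) and the cert disagree.
$missing = $ExpectedNames | Where-Object { $sanNames -notcontains $_.ToLower() }
if ($missing) {
    Write-Warning "Names not covered by this certificate: $($missing -join ', ')"
} else {
    "All expected names are covered."
}
```

If remote.mydomain.com (or whatever prefix the Internet Address wizard was run with) shows up in the warning, you have the same situation as above: either re-key the certificate with that name added or change the prefix in the wizard so the server stops asking for it.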
ASKER
I already re-submitted the cert with remote.
I guess I have to add that to my registrar and point it to my static IP as I did with autodiscover?
Correct.
ASKER
Ok. Did that. Waiting for godaddy to re-approve the cert.
Do I just import the cert again in the server or do I need to delete the one I imported this morning first?
You will need to delete the existing one, import the new one, repair the certificate to add the private key, then enable it.
A bit complicated, but easily done with the right commands.
To repair the certificate, run:
certutil repairstore my "AB CD EF GH IJ KL"
The "AB CD EF GH IJ KL" part is the serial number of the new certificate.
Full instructions here:
http://support.microsoft.com/kb/889651
ASKER
I went through those steps fine but something is not correct.
When I look at all the certs on the server there is a self-assigned one in the list named remote.mydomain.com and the new updated cert from GoDaddy does not include remote.mydomain.com at all.
If I look at the Alt names that are included in the cert there is no remote.mydomain.com
I guess I need to call GoDaddy?
ASKER
I re-ran the Domain name wizard and clicked advanced settings and changed remote to mail
Then I re-imported the Godaddy Cert and everything works perfectly, OWA, iPhone & Outlook on the user's desktops.
Thanks!
ASKER
On my next SBS 2011 server I am going to do the following:
set up my domain name with mail instead of remote, mail.mydomain.com/owa is shorter to type out than remote.mydomain.com/owa
create a UCC SSL cert with GoDaddy with the following names:
autodiscover.mydomain.com
mail.mydomain.com
mydomain.com
import the cert and be done with it.
Thanks!
ASKER
Today they are getting this:
There is a problem with this website's security certificate.
This organization's certificate has been revoked.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information
I'm going to try to upload the cert.
ASKER
Alan,
What does this mean?
You can now use the IIS MMC to assign the recovered keyset (certificate) to the Web site that you want.
Do I need to do this for OWA?
I re-ran your steps above with updating the serial number of my latest Cert file. But I still get the errors.
I'm going to see if I can reboot the server.
Lasareath
What have you done exactly from the point of installing the original certificate to where you are now?
ASKER
Right now OWA works but I get the normal warning that there is a Certificate Error.
If I click the certificate it shows me that it's the server generated one and not the godaddy cert.
Yesterday I re-ran the Setup my internet Address and changed the prefix from remote to mail.
And then I re-ran the import for the godaddy cert and updated the certutil command from above and it said it was successful.
If I look in Certificates now I see two mail.mydomain.com certs, one from GoDaddy and one that was generated from the server.
ASKER
I think I'm missing something. One more step?
The URL you gave me is from 2007, Is there a more up to date certutil update command for IIS7 and Exchange 2010?
After you imported the cert, then repaired it, did you install / assign it to SMTP,POP3,IIS and IMAP?
ASKER
I did not do the second part. How do I proceed?
Thanks!
Run get-exchangecertificate from the Exchange Management Shell, copy the relevant thumbprint from the correct SSL certificate and paste it into the next command:
Enable-ExchangeCertificate -thumbprint {insert the copied thumbprint here removing the brackets} -Services IIS,POP,IMAP,SMTP
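The two answers above (delete the old cert, import the new one, run certutil to re-attach the private key, then Enable-ExchangeCertificate for IIS/POP/IMAP/SMTP) are the whole replacement procedure, so here it is as one script for the Exchange Management Shell on SBS 2011. This is an added example, not code from the thread, the KB article or Exchange's documentation; the paths in $NewCertPath and $IntermediatePath and the subject in $SubjectName are assumptions. The order is changed slightly from the answers: the new certificate is enabled before the old one is removed, so the services are never left without a bound certificate in between.

```powershell
# Added example (not from the thread): replace the GoDaddy certificate on
# SBS 2011 / Exchange 2010 from the Exchange Management Shell.
# $NewCertPath, $IntermediatePath and $SubjectName are assumed values.
$NewCertPath      = 'C:\certs\mail.mydomain.com.crt'      # assumed: the re-keyed GoDaddy .crt
$IntermediatePath = 'C:\certs\gd_iis_intermediates.p7b'   # assumed: the chain file from the GoDaddy zip
$SubjectName      = 'CN=mail.mydomain.com'                # assumed: subject of the cert being replaced

# 1. Record what is currently bound (thumbprints, services) before changing anything.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject, NotAfter -AutoSize

# 2. Put GoDaddy's intermediate chain into the machine's Intermediate CA store so the
#    leaf certificate chains to a trusted root; this is what the second file in the zip is for.
certutil -addstore -f CA $IntermediatePath

# 3. Import the new leaf certificate through Exchange; it lands in the computer's Personal store.
$bytes   = [Byte[]](Get-Content -Path $NewCertPath -Encoding Byte -ReadCount 0)
$newCert = Import-ExchangeCertificate -FileData $bytes

# 4. Re-associate the private key generated with the original CSR with the imported cert.
#    This is the KB 889651 step; certutil keys it by serial number, not thumbprint.
certutil -repairstore my $newCert.SerialNumber

# 5. Bind the new cert to the Exchange services. Exchange asks before overwriting the
#    default SMTP certificate; -Force answers that prompt (the "say yes" in the thread).
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IIS,POP,IMAP,SMTP -Force

# 6. Only now remove other certificates with the same subject (the previous GoDaddy cert or
#    the self-issued one the wizard created), so Exchange cannot fall back to them.
Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $SubjectName -and $_.Thumbprint -ne $newCert.Thumbprint } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }

# 7. Confirm the binding and the names the certificate actually covers.
Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Run it as a domain admin in the Exchange Management Shell, not a plain PowerShell window, since the Exchange cmdlets are only loaded there. If step 4 reports that no matching private key exists, the CSR was generated on a different machine or the key was deleted with the old certificate, and the only fix is to generate a new CSR and re-key with GoDaddy.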
ASKER
I get an error and I don't know how to proceed.
error.jpg
Not seen that one before. I'd lean towards saying yes.
Who generated the other mail.domain.com certificate that is listed?
ASKER
That was generated when I re-ran the domain name wizard and changed remote.mydomain.com to mail.mydomain.com yesterday.
Ah - okay. So say yes then please.
ASKER
Seems like it worked. Something is still a little off.
If I go to mydomainfinancial.com/owa it quickly loads the log in screen of OWA with the GoDaddy cert.
If I go to mail.mydomainfinancial.com/owa it just hangs
ASKER
iPhones are fine.
Run the activesync test on https://testexchangeconnectivity.com and see what the results are (please post the output obscuring the domain / IP etc).
Does mail.yourdomain.com resolve to your IP address?
ASKER
Yes, so does mydomain.com and remote.mydomain.com
mail.mydomain.com/owa was working fine two days ago. I'm pretty sure it died after I re-ran the domain wizard
Okay - and when you ran the wizard you used mail.domain.com instead of the usual remote.domain.com?
Have you rebooted the server lately? Might be worth a reboot before digging further.
ASKER
I rebooted this morning after installing 20 updates. I can again right now
ASKER
OK. Well, I rebooted. Everything seems to work OK even though mail.mydomain.com does not.
I told everyone at the office to just use mydomainfinancial.com/owa to get their email from now on.
If something breaks or does not work then I'll worry about it.
Thanks Again for all your help Alan.
Lasareath
No problems - hope all is plain sailing from now on.
Alan
ASKER
Alan,
The crazy thing is that mail.mydomain.com/owa started working again!
I don't understand but I don't really care since they are paying the final payment tomorrow!
Thanks!
Lasareath
Oh well - if it ain't broke, don't fix it!
Glad it is working again - hope it stays that way.
Best wishes
Alan
ASKER
It says this:
Subject Alt Names - 4 of 5 domains remaining
No domains added.
Is one of the domains already added by default?