Solved

New 3rd Party SSL Certificate Stops OWA and Activesync working

Posted on 2013-01-07
13
754 Views
Last Modified: 2013-02-08
Hi,

I have recently been asked to change the exisiting self-signed SSL Certificate on a server for a 3rd party Certificate for compliance reasons.

I have new certificates from www.networksolutions.com.

The exisiting certificate is for "mail.mydomain.com" issued by "mail.mydomain.com"

My new one if for "mail.mydomain.com" issued by Network Solutions DV Server.

I have installed the 2 other certificates (AddTrustExternalCARoot) and (NetworkSolutionsDVserverCA) to the Intermediate Certification Authorities Certificates using MMC and Certificates. As well as placing the "mail.mydomain.com" certificate into Personal.

However, as soon as i replace my existing self-signed certificate (which all works) with the new NetworkSolutions Certificate, OWA and Activesync stop working.

What am I missing? Help
0
Comment
Question by:jerseysam
  • 6
  • 6
13 Comments
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38750824
what SAN's have you included in the certificate

what services have you attached to the certificate

once you have changed it over you can use https://www.testexchangeconnectivity.com/
to check for errors
0
 
LVL 15

Author Comment

by:jerseysam
ID: 38750840
I only included our "mail.mydomain.com"

how do i attach services etc?

Shall i post the https://www.testexchangeconnectivity.com/  log?
0
 
LVL 17

Accepted Solution

by:
OriNetworks earned 250 total points
ID: 38750946
Was the self-signed cert also for mail.mydomain.com or simply mailservername? You may need to install any trusted roots that are not currently on your clients.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 15

Author Comment

by:jerseysam
ID: 38750966
Yes self-signed was exactly same (mail.mydomain.com).

How do i install trusted roots on clients and iphones etc?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38750973
it depends on how you have your external service configured

is OWA and Active Sync pointed at the same url i.e. https://mail.mydomain.com/owa or
https://mail.mydomain.com/active-sync
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38751007
to attach services...

http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm

follow the last bit - if you assign IIS then that will cover OWA and Active Sync

if you post the log then it might be easier to see where any possible problems are
0
 
LVL 15

Author Comment

by:jerseysam
ID: 38751016
Exchange 2003 and IIS v 6.0 so dont seem to have assign services
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38751031
ahh sorry, my fault had assumed 2007 or 2010


you will probably need to do something in IIS, let me have a check its been a while since i played with 2003
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38751056
0
 
LVL 15

Author Comment

by:jerseysam
ID: 38751068
Yep.

think i need to create a new CRS request or somehting?

Seems that OWA works internally on server. Iphones do not work. OWA not working externally
0
 
LVL 15

Author Comment

by:jerseysam
ID: 38854401
I think the issue is that when i created my CRS then i may not have chosen the correct info.

In exchange my DNS says "mydomain.com" but my FQDN is "servername.mydomain.local"

What info should i use in my CRS? The self-generated certificate that works with iphones is "servername.mydomain.local"

Help
0
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 250 total points
ID: 38854532
for your certificate it should contain

external server fqdn i.e. owa.yourexteranldomain.com

as you are attaching this to your IIS service on exchange for owa you either need to include at least the following as well

internalserver.mydomain.local
netbios name
autodiscover
0
 
LVL 15

Author Comment

by:jerseysam
ID: 38854547
Yes i thought internalserver.mydomain.local is what i need, as this works correctly if i use a self-signed and generated SSL certificate.

Will need to create a new CRS and ask the 3rd party to issue a new certificate (is they will for a .local).
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question