Exchange 2013 certificates invalid

phucdk (ASKER)

Hi Experts,

My Exchange environment has been migrated from 2010 to 2013. I have purchased a trusted certificate and imported it to the new Exchange 2013 server, but the status shows as Invalid.

When users access OWA from outside, the certificate shows green and there is nothing wrong with it.

Could you please advise where I should look to troubleshoot this problem? Thank you.

Regards,
phucdk
nazg82

It could be that the Exchange server can't verify the root certificates. After you installed the trusted certificate, did you also import the root certificates?
phucdk (ASKER)

No, I did not. I have been googling around and saw people mention it, but I don't know how to import the root certificates.

Could you please show me step by step how I should do it? Thank you.
Where did you purchase your certificates?
And what kind of certificate did you buy?
Comodo? Thawte?
phucdk (ASKER)

Well, I am not sure I understand what you mean. What I did was create a self-signed cert from my Exchange IIS, copy the contents of the self-signed cert, then go to cheapSSL.com and generate a "trusted" certificate from my self-signed cert.
On cheapSSL you had to select a specific kind of certificate. Do you remember the name of the certificate? Or please log in to cheapssl and look at what you have purchased.
phucdk (ASKER)

In my certificate information, I can see:

Issued to:  myowa.mydomain.com
Issued by: EssentialSSL CA

When I click Issuer Statement, it links to
http://www.comodo.com/about/comodo-agreements.php
ASKER CERTIFIED SOLUTION
nazg82
phucdk (ASKER)

Thank you for your answer, Nazg82. Before I start importing certs, I would like to ask: is the root certificate my purchased cert, and is the intermediate certificate the one I download from this link?
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=20&pcid=1&nav=0,1

Thank you.
Hi,

No, root and intermediate certificates are not your purchased certificate.
So you have to download the root and intermediate certificates. You've already installed your purchased certificate.
phucdk (ASKER)

Oh, I see now. In the link there is a root cert as well. Thank you.
phucdk (ASKER)

Hi,

I have just followed your instructions. Adding the root (AddTrustExternalCARoot) and intermediate (EssentialSSLCA) certificates you mentioned was successful, then I restarted IIS (but no success).

Then I restarted my Exchange Server 2013. After logging in to ECP, I still see the status of owa.domain.com saying Invalid. :-SS

Any idea? Please help, thanks

Regards,
phucdk
phucdk (ASKER)

Anyone? Could you please give me a hint on how to solve this problem? What did I miss here? What else should I try? Thank you.
Could you please verify if all of your internal and external virtual directories are pointing to owa.domain.com?

Some extra info on how you can configure the virtual directories:
http://geekswithblogs.net/marcde/archive/2013/08/03/exchange-2013-configuring-the-virtual-directories.aspx
phucdk (ASKER)

Just logged in to ECP 2013. In the Servers category >> virtual directories >> ECP, EWS, Microsoft-Server-ActiveSync, OAB, OWA: all of these point to owa.domain.com, both internal and external.
phucdk (ASKER)

I don't know if this gives you more info to help me. I have just logged in to Exchange 2013; in IIS Manager, under Server Certificates, I opened the certificate owa.mydomain.com.

In Certification Path, it has a tree structure like this:
USER Trust > UTN - DATACorp SGC > COMODO Certification Authority > EssentialSSL CA > owa.mydomain.com
Is there more info at the page where Exchange shows that the certificate is invalid?
phucdk (ASKER)

On the ECP 2013 / Servers / Certificates page, there are:
- Microsoft Exchange Server Auth certificate: status Valid
- Microsoft Exchange: status Valid
- owa.mydomain.com: status Invalid
- WMSVC: status Valid

In the meantime, could you please see this page below:
http://social.technet.microsoft.com/Forums/exchange/en-US/fbace6c2-4f1f-475a-be3c-bcadb8a9dd7a/exchange-2013-trusted-certificate-invalid?forum=exchangesvrgeneral

Should I install "CA cert" like in the link said to make this work ?
Did you create the Certificate request from the Exchange 2013 server?
phucdk (ASKER)

Yes, I did, is there any way to verify this?
phucdk (ASKER)

Well, I think I did choose Exchange 2013.

On the Server Certificates page, I can see Microsoft Exchange: Expiration Date is 10/10/2018
and owa.mydomain.com: Expiration Date is 10/11/2018

Microsoft Exchange Server Auth certificate: expires 9/14/2018
Microsoft Exchange Server Auth certificate: expires 10/8/2023
phucdk (ASKER)

Hi,

According to this link
http://www.entrust.net/knowledge-base/technote.cfm?tn=8351

it gives instructions like you said, but if you look closely at this guide, I can see they point to
Check the folder Intermediate Certification Authorities\Certificates (should I import the intermediate certificate here?)

and import the root certificate in
Trusted Root Certification Authorities\Certificates

instead of importing both the intermediate and root certificates under Trusted Root Certification Authorities\Certificates.

What do you think?
Yes, that could be it, please try.
But did you create the CSR from Exchange 2013?
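The two points raised above (the purchased certificate is neither the root nor the intermediate, and the root belongs in Trusted Root Certification Authorities while the intermediate belongs in Intermediate Certification Authorities) can be applied and checked from PowerShell on the Exchange server. The script below is an added example, not code from the thread or from any vendor; the file paths under C:\certs are placeholders, and it assumes the issuer's bundle was saved as one certificate per .crt file. It picks the store from the certificate itself (self-signed means root, otherwise intermediate) and also reports any non-self-signed certificate that has ended up in the Root store, which is the misplacement the Entrust note warns about.

```powershell
# Added example (not from the original thread). LocalMachine\Root is the store the
# MMC shows as "Trusted Root Certification Authorities"; LocalMachine\CA is
# "Intermediate Certification Authorities". Run as administrator.

function Get-TargetStoreName {
    # A self-signed certificate (Subject equals Issuer) is a root and belongs in
    # Root; anything else is an intermediate and belongs in CA.
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if ($Cert.Subject -eq $Cert.Issuer) { 'Root' } else { 'CA' }
}

function Import-CaCertificate {
    # Reads one CA certificate file (DER or Base64) and adds it to the store its
    # type calls for. X509Store.Add is a no-op if the same certificate is present.
    param([Parameter(Mandatory=$true)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $storeName = Get-TargetStoreName -Cert $cert
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, 'LocalMachine'
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }
    finally { $store.Close() }
    [pscustomobject]@{ Subject = $cert.Subject; Store = "LocalMachine\$storeName"; Thumbprint = $cert.Thumbprint }
}

function Find-MisplacedIntermediate {
    # Non-self-signed certificates sitting in the Trusted Root store. A chain that
    # is built through such an entry is one reason the server-side validation
    # used by Exchange can fail while browsers, which build their own chain, accept
    # the same certificate.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer }
}

function Move-IntermediateToCaStore {
    # Relocates each misplaced intermediate from Root to CA. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    foreach ($cert in Find-MisplacedIntermediate) {
        if ($PSCmdlet.ShouldProcess($cert.Subject, 'Move from LocalMachine\Root to LocalMachine\CA')) {
            $ca = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'CA', 'LocalMachine'
            $ca.Open('ReadWrite');   $ca.Add($cert);      $ca.Close()
            $root = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
            $root.Open('ReadWrite'); $root.Remove($cert); $root.Close()
        }
    }
}

# Usage (placeholder file names; the thread's chain is AddTrust External CA Root
# as the root and EssentialSSL CA as the intermediate issuing the server cert):
Import-CaCertificate -Path 'C:\certs\AddTrustExternalCARoot.crt'   # self-signed -> Root
Import-CaCertificate -Path 'C:\certs\EssentialSSLCA.crt'           # issued by COMODO CA -> CA
Find-MisplacedIntermediate | Format-Table Subject, Issuer, Thumbprint -AutoSize
Move-IntermediateToCaStore -WhatIf
```

After moving certificates between stores, re-check the status in ECP or with Get-ExchangeCertificate; the store change takes effect without reinstalling the server certificate itself.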
phucdk (ASKER)

Did you create your certificate like this?
http://www.digicert.com/csr-creation-microsoft-exchange-2013.htm


No, I did not. I created it via Exchange 2013 IIS Manager. On the Server Certificates page, I chose Microsoft Exchange and created the Certificate Request from there.
phucdk (ASKER)

Hi,

I have just reissued the certificate and imported it to my Exchange 2013; it still says Invalid. I had a live chat with cheapssl.com support and they sent me the link with the root and intermediate certs based on my order. Then I went through adding the root and intermediate certificates in MMC / Certificates. After that, I also restarted my Exchange server. The problem still exists; I don't know what I should do now.

Please give me advice to solve this problem. Thank you.

Regards,
Phucdk
freaky_NL
Hi,

this issue is very complex. Still battling the details.

We frequently use EssentialSSL certificates. I now have 2 servers where it's fine - do note - it's only exchange that's complaining. The 3rd server, where exchange is complaining thus, passes all SSL tests (sslanalyzer from comodo, IE 6 through 10, firefox multiple versions and chrome multiple versions - it's *definitely* valid).

The issue seems to stem from the certification path. EssentialSSL has multiple valid possible chains. On the 2 servers where it works the path is (viewed from chrome by going to owa site)

AddTrust External Root
UTN-USERFirst-Hardware
COMODO Certification Authority
EssentialSSL CA
mail.customer.com

On the server where it doesn't work the path is:

UTN DATACorp SGC Root CA (<- available as CA (for example pre-installed in Chrome) and as intermediate in which case the AddTrust External Root is the CA again)
COMODO Certification Authority
EssentialSSL CA
mail.customer.com

On all 3 servers the UTN DATACorp SGC Root CA certificates exist in the same folders - it's not choosing the other path on the other 2 servers because they're not there thus. I can't force it to take a specific chain from what I see. There's at least 3 or 4 valid validation paths due to several possible intermediates leading up to AddTrust External Root, browsers have no issues with these multiple paths, or so it seems, but exchange definitely seems to puke on it.

The other chains/paths are in the cert stores as well. This is very frustrating/annoying.

Any ideas? I've been messing around with the cert stores on the other servers for hours before it worked. Hoping for a faster approach that'll work without much hassle.
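The observation above, that the same leaf certificate can chain up through either UTN-USERFirst-Hardware or the UTN DATACorp SGC certificate (which exists both as a self-signed root and as a cross-signed intermediate under AddTrust External Root), can be made visible from the server itself. The script below is an added example, not code from the thread; it assumes the server certificate's subject CN is the placeholder owa.mydomain.com and that it sits in LocalMachine\My with its private key. It builds the chain with the .NET X509Chain class, which uses the same CryptoAPI path building and LocalMachine stores as Exchange's own check, and then lists every certificate in the Root and CA stores that could have served as the issuer at each step, so that cross-signed duplicates show up as multiple candidates.

```powershell
# Added example (not from the original thread). Replace $HostName with the real
# subject name. Run from the Exchange Management Shell to get the final cross-check.
$HostName = 'owa.mydomain.com'

function Get-ServerCertificate {
    # Newest certificate in LocalMachine\My with a private key for the given CN.
    param([Parameter(Mandatory=$true)][string]$Name)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$Name*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Get-ChainReport {
    # Builds the chain from the LocalMachine stores, as server-side validation does.
    # Revocation checking is disabled so the report isolates path building from
    # CRL/OCSP reachability; status flags other than revocation are still reported.
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        Built  = $built
        Path   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })   # leaf first, root last
        Status = @($chain.ChainStatus   | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
}

function Get-IssuerCandidates {
    # Every certificate in the Root and CA stores whose subject equals the given
    # name. More than one hit (a self-signed copy plus a cross-signed copy issued
    # by another root) is what gives the same leaf several valid paths.
    param([Parameter(Mandatory=$true)][string]$SubjectName)
    foreach ($storeName in 'Root', 'CA') {
        Get-ChildItem "Cert:\LocalMachine\$storeName" |
            Where-Object { $_.Subject -eq $SubjectName } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $storeName
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

$cert = Get-ServerCertificate -Name $HostName
if (-not $cert) { throw "No certificate with a private key for CN=$HostName in LocalMachine\My" }

$report = Get-ChainReport -Cert $cert
"Chain built: {0}" -f $report.Built
$report.Path   | ForEach-Object { "  $_" }
$report.Status | ForEach-Object { "  status: $_" }

# Where could the path have forked? Each CA above the leaf with more than one
# matching certificate in the local stores is a fork point.
foreach ($subject in ($report.Path | Select-Object -Skip 1)) {
    $hits = @(Get-IssuerCandidates -SubjectName $subject)
    if ($hits.Count -gt 1) {
        "Multiple candidates for $subject"
        $hits | Format-Table Store, SelfSigned, Issuer, NotAfter, Thumbprint -AutoSize
    }
}

# Exchange's own verdict on the same certificate, when the cmdlet is available.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Status, Services, CertificateDomains
}
```

Comparing the Path and Status output between a server where ECP shows Valid and one where it shows Invalid tells you which intermediate the local store selected and which chain status flag Exchange is objecting to; the candidate table shows which duplicate certificates are available to be removed or relocated so that only one path remains.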