Exchange 2013 certificates invalid

Hi Experts,

My Exchange environment has been migrated from 2010 to 2013. I have purchased a trusted certificate and imported it to the new Exchange 2013 server, but the status shows as Invalid.

When users access OWA from outside, the certificate shows green and there is nothing wrong with it.

Could you please advise where I should look to troubleshoot this problem? Thank you.

Regards,
phucdk
phucdkAsked:

nazg82Commented:
It could be possible that the Exchange server can't verify the root certificates. After you installed the trusted certificate, did you also import the root certificates?
0
phucdkAuthor Commented:
No, I did not. I have been googling around and saw people mention it, but I don't know how to import the root certificates.

Could you please show me step by step how I should do it? Thank you.
0
nazg82Commented:
Where did you purchase your certificates?
0
phucdkAuthor Commented:
0
nazg82Commented:
And what kind of certificate did you buy?
Comodo? Thawte?
0
phucdkAuthor Commented:
Well, I am not sure I understand what you mean. What I did was create a self-signed cert from my Exchange IIS, copy the contents of the self-signed cert, then go to cheapSSL.com and generate a "trusted" certificate from my self-signed cert.
0
nazg82Commented:
On cheapSSL you had to select a specific kind of certificate. Do you remember the name of the certificate? Or, please log in to cheapSSL and look at what you have purchased.
0
phucdkAuthor Commented:
In my certificate information, I can see it says:

Issued to: myowa.mydomain.com
Issued by: EssentialSSL CA

When I click on Issuer Statement, it links to
http://www.comodo.com/about/comodo-agreements.php
0
nazg82Commented:
Okay, so it's a Comodo certificate.
Please download the root and intermediate certificates from:
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=20&pcid=1&nav=0,1

To add certificates to the Trusted Root Certification Authorities store:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, and then click Add.
4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.
5. Click Local computer, and click Finish.
6. If you have no more snap-ins to add to the console, click OK.
7. In the console tree, double-click Certificates.
8. Right-click the Trusted Root Certification Authorities store.
9. Click Import to import the certificates and follow the steps in the Certificate Import Wizard. First import the root certificate, then import the intermediate certificates.
0
phucdkAuthor Commented:
Thank you for your answer, Nazg82. Before I start importing the certs, I would like to ask: is the root certificate my purchased cert, and are the intermediate certificates the ones I download from this link?
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=20&pcid=1&nav=0,1

Thank you.
0
nazg82Commented:
Hi,

No, root and intermediate certificates are not your purchased certificate.
So you have to download the root and intermediate certificates. You've already installed your purchased certificate.
0
phucdkAuthor Commented:
Oh, I see now. The link has the root certs as well. Thank you.
0
phucdkAuthor Commented:
Hi,

I have just followed your instructions. Adding the root (AddTrustExternalCARoot) and intermediate (EssentialSSLCA) certificates you mentioned was successful. Then I restarted IIS (which did not help).

Then I restarted my Exchange Server 2013. Logging in to ECP, I still see the status of owa.domain.com as invalid. :-SS

Any idea? Please help, thanks.

Regards,
phucdk
0
phucdkAuthor Commented:
Anyone? Could you please give me a hint on how to solve this problem? What did I miss here? What else should I try? Thank you.
0
nazg82Commented:
Could you please verify if all of your internal and external virtual directories are pointing to owa.domain.com?

Some extra info on how you can configure the virtual directories:
http://geekswithblogs.net/marcde/archive/2013/08/03/exchange-2013-configuring-the-virtual-directories.aspx
0
phucdkAuthor Commented:
Just logged in to ECP 2013. In Servers >> Virtual directories >> ECP, EWS, Microsoft-Server-ActiveSync, OAB, OWA: all of these point to owa.domain.com, both internal and external.
0
phucdkAuthor Commented:
I don't know if this gives you more info to help me. I have just logged in to Exchange 2013; in IIS Manager, under Server Certificates, I opened the certificate owa.mydomain.com.

In Certification Path, it has a tree structure like this:
USER Trust > UTN - DATACorp SGC > COMODO Certification Authority > EssentialSSL CA > owa.mydomain.com
0
nazg82Commented:
Is there more info at the page where Exchange shows that the certificate is invalid?
0
phucdkAuthor Commented:
In the ECP 2013 / Servers / Certificates page, there are:
- Microsoft Exchange Server Auth Certificate: status Valid
- Microsoft Exchange: status Valid
- owa.mydomain.com: status Invalid
- WMSVC: status Valid

In the meantime, could you please see the page below:
http://social.technet.microsoft.com/Forums/exchange/en-US/fbace6c2-4f1f-475a-be3c-bcadb8a9dd7a/exchange-2013-trusted-certificate-invalid?forum=exchangesvrgeneral

Should I install the "CA cert" like the link says to make this work?
0
nazg82Commented:
Did you create the Certificate request from the Exchange 2013 server?
0
phucdkAuthor Commented:
Yes, I did. Is there any way to verify this?
0
phucdkAuthor Commented:
Well, I think I did choose Exchange 2013.

On the Server Certificates page, I can see Microsoft Exchange: Expiration Date 10/10/2018
and owa.mydomain.com: Expiration Date 10/11/2018

Microsoft Exchange Server Auth Certificate: Expires 9/14/2018
Microsoft Exchange Server Auth Certificate: Expires 10/8/2023
0
nazg82Commented:
Did you create your certificate like this?
http://www.digicert.com/csr-creation-microsoft-exchange-2013.htm
0
phucdkAuthor Commented:
Hi,

According to this link
http://www.entrust.net/knowledge-base/technote.cfm?tn=8351

it gives instructions like you said, but if you look closely at this guide, I can see they point to
Intermediate Certification Authorities\Certificates (should I import the intermediate certificate here?)

and import the root certificate into
Trusted Root Certification Authorities\Certificates

instead of importing both the intermediate and root certificates under Trusted Root Certification Authorities\Certificates.

What do you think?
0
nazg82Commented:
Yes, that could be it; please try.
But did you create the CSR from Exchange 2013?
0
phucdkAuthor Commented:
Did you create your certificate like this?
http://www.digicert.com/csr-creation-microsoft-exchange-2013.htm

No, I did not. I created it via Exchange 2013 IIS Manager. On the Server Certificates page, I chose Microsoft Exchange and created the Certificate Request from there.
0
phucdkAuthor Commented:
Hi,

I have just reissued the certificate and imported it to my Exchange 2013; it still says invalid. I have been on live chat with cheapssl.com support and they sent me the link with the root and intermediate certs based on my order. Then I went through adding the root and intermediate certificates in MMC / Certificates. After that, I also restarted my Exchange server. The problem still exists; I don't know what I should do now.

Please give me advice to solve this problem. Thank you.

Regards,
Phucdk
0
freaky_NLCommented:
Hi,

This issue is very complex. I'm still battling the details.

We frequently use EssentialSSL certificates. I now have 2 servers where it's fine - do note, it's only Exchange that's complaining. The 3rd server, where Exchange is complaining, passes all SSL tests (sslanalyzer from Comodo, IE 6 through 10, multiple versions of Firefox and multiple versions of Chrome - it's *definitely* valid).

The issue seems to stem from the certification path. EssentialSSL has multiple valid possible chains. On the 2 servers where it works, the path is (viewed from Chrome by going to the OWA site):

AddTrust External Root
UTN-USERFirst-Hardware
COMODO Certification Authority
EssentialSSL CA
mail.customer.com

On the server where it doesn't work, the path is:

UTN DATACorp SGC Root CA (<- available as a CA (for example pre-installed in Chrome) and as an intermediate, in which case the AddTrust External Root is the CA again)
COMODO Certification Authority
EssentialSSL CA
mail.customer.com

On all 3 servers the UTN DATACorp SGC Root CA certificates exist in the same folders - so it's not choosing the other path on the other 2 servers because they're not there. I can't force it to take a specific chain from what I see. There are at least 3 or 4 valid validation paths due to several possible intermediates leading up to AddTrust External Root. Browsers have no issues with these multiple paths, or so it seems, but Exchange definitely seems to puke on it.

The other chains/paths are in the cert stores as well. This is very frustrating/annoying.

Any ideas? I've been messing around with the cert stores on the other servers for hours before it worked. Hoping for a faster approach that'll work without much hassle.
0
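Added example, not posted by anyone in this thread: a PowerShell check that shows which certification path Windows actually builds for the Exchange certificate (the chain question raised in the last comment) and flags intermediate certificates sitting in the Trusted Root store instead of Intermediate Certification Authorities (the store placement question from the Entrust note above). It assumes the certificate subject is owa.mydomain.com as in the question; the final Get-ExchangeCertificate step only works in the Exchange Management Shell.

```powershell
# Assumed subject name from the question; change to match your certificate.
$SubjectName = 'owa.mydomain.com'

# Locate the server certificate (with private key) in the Local Computer Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $SubjectName found in Cert:\LocalMachine\My" }

# Build the chain the way Windows (and therefore Exchange) does, checking revocation online.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($cert)
Write-Host "Chain builds without errors: $built"

# Print the selected path, leaf first, with any per-element status (e.g. untrusted root, revocation failure).
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ' }
    Write-Host ("  {0}`n      thumbprint {1}  status: {2}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint, $status)
}
foreach ($s in $chain.ChainStatus) { Write-Host "  Overall: $($s.Status) - $($s.StatusInformation.Trim())" }

# Store hygiene: only self-signed roots belong in Trusted Root. Anything else there is an
# intermediate that should live in Cert:\LocalMachine\CA (Intermediate Certification Authorities).
$misplaced = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer }
foreach ($m in $misplaced) {
    Write-Warning ("Non-self-signed certificate in Trusted Root: {0} (issued by {1}, thumbprint {2}). " +
                   "Move it to Cert:\LocalMachine\CA." -f $m.Subject, $m.Issuer, $m.Thumbprint)
}

# Exchange's own verdict on the same certificate (Exchange Management Shell only).
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Subject, Issuer, Status, RootCAType, Services, NotAfter
}
```

Compare the path printed here with the one shown in a browser; if they differ, the server's stores hold an extra cross-signed intermediate or root that Windows prefers, and the Status field from Get-ExchangeCertificate tells you whether Exchange accepts the path it got.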