Exchange 2013 SSL Root and Intermediate Setup

phucdk asked:

Hi Expert,

I am having an issue with my trusted certificate showing as invalid in my ECP 2013. I think I might have incorrectly imported the Root and Intermediate certificates into MMC/Certificates. I would appreciate it if you can advise me how to make this correct.

My trusted certificate has the path below:
USER Trust--->UNT - DATACorp SGC--->COMODO Certification Authority--->EssentialSSL CA--->owa.mydomain.com

** owa.mydomain.com is the certificate I purchased.

The current setup in MMC/Console Root/Certificates has the Personal, Trusted Root Certification Authorities, and Intermediate Certification Authorities folders, and of course many other folders.

When I checked the 3 folders I mentioned (Personal, Trusted Root Certification Authorities, Intermediate Certification Authorities), I can see that each of them contains all of the certificates (USER Trust, UNT - DATACorp SGC, COMODO Certification Authority, EssentialSSL CA, owa.mydomain.com).

I don't know if this is the reason for the conflict that makes my certificate (owa.mydomain.com) in ECP 2013 show as invalid. If this is the case, please help me with the steps to make it correct. Thank you.

Regards,
phucdk
Simon Butler (Sembee)

You shouldn't have your own SSL certificate in Root or Intermediate.
You also need to ensure that you are using the SSL tool in the right context - there are three, and Computer is the correct one to use.

What does your SSL provider say about installing the SSL certificate for the OS? Forget that it is Exchange for a moment - it is just the OS you have to worry about.

Simon.
phucdk (asker):

Thank you for your advice. I can assure you I have chosen the correct option, Computer account (the other 2 are My user account and Service account).

I have removed the SSL certificate from Root and Intermediate, and followed the guide from Comodo to add the Root and Intermediate certificates.

I would like to ask whether the Trusted Root Certification Authorities folder should contain only the Root certificate (AddTrust External CA Root). I ask because I can see the UNT - DATACorp SGC, COMODO Certification Authority, and EssentialSSL CA certificates there as well, under the Trusted Root Certification Authorities folder.

Should the Trusted Root folder contain only the AddTrust External CA Root certificate?

And should the Intermediate Certification Authorities folder contain the UNT - DATACorp SGC, COMODO Certification Authority, and EssentialSSL CA certificates?

By the way, when I run this command in EMS 2013, Get-ExchangeCertificate | fl, I get the result below. I want to ask why IsSelfSigned is False. Is that the reason I got an invalid SSL certificate?

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.mydm.com, www.owa.mydm.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater
NotAfter           : 10/11/2018 1:59:59 AM
NotBefore          : 10/11/2013 2:00:00 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 19C0CC9AC87A4DD474ED6803AAF9FC6F
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=owa.mydm.com, OU=EssentialSSL, OU=Domain Control Validated
Thumbprint         : 3A0AFEECACCA2AE8802BC434636544D84CFC90F2

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 9/14/2018 3:44:39 PM
NotBefore          : 10/10/2013 3:44:39 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 397B87A9799D2C854C01800251BBF601
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 2622E322C9EE2739B65E32115F0C82914041532B

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange2013, exchange2013.mydm.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=exchange2013
NotAfter           : 10/10/2018 3:43:09 PM
NotBefore          : 10/10/2013 3:43:09 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 15271171538D6F93467550EC478FD1CD
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=exchange2013
Thumbprint         : C0D960EAB0C8F761C3BCCCECDEF6AD474B3EA50C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
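The thread above turns on which Windows store each certificate belongs in: the purchased end-entity certificate (owa.mydomain.com) in Personal only, self-issued root CAs in Trusted Root, and the non-self-issued CAs in Intermediate. The following PowerShell audit is an added example and is not code from the thread, from Comodo or from Microsoft. It walks the LocalMachine Root and CA stores with the built-in certificate provider, reports any certificate that sits in the wrong store (an end-entity certificate in Root or Intermediate, an intermediate in Root, a root in Intermediate), and then builds the chain for the Exchange certificate with .NET's X509Chain, which is what the Status column of Get-ExchangeCertificate ultimately reflects. It assumes an elevated PowerShell 3.0 or later session on the Exchange server; the only page-specific value is $LeafThumbprint, taken from the Get-ExchangeCertificate output posted above.

```powershell
# Added example (not from the thread): audit LocalMachine certificate stores and
# build the chain for the Exchange certificate. Assumes elevated PowerShell 3.0+.
# $LeafThumbprint is the thumbprint of the purchased certificate as shown in the
# Get-ExchangeCertificate output in the thread; replace it with your own.
$LeafThumbprint = '3A0AFEECACCA2AE8802BC434636544D84CFC90F2'

function Test-IsSelfIssued {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A root CA certificate is issued to itself; every other certificate names a different issuer.
    return ($Cert.Subject -eq $Cert.Issuer)
}

function Test-IsCA {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Prefer Basic Constraints; fall back to Key Usage (keyCertSign); treat a certificate
    # with neither extension (old v1 roots) as a CA so it is not flagged by mistake.
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc) { return [bool]$bc.CertificateAuthority }
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) { return $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign) }
    return $true
}

$findings = New-Object System.Collections.Generic.List[string]

# Trusted Root Certification Authorities: only self-issued CA certificates belong here.
foreach ($c in Get-ChildItem Cert:\LocalMachine\Root) {
    if (-not (Test-IsCA $c)) {
        $findings.Add("Root store: '$($c.Subject)' ($($c.Thumbprint)) is an end-entity certificate and should be removed")
    } elseif (-not (Test-IsSelfIssued $c)) {
        $findings.Add("Root store: '$($c.Subject)' is not self-issued; an intermediate CA belongs in Cert:\LocalMachine\CA")
    }
}

# Intermediate Certification Authorities: CA certificates that chain up to a root belong here.
foreach ($c in Get-ChildItem Cert:\LocalMachine\CA) {
    if (-not (Test-IsCA $c)) {
        $findings.Add("Intermediate store: '$($c.Subject)' ($($c.Thumbprint)) is an end-entity certificate and should be removed")
    } elseif (Test-IsSelfIssued $c) {
        $findings.Add("Intermediate store: '$($c.Subject)' is self-issued (a root); roots are normally kept in Cert:\LocalMachine\Root")
    }
}

# Build the chain for the leaf the same way Windows does when Exchange evaluates it.
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $LeafThumbprint }
if (-not $leaf) {
    $findings.Add("Leaf certificate $LeafThumbprint was not found in the Personal (My) store")
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so the check runs offline; switch to Online before trusting the result.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($leaf)
    Write-Output "Chain for $($leaf.Subject):"
    foreach ($el in $chain.ChainElements) { Write-Output ("  " + $el.Certificate.Subject) }
    if (-not $built) {
        foreach ($s in $chain.ChainStatus) {
            $findings.Add("Chain: $($s.Status) - $($s.StatusInformation.Trim())")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No store or chain problems found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A clean installation prints the chain from the leaf up through the intermediates to the self-issued root and no findings; a chain that ends before a self-issued root, or a ChainStatus such as PartialChain or UntrustedRoot, points at a missing or misplaced CA certificate rather than at the leaf itself.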
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)