Exchange 2013 SSL Root and Intermediate Setup

Hi Expert,

I am having an issue with my trusted certificate showing as invalid in my ECP 2013. I think I might have imported the Root and Intermediate certificates into MMC/Certificates incorrectly. I would appreciate it if you can advise me how to correct this.

My trusted certificate has the path below:
USER Trust--->UNT - DATACorp SGC--->COMODO Certification Authority--->EssentialSSL CA--->owa.mydomain.com

**owa.mydomain.com is the certificate I purchased.

The current setup in MMC/Console Root/Certificates has Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities folders, and of course there are many other folders.

When I checked those 3 folders that I mentioned (Personal, Trusted Root Certification Authorities, Intermediate Certification Authorities), I can see that each of them contains all of the certificates (USER Trust, UNT - DATACorp SGC, COMODO Certification Authority, EssentialSSL CA, owa.mydomain.com).

I don't know if this is what created the conflict that makes my certificate (owa.mydomain.com) show as invalid in ECP 2013. If this is the case, please help me with the steps to make it correct. Thank you.

Regards,
phucdk

Simon Butler (Sembee)ConsultantCommented:
You shouldn't have your own SSL certificate in Root or Intermediate.
You also need to ensure that you are using the SSL tool in the right context - there are three, and Computer is the correct one to use.

What does your SSL provider say about installing an SSL certificate for the OS? Forget that it is Exchange for a moment - it is just the OS you have to worry about.

Simon.
0
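The store layout Simon describes (root in Trusted Root, every CA between root and leaf in Intermediate, the purchased certificate in Personal with its private key, and nothing else anywhere) can be audited from PowerShell on the server. The following is an added example, not code from the thread or from Comodo; the subject name is taken from the question and is an assumption, so substitute your own. It runs in an elevated PowerShell in the LocalMachine (Computer) context and finishes by building the chain from the local stores, which is roughly what Get-ExchangeCertificate's Status reflects.

```powershell
# Added example, not from the original thread: audit the LocalMachine certificate stores
# for the chain described in the question and build the chain the way Windows (and so
# Exchange) sees it. Run in an elevated PowerShell on the Exchange server.
# $LeafSubject is an assumption taken from the post; substitute your own subject.
$LeafSubject = 'CN=owa.mydomain.com'

Add-Type -AssemblyName System.Security   # X509 types; harmless if already loaded

function Test-IsCaCert {
    # True if the certificate carries a BasicConstraints extension with cA=TRUE.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1
    return [bool]($bc -and $bc.CertificateAuthority)
}

function Test-IsSelfIssued {
    # Root certificates are self-issued: subject and issuer are the same name.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return $Cert.Subject -eq $Cert.Issuer
}

function New-Finding($Store, $Cert, $Problem) {
    [pscustomobject]@{ Store = $Store; Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; Problem = $Problem }
}

$findings = @()

# Trusted Root Certification Authorities: self-issued CA certificates only.
foreach ($c in Get-ChildItem Cert:\LocalMachine\Root) {
    if (-not (Test-IsSelfIssued $c)) { $findings += New-Finding 'Root' $c 'Not self-issued: an intermediate or end-entity cert in the Root store' }
}

# Intermediate Certification Authorities: CA certificates that are not self-issued.
foreach ($c in Get-ChildItem Cert:\LocalMachine\CA) {
    if (-not (Test-IsCaCert $c))  { $findings += New-Finding 'CA' $c 'Not a CA certificate: end-entity cert in the Intermediate store' }
    elseif (Test-IsSelfIssued $c) { $findings += New-Finding 'CA' $c 'Self-issued root in the Intermediate store (belongs in Root)' }
}

# The purchased certificate belongs in Personal (My) with its private key, and nowhere else.
foreach ($store in 'Root', 'CA') {
    foreach ($c in Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Subject -like "$LeafSubject*" }) {
        $findings += New-Finding $store $c 'Purchased certificate copied into a CA store; delete this copy'
        # To remove it once you have confirmed the thumbprint:
        #   Remove-Item "Cert:\LocalMachine\$store\$($c.Thumbprint)"
    }
}

$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "$LeafSubject*" } | Select-Object -First 1
if (-not $leaf) {
    Write-Warning "$LeafSubject not found in Cert:\LocalMachine\My"
} else {
    if (-not $leaf.HasPrivateKey) { $findings += New-Finding 'My' $leaf 'No private key: the request was completed on another machine or the key was not imported' }

    # Build the chain from the local stores, including an online revocation check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($leaf)
    Write-Host "Chain build for $($leaf.Subject): $(if ($built) { 'OK' } else { 'FAILED' })"
    foreach ($el in $chain.ChainElements) {
        $st = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        Write-Host ("  {0}`n      issued by {1}  [{2}]" -f $el.Certificate.Subject, $el.Certificate.Issuer, $(if ($st) { $st } else { 'ok' }))
    }
    foreach ($s in $chain.ChainStatus) { Write-Host "  chain status: $($s.Status) - $($s.StatusInformation.Trim())" }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No misplaced certificates found.' }
```

The findings table lists every certificate sitting in a store it does not belong in; clear those, re-run, and a clean run should end with the chain building OK from the purchased certificate up to a self-issued root. A chain that still fails with PartialChain or UntrustedRoot means an intermediate or the root is missing from the machine stores, not that the purchased certificate is bad.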
phucdkAuthor Commented:
Thank you for your advice. I can confirm I have chosen the correct option, Computer account (the other 2 are My user account and Service account).

I have removed the SSL certificate from Root and Intermediate, and followed the guide from Comodo to add the Root and Intermediate certificates.

I would like to ask whether the Trusted Root Certification Authorities folder should contain only the Root certificate (AddTrust External CA Root). I ask because I can see that there are UNT - DATACorp SGC, COMODO Certification Authority and EssentialSSL CA certificates as well under the Trusted Root Certification Authorities folder.

Should the Trusted Root folder contain only the AddTrust External CA Root certificate?

And should the Intermediate Certification Authorities folder contain the UNT - DATACorp SGC, COMODO Certification Authority and EssentialSSL CA certificates?

By the way, when I ran this command in EMS 2013, Get-ExchangeCertificate | fl, I got the result below. I want to ask why IsSelfSigned is False. Is that the reason I got an invalid SSL certificate?

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.mydm.com, www.owa.mydm.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, S=Greater
NotAfter           : 10/11/2018 1:59:59 AM
NotBefore          : 10/11/2013 2:00:00 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 19C0CC9AC87A4DD474ED6803AAF9FC6F
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=owa.mydm.com, OU=EssentialSSL, OU=Domain Control Validated
Thumbprint         : 3A0AFEECACCA2AE8802BC434636544D84CFC90F2

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 9/14/2018 3:44:39 PM
NotBefore          : 10/10/2013 3:44:39 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 397B87A9799D2C854C01800251BBF601
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 2622E322C9EE2739B65E32115F0C82914041532B

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange2013, exchange2013.mydm.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=exchange2013
NotAfter           : 10/10/2018 3:43:09 PM
NotBefore          : 10/10/2013 3:43:09 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 15271171538D6F93467550EC478FD1CD
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=exchange2013
Thumbprint         : C0D960EAB0C8F761C3BCCCECDEF6AD474B3EA50C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
0
Simon Butler (Sembee)ConsultantCommented:
IsSelfSigned is False
That is normal, because you are using a trusted certificate, not one that Exchange has generated itself.

I am not familiar with the Comodo certificates, but if you have followed their instructions then you should check that it is done correctly and that you don't have a conflicting certificate.

Check their support pages for a test site - most of the providers have those. They can tell if you have installed the certificate correctly by looking at the chain remotely.

Simon.
0
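Simon's suggestion to use the provider's test site is about checking the chain from the outside: a remote client only sees what the server sends in the handshake plus whatever roots the client already trusts. The following is an added example, not code from the thread or from any SSL provider, that does the same check locally with an SslStream; the host name is an assumption taken from the question. Run it from a workstation that does not have the Comodo intermediates installed, because on the Exchange server itself the local Intermediate store would silently fill in anything the server fails to send.

```powershell
# Added example, not from the original thread: connect to the published name on 443 and
# report the chain the client ends up with, as a local stand-in for the provider's test site.
# Run it from a workstation that does NOT have the intermediates installed: on the Exchange
# server itself the local CA store would fill in anything the server fails to send.
# The host name is an assumption taken from the post; substitute your own.

function Get-ServedCertificateChain {
    param([string]$HostName = 'owa.mydomain.com', [int]$Port = 443)

    $result = [pscustomobject]@{ HostName = $HostName; Protocol = $null; PolicyErrors = $null; Elements = @() }

    # The callback sees the chain the client built from the handshake plus its own stores.
    # Return $true so the handshake completes and every element can be reported; this is
    # an inspection tool, never copy that into real client code.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $result.PolicyErrors = $sslPolicyErrors
        $result.Elements = @(foreach ($el in $chain.ChainElements) {
            [pscustomobject]@{
                Subject  = $el.Certificate.Subject
                Issuer   = $el.Certificate.Issuer
                NotAfter = $el.Certificate.NotAfter
                Status   = (($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
            }
        })
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI and checks the leaf against the host name
        $result.Protocol = $ssl.SslProtocol
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
    return $result
}

$r = Get-ServedCertificateChain -HostName 'owa.mydomain.com'
"{0}  protocol={1}  policy errors={2}" -f $r.HostName, $r.Protocol, $r.PolicyErrors
$r.Elements | Format-Table -AutoSize

if ($r.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
    Write-Warning 'Chain errors: the server is not sending the intermediates, or the root is not trusted on this client.'
}
if ($r.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
    Write-Warning 'Name mismatch: the served certificate does not cover the name you connected to.'
}
```

A correct installation shows the purchased certificate first, each intermediate after it, a root last, and policy errors of None. If the served leaf turns out to be the self-signed CN=exchange2013 certificate rather than the purchased one, the problem is the binding (which certificate has the IIS service assigned) rather than the chain.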