SECC_IT
asked on
Exchange 2010 Certificates
Layout:
Domain: eyecare.com
Exchange 2010 with all SPs and RUs.
Most clients use OWA, using https://mail.eyecare.com/owa (yes even internally)
Own a godaddy SSL certificate that covers eyecare.com, mail.eyecare.com, and autodiscover.eyecare.com. OWA users are covered under this.
ISSUE:
GoDaddy will not cover our internal addresses any longer. I recently had to rekey our certificate and lost coverage of my .local addresses.
Internal: exchange.eyecare.local - I have a built-in Exchange certificate that does cover this internal address.
My OWA clients are fine - they do not get SSL errors because they are using mail.eyecare.com.
However, those that use Outlook 2010 are getting errors:
"The name on the security certificate is invalid or does not match the name of the site."
When you select "view certificate" on this error, it is pointing to the godaddy certificate for mail.eyecare.com.
When I configure Outlook 2010 to our server, it automatically inserts exchange.eyecare.local under mail server.
So, how do I tell Exchange to use the built-in exchange.eyecare.local certificate for the Outlook clients?
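The name-mismatch error above comes from Outlook being handed a hostname (exchange.eyecare.local) that is not in the Subject Alternative Names of the certificate bound to IIS. The following read-only check, added here as an illustration and not part of the original thread or of any Exchange documentation, runs in the Exchange Management Shell and lists every internal URL that Exchange 2010 publishes to Outlook via Autodiscover, then marks each one OK or MISSING against the domains on the certificate(s) that have the IIS service enabled. It changes nothing; it only shows which names would need to be on the certificate or which URLs would need to change. The domain names in the output are whatever your own server has configured.

```powershell
# Added diagnostic (not from the original thread): compare the hostnames that
# Exchange 2010 publishes to internal clients with the SANs on the certificate(s)
# assigned to IIS. Run from the Exchange Management Shell; it is read-only.

# Certificates assigned to the IIS service are the ones HTTPS clients actually see.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }

# Flatten their CertificateDomains into one lower-case, de-duplicated list.
$coveredNames = $iisCerts |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() } |
    Sort-Object -Unique

# Internal URLs that Autodiscover hands to Outlook (EWS, OAB, ActiveSync, OWA, ECP).
$urls = @()
$urls += (Get-ClientAccessServer         | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl })
$urls += (Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl })
$urls += (Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl })
$urls += (Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl })
$urls += (Get-EcpVirtualDirectory         | ForEach-Object { $_.InternalUrl })

foreach ($u in ($urls | Where-Object { $_ } | Sort-Object -Unique)) {
    # $Host is a reserved automatic variable in PowerShell, so use a different name.
    $hostName = ([System.Uri]$u).Host.ToLower()

    # Exact SAN match first, then a wildcard entry for the parent domain (e.g. *.eyecare.com).
    $ok = $coveredNames -contains $hostName
    if (-not $ok) {
        $parent = ($hostName -split '\.', 2)[1]
        $ok = $coveredNames -contains "*.$parent"
    }

    '{0,-8} {1}' -f $(if ($ok) { 'OK' } else { 'MISSING' }), $u
}
```

Any line marked MISSING is a URL whose hostname will produce exactly the "name on the security certificate is invalid" prompt in Outlook; the fix is either to put that name on the IIS-bound certificate or to point the URL at a name the certificate already covers, which is the choice discussed in the replies below.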
If you have not configured your internal url to require SSL why are your internal users going to SSL ?
The fact your internal users are getting SSL prompts indicates that it is configured to use SSL.
The option I outline above simply resolves an additional future problem you might have where users DO NOT trust your self signed certificate (without additional work).
It also minimizes your workload in terms of certificates to manage.
If you want to proceed using a self signed certificate, simply go to the .local sites in IIS and update the bindings to your self-signed certificate you will create.
I do not suggest this however, as I know it will probably just lead to a question later of clients NOT TRUSTING your new .local certificate.
ASKER
Honestly, your solution was actually my first thought, and you saved me some Googling by listing exactly how to do it.
Is there a downside to your solution?
There is no downside to be honest, it is the path most folks will end up going as a result of the certificate vendors' change from honoring requests with .local domains.
ASKER
Okay. I am going to try this. I will leave this ticket open in case I run into issues. Thank you! If it works, you'll get the points!
ASKER
I did everything you said. The commands ran without incident. I restarted the Exchange Transport service and the IIS Admin service and, voila! - no more certificate errors!
Thank you for your help!
ASKER
It is a workaround, but it will have to do. Thank you!
ASKER
How do I tell Exchange to use the built-in exchange.eyecare.local certificate for the Outlook clients?