Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Wildcard Certificate Security Alert "The Name on the security cert is invaild or does not match the name of the site"

Posted on 2014-07-31
14
Medium Priority
?
1,535 Views
Last Modified: 2014-08-28
I have purchased a Wild Card Certificate from Thwate and did the following on the Exchange server 2010:

Friendly Name = itservicesmailabc

Enable Wildcard Certificate = Checked on

Root domain for wildcard = *.abc.com

Services = IIS, SMTP

Self signed = false (why is that)

Status = The certificate is valid for exchange server usage

So after its installed the OWA and ActiveSync work on the ssl and so does outlook anywhere however anybody that opens there Outlook client on there PC they get a Security Alert saying that "The Name on the security cert is invalid or does not match the name of the site"

How can I make it so this doesn't pop up anymore?

I also have 2 other Exchange certs below the wildcard one:

one of them says Microsoft Exchange and the self signed says True, its also a valid cert for exchange usage and the services are for IMAP, POP, SMTP but I don't need it I think and why is the self signed True?

The last one is Blank but says its issued to WMSvc-(local servername) it also has a True Self Signed and is also valid for exchange server usage but has no services attached to it.

Please let me know if I should delete both those other certs and that will solve my problem
0
Comment
Question by:Neogeo147
14 Comments
 
LVL 16

Expert Comment

by:Jon Brelie
ID: 40232177
Sounds like outlook is configured to just use "servername" when connecting to exchange, or your internal domain is not "abc.com"

Does your internal domain match the external domain you are using?
0
 

Author Comment

by:Neogeo147
ID: 40232197
well actually in my local DNS I have mydomain.com and mydomain.dom
0
 
LVL 16

Expert Comment

by:Jon Brelie
ID: 40232204
In that case, your wild card certificate will not work for exchange internally.

You need a SAN cert that contains the names you are using under both:

abc.com
and
mydomain.com
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
LVL 5

Expert Comment

by:amac81
ID: 40232205
Self signed means it is an internally self-signed certificate.  That is, trusted internally but not externally.  The certificate from Thawte is not self-signed as it is signed by Thawte's root which is trusted internally and externally.
0
 

Author Comment

by:Neogeo147
ID: 40232217
sorry for the confusion, I just used abc.com as generic and should have stuck with it...

so going by just abc.com then I have the following in my DNS

abc.com
and
abc.dom

does that still require a SAN cert, so am I screwed for the next 3 years on this wildcard cert?

I just want to get rid of the security alert
0
 
LVL 16

Expert Comment

by:Jon Brelie
ID: 40232226
Oh okay.  Then that should work as long as you're always connecting to "servername.abc.local" and not servername.

If you look at your outlook profile, what is listed under the "Server" field?
0
 

Author Comment

by:Neogeo147
ID: 40232240
it is the local server name: plc-ex02.abc.dom
0
 
LVL 16

Expert Comment

by:Jon Brelie
ID: 40232273
Oh wait.... sorry I misread your last comment.

your wildcard cert for *.abc.Com will not work for plc-ex02.abc.dom

You can still use your wildcard cert elsewhere, but for Exchange you will need a SAN cert that contains any name you use to access the server:

plc-ex02.abc.dom
mail.abc.com
OWA.abc.com
etc. etc..
0
 

Author Comment

by:Neogeo147
ID: 40232279
I thought the wild card cert was for adding any sub domain to it
0
 

Author Comment

by:Neogeo147
ID: 40232283
so if it won't work how can I get rid of the security alert, create a Group Policy to install the cert, something to get rid of this annoying cert.

Thanks
0
 
LVL 16

Expert Comment

by:Jon Brelie
ID: 40232353
Any subdomain - to one or the other.

As long as you're using .Com and .Dom they are two different domains.  Wildcard certs only work for ONE domain.

A UC/SAN cert is really the only appropriate way to fix the SSL alert.
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233582
Wildcards will only allow ONE extra term, so if you have *.abc.com  then exchange.abc.com is fine; however exchange.cloud.abc.com is not
Gareth
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 40233886
You cannot add your internal HostNames in public certificate
Since your external and internal dns name space is different, your CAS external and internal URLs are also different and the certificate only contains external name space, your outlook is getting warning \ errors

All you need to do, use split dns and configure all Exchange URLs with public name space only
In split dns, internal and external dns names are remain same and can be resolved through public IP over internet and can be resolved through private IP within corporate network

Use below link to configures all Exchange URLs, this includes, owa. ecp, active sync, autodiscover and so on.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
0
 
LVL 16

Expert Comment

by:Jon Brelie
ID: 40234597
@Mahesh - d'oh!  you're right.  I forgot that was changing.  Most CA's won't even issue them anymore.

I was thinking that would be easier than re-configuring Exchange, but I guess split DNS is the only option.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If something goes wrong with Exchange, your IT resources are in trouble.All Exchange server migration processes are not designed to be identical and though migrating email from on-premises Exchange mailbox to Cloud’s Office 365 is relatively simple…
Take a look at these 6 Outlook Email management tools which can augment the working and performance of Microsoft Outlook to give you a more rewarding emailing experience.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month11 days, 11 hours left to enroll

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question