Solved

Wildcard Certificate Security Alert "The Name on the security cert is invalid or does not match the name of the site"

Posted on 2014-07-31
Last Modified: 2014-08-28
I have purchased a Wild Card Certificate from Thawte and did the following on the Exchange server 2010:

Friendly Name = itservicesmailabc

Enable Wildcard Certificate = Checked on

Root domain for wildcard = *.abc.com

Services = IIS, SMTP

Self signed = false (why is that)

Status = The certificate is valid for exchange server usage

So after it's installed the OWA and ActiveSync work on the SSL and so does Outlook Anywhere; however anybody that opens their Outlook client on their PC gets a Security Alert saying that "The Name on the security cert is invalid or does not match the name of the site".

How can I make it so this doesn't pop up anymore?

I also have 2 other Exchange certs below the wildcard one:

one of them says Microsoft Exchange and the self signed says True; it's also a valid cert for Exchange usage and the services are for IMAP, POP, SMTP, but I don't need it I think, and why is the self signed True?

The last one is blank but says it's issued to WMSvc-(local servername); it also has a True Self Signed and is also valid for Exchange server usage but has no services attached to it.

Please let me know if I should delete both those other certs and that will solve my problem
Question by:Neogeo147
14 Comments
 
LVL 16

Expert Comment

by:Enphyniti
ID: 40232177
Sounds like outlook is configured to just use "servername" when connecting to exchange, or your internal domain is not "abc.com"

Does your internal domain match the external domain you are using?

Author Comment

by:Neogeo147
ID: 40232197
well actually in my local DNS I have mydomain.com and mydomain.dom
LVL 16

Expert Comment

by:Enphyniti
ID: 40232204
In that case, your wild card certificate will not work for exchange internally.

You need a SAN cert that contains the names you are using under both:

abc.com
and
mydomain.com
LVL 5

Expert Comment

by:amac81
ID: 40232205
Self signed means it is an internally self-signed certificate.  That is, trusted internally but not externally.  The certificate from Thawte is not self-signed as it is signed by Thawte's root which is trusted internally and externally.

Author Comment

by:Neogeo147
ID: 40232217
sorry for the confusion, I just used abc.com as generic and should have stuck with it...

so going by just abc.com then I have the following in my DNS

abc.com
and
abc.dom

does that still require a SAN cert, so am I screwed for the next 3 years on this wildcard cert?

I just want to get rid of the security alert
LVL 16

Expert Comment

by:Enphyniti
ID: 40232226
Oh okay.  Then that should work as long as you're always connecting to "servername.abc.local" and not servername.

If you look at your outlook profile, what is listed under the "Server" field?

Author Comment

by:Neogeo147
ID: 40232240
it is the local server name: plc-ex02.abc.dom
LVL 16

Expert Comment

by:Enphyniti
ID: 40232273
Oh wait.... sorry I misread your last comment.

Your wildcard cert for *.abc.com will not work for plc-ex02.abc.dom.

You can still use your wildcard cert elsewhere, but for Exchange you will need a SAN cert that contains any name you use to access the server:

plc-ex02.abc.dom
mail.abc.com
OWA.abc.com
etc. etc..

Author Comment

by:Neogeo147
ID: 40232279
I thought the wild card cert was for adding any sub domain to it

Author Comment

by:Neogeo147
ID: 40232283
So if it won't work, how can I get rid of the security alert? Create a Group Policy to install the cert? Something to get rid of this annoying cert.

Thanks
LVL 16

Expert Comment

by:Enphyniti
ID: 40232353
Any subdomain - to one or the other.

As long as you're using .com and .dom they are two different domains.  Wildcard certs only work for ONE domain.

A UC/SAN cert is really the only appropriate way to fix the SSL alert.
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233582
Wildcards will only allow ONE extra term, so if you have *.abc.com then exchange.abc.com is fine; however exchange.cloud.abc.com is not.
Gareth
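As an added example (not code from the thread), the matching rule the two replies above describe, written as a PowerShell function and run against the names in this question; mail.abc.com, owa.abc.com and plc-ex02.abc.dom are the names mentioned in the thread, exchange.cloud.abc.com is Gareth's two-label case, and abc.com is included to show the bare domain is not covered either.

```powershell
# Added example (not from the thread): the rule a client applies when it
# checks whether a certificate name covers the host it connected to.
# Per RFC 6125 a wildcard is honoured only as the whole left-most label and
# stands for exactly ONE label, so *.abc.com covers mail.abc.com but neither
# plc-ex02.abc.dom (other domain) nor exchange.cloud.abc.com (two labels).
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)][string]$CertName,   # CN or SAN entry, e.g. *.abc.com
        [Parameter(Mandatory)][string]$HostName    # name the client connected to
    )
    $cert   = $CertName.ToLowerInvariant().TrimEnd('.')
    $target = $HostName.ToLowerInvariant().TrimEnd('.')

    if ($cert -eq $target) { return $true }               # plain name, exact match
    if (-not $cert.StartsWith('*.')) { return $false }    # wildcard only as a "*." prefix

    $suffix = $cert.Substring(1)                          # "*.abc.com" -> ".abc.com"
    if ($suffix.Split('.').Count -lt 3) { return $false } # refuse "*.com"-style names
    if (-not $target.EndsWith($suffix)) { return $false } # different domain: no match

    $leftLabel = $target.Substring(0, $target.Length - $suffix.Length)
    # the wildcard must stand for exactly one non-empty label
    return ($leftLabel.Length -gt 0 -and -not $leftLabel.Contains('.'))
}

# Report, for every name a server is reached by, whether any certificate name covers it.
function Get-CertNameCoverage {
    param([string[]]$CertNames, [string[]]$HostNames)
    foreach ($h in $HostNames) {
        $hits = @($CertNames | Where-Object { Test-CertNameMatch -CertName $_ -HostName $h })
        [pscustomobject]@{
            HostName = $h
            Covered  = ($hits.Count -gt 0)
            Reason   = $(if ($hits.Count -gt 0) { "matches $($hits[0])" } else { 'no matching name -> Outlook warns' })
        }
    }
}

# Names from this thread: the purchased wildcard, and the hosts the server is reached by.
Get-CertNameCoverage -CertNames @('*.abc.com') `
    -HostNames @('mail.abc.com', 'owa.abc.com', 'plc-ex02.abc.dom', 'exchange.cloud.abc.com', 'abc.com') |
    Format-Table -AutoSize
```

On the Exchange server itself, `Get-ExchangeCertificate | Format-List Subject, CertificateDomains` lists the names a certificate actually carries, which is the list to pass as -CertNames.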
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 40233886
You cannot add your internal host names to a public certificate.
Since your external and internal DNS namespaces are different, your CAS external and internal URLs are also different, and the certificate only contains the external namespace, so your Outlook is getting warnings / errors.

All you need to do is use split DNS and configure all Exchange URLs with the public namespace only.
In split DNS, the internal and external DNS names remain the same; they resolve to the public IP over the internet and to the private IP within the corporate network.

Use the link below to configure all Exchange URLs; this includes OWA, ECP, ActiveSync, Autodiscover and so on.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
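An added example of the reconfiguration Mahesh describes (not code from the thread or from the linked guide), for the Exchange 2010 Management Shell. It assumes the CAS is PLC-EX02 as named above, that mail.abc.com is the public name chosen for all URLs (a placeholder), and that 10.0.0.5 is its private address (also a placeholder); the dnscmd lines are run on the internal Windows DNS server, not on Exchange.

```powershell
# Added example, not from the thread or the linked guide: give every
# client-facing Exchange 2010 URL the one public name the wildcard already
# covers, then make that name resolve internally (split DNS).
# Assumptions: CAS name PLC-EX02 (from the thread); mail.abc.com as the public
# name and 10.0.0.5 as its private address are placeholders.
$cas      = 'PLC-EX02'
$publicNs = 'mail.abc.com'
$base     = "https://$publicNs"
$site     = '(Default Web Site)'

# Internal URL == external URL for every virtual directory Outlook touches
Set-OwaVirtualDirectory         -Identity "$cas\owa $site" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory         -Identity "$cas\ecp $site" `
    -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$cas\Microsoft-Server-ActiveSync $site" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS $site" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$cas\OAB $site" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"

# Domain-joined Outlook finds Autodiscover through this SCP entry first, so it
# is the URL that triggers the warning while it still carries abc.dom
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# Outlook Anywhere (RPC over HTTPS) must present the same public name
Set-OutlookAnywhere -Identity "$cas\Rpc $site" -ExternalHostname $publicNs

# Verify: nothing Outlook is told should reference abc.dom any more
Get-OwaVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $cas | Format-List AutoDiscoverServiceInternalUri

# On the internal DNS server (dnscmd ships with the Windows DNS role): create an
# internal copy of the public zone and point the names at the private IP.
# Caveat: once this zone exists, every public abc.com host (www, etc.) must
# also be recreated in it, or internal clients stop resolving them.
dnscmd /ZoneAdd abc.com /DsPrimary
dnscmd /RecordAdd abc.com mail         A 10.0.0.5
dnscmd /RecordAdd abc.com autodiscover A 10.0.0.5
```

Outlook clients re-read Autodiscover on next start, so the alert disappears only after each profile has picked up the new URLs.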
LVL 16

Expert Comment

by:Enphyniti
ID: 40234597
@Mahesh - d'oh!  You're right.  I forgot that was changing.  Most CAs won't even issue them anymore.

I was thinking that would be easier than re-configuring Exchange, but I guess split DNS is the only option.
