Wildcard Certificate Security Alert "The Name on the security cert is invaild or does not match the name of the site"

I have purchased a Wild Card Certificate from Thwate and did the following on the Exchange server 2010:

Friendly Name = itservicesmailabc

Enable Wildcard Certificate = Checked on

Root domain for wildcard = *.abc.com

Services = IIS, SMTP

Self signed = false (why is that)

Status = The certificate is valid for exchange server usage

So after its installed the OWA and ActiveSync work on the ssl and so does outlook anywhere however anybody that opens there Outlook client on there PC they get a Security Alert saying that "The Name on the security cert is invalid or does not match the name of the site"

How can I make it so this doesn't pop up anymore?

I also have 2 other Exchange certs below the wildcard one:

one of them says Microsoft Exchange and the self signed says True, its also a valid cert for exchange usage and the services are for IMAP, POP, SMTP but I don't need it I think and why is the self signed True?

The last one is Blank but says its issued to WMSvc-(local servername) it also has a True Self Signed and is also valid for exchange server usage but has no services attached to it.

Please let me know if I should delete both those other certs and that will solve my problem
Neogeo147IT Systems AdminAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jon BrelieSystem ArchitectCommented:
Sounds like outlook is configured to just use "servername" when connecting to exchange, or your internal domain is not "abc.com"

Does your internal domain match the external domain you are using?
Neogeo147IT Systems AdminAuthor Commented:
well actually in my local DNS I have mydomain.com and mydomain.dom
Jon BrelieSystem ArchitectCommented:
In that case, your wild card certificate will not work for exchange internally.

You need a SAN cert that contains the names you are using under both:

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Self signed means it is an internally self-signed certificate.  That is, trusted internally but not externally.  The certificate from Thawte is not self-signed as it is signed by Thawte's root which is trusted internally and externally.
Neogeo147IT Systems AdminAuthor Commented:
sorry for the confusion, I just used abc.com as generic and should have stuck with it...

so going by just abc.com then I have the following in my DNS


does that still require a SAN cert, so am I screwed for the next 3 years on this wildcard cert?

I just want to get rid of the security alert
Jon BrelieSystem ArchitectCommented:
Oh okay.  Then that should work as long as you're always connecting to "servername.abc.local" and not servername.

If you look at your outlook profile, what is listed under the "Server" field?
Neogeo147IT Systems AdminAuthor Commented:
it is the local server name: plc-ex02.abc.dom
Jon BrelieSystem ArchitectCommented:
Oh wait.... sorry I misread your last comment.

your wildcard cert for *.abc.Com will not work for plc-ex02.abc.dom

You can still use your wildcard cert elsewhere, but for Exchange you will need a SAN cert that contains any name you use to access the server:

etc. etc..
Neogeo147IT Systems AdminAuthor Commented:
I thought the wild card cert was for adding any sub domain to it
Neogeo147IT Systems AdminAuthor Commented:
so if it won't work how can I get rid of the security alert, create a Group Policy to install the cert, something to get rid of this annoying cert.

Jon BrelieSystem ArchitectCommented:
Any subdomain - to one or the other.

As long as you're using .Com and .Dom they are two different domains.  Wildcard certs only work for ONE domain.

A UC/SAN cert is really the only appropriate way to fix the SSL alert.
Gareth Tomlinson CISSPNetwork and Security ManagerCommented:
Wildcards will only allow ONE extra term, so if you have *.abc.com  then exchange.abc.com is fine; however exchange.cloud.abc.com is not
You cannot add your internal HostNames in public certificate
Since your external and internal dns name space is different, your CAS external and internal URLs are also different and the certificate only contains external name space, your outlook is getting warning \ errors

All you need to do, use split dns and configure all Exchange URLs with public name space only
In split dns, internal and external dns names are remain same and can be resolved through public IP over internet and can be resolved through private IP within corporate network

Use below link to configures all Exchange URLs, this includes, owa. ecp, active sync, autodiscover and so on.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jon BrelieSystem ArchitectCommented:
@Mahesh - d'oh!  you're right.  I forgot that was changing.  Most CA's won't even issue them anymore.

I was thinking that would be easier than re-configuring Exchange, but I guess split DNS is the only option.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.