Solved

Wildcard Certificate Security Alert: "The name on the security cert is invalid or does not match the name of the site"

Posted on 2014-07-31
Last Modified: 2014-08-28
I have purchased a wildcard certificate from Thawte and did the following on the Exchange Server 2010:

Friendly Name = itservicesmailabc

Enable Wildcard Certificate = Checked on

Root domain for wildcard = *.abc.com

Services = IIS, SMTP

Self signed = False (why is that?)

Status = The certificate is valid for exchange server usage

So after it's installed, OWA and ActiveSync work over SSL and so does Outlook Anywhere; however, anybody who opens their Outlook client on their PC gets a Security Alert saying "The name on the security cert is invalid or does not match the name of the site".

How can I make it so this doesn't pop up anymore?

I also have 2 other Exchange certs below the wildcard one:

One of them says Microsoft Exchange and Self signed says True; it's also a valid cert for Exchange usage and the services are IMAP, POP, SMTP, but I don't think I need it. Why is Self signed True?

The last one is blank but says it's issued to WMSvc-(local servername); it also has Self signed = True and is also valid for Exchange server usage but has no services attached to it.

Please let me know if I should delete both those other certs and whether that will solve my problem.
Question by:Neogeo147
14 Comments

Expert Comment

by:Enphyniti
ID: 40232177
Sounds like Outlook is configured to just use "servername" when connecting to Exchange, or your internal domain is not "abc.com".

Does your internal domain match the external domain you are using?

Author Comment

by:Neogeo147
ID: 40232197
Well, actually in my local DNS I have mydomain.com and mydomain.dom.

Expert Comment

by:Enphyniti
ID: 40232204
In that case, your wildcard certificate will not work for Exchange internally.

You need a SAN cert that contains the names you are using under both:

abc.com
and
mydomain.com

Expert Comment

by:amac81
ID: 40232205
Self-signed means it is an internally self-signed certificate; that is, trusted internally but not externally. The certificate from Thawte is not self-signed, as it is signed by Thawte's root, which is trusted internally and externally.

Author Comment

by:Neogeo147
ID: 40232217
Sorry for the confusion; I just used abc.com as a generic name and should have stuck with it...

So, going by just abc.com, I have the following in my DNS:

abc.com
and
abc.dom

Does that still require a SAN cert? So am I screwed for the next 3 years on this wildcard cert?

I just want to get rid of the security alert.

Expert Comment

by:Enphyniti
ID: 40232226
Oh okay. Then that should work as long as you're always connecting to "servername.abc.local" and not "servername".

If you look at your outlook profile, what is listed under the "Server" field?

Author Comment

by:Neogeo147
ID: 40232240
It is the local server name: plc-ex02.abc.dom

Expert Comment

by:Enphyniti
ID: 40232273
Oh wait... sorry, I misread your last comment.

Your wildcard cert for *.abc.com will not work for plc-ex02.abc.dom.

You can still use your wildcard cert elsewhere, but for Exchange you will need a SAN cert that contains any name you use to access the server:

plc-ex02.abc.dom
mail.abc.com
OWA.abc.com
etc. etc..

Author Comment

by:Neogeo147
ID: 40232279
I thought the wildcard cert was for adding any subdomain to it.

Author Comment

by:Neogeo147
ID: 40232283
So if it won't work, how can I get rid of the security alert? Create a Group Policy to install the cert, or something to get rid of this annoying cert.

Thanks

Expert Comment

by:Enphyniti
ID: 40232353
Any subdomain of one or the other.

As long as you're using .com and .dom, they are two different domains. Wildcard certs only work for ONE domain.

A UC/SAN cert is really the only appropriate way to fix the SSL alert.

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233582
Wildcards will only allow ONE extra term, so if you have *.abc.com then exchange.abc.com is fine; however, exchange.cloud.abc.com is not.
Gareth

Accepted Solution

by:Mahesh (earned 500 total points)
ID: 40233886
You cannot add your internal hostnames to a public certificate.
Since your external and internal DNS namespaces are different, your CAS external and internal URLs are also different, and the certificate only contains the external namespace, so Outlook is getting warnings/errors.

All you need to do is use split DNS and configure all Exchange URLs with the public namespace only.
In split DNS, the internal and external DNS names remain the same; they resolve to the public IP over the internet and to a private IP within the corporate network.

Use the link below to configure all Exchange URLs; this includes OWA, ECP, ActiveSync, Autodiscover and so on.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
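
Worked example, added here as an illustration and not code from the question or from any of the replies: an Exchange Management Shell script that ties together Gareth's one-label rule and Mahesh's accepted answer. It lists the URLs Autodiscover currently hands to Outlook and checks each host against the names on the IIS certificate (a wildcard matches exactly one label in the leftmost position, so *.abc.com covers mail.abc.com and autodiscover.abc.com but not abc.com, exchange.cloud.abc.com or plc-ex02.abc.dom), confirms that split DNS resolves the public name inside the network, and then moves every internal and external URL to the public namespace. The server name plc-ex02 and the public name mail.abc.com are taken from the thread and are assumptions; the Exchange 2010 cmdlets used (Get-/Set-OwaVirtualDirectory, EcpVirtualDirectory, WebServicesVirtualDirectory, OabVirtualDirectory, ActiveSyncVirtualDirectory, Set-ClientAccessServer, Set-OutlookAnywhere, Get-ExchangeCertificate) are real, and nothing is changed until $Apply is set to $true.

```powershell
# Added example for this thread; not code from the question or any answer.
# Run in the Exchange Management Shell on the Exchange 2010 Client Access Server.
# Assumed (hypothetical) names from the thread: CAS 'plc-ex02', public name
# 'mail.abc.com', wildcard certificate '*.abc.com'. Read-only until $Apply = $true.
$Server     = 'plc-ex02'
$PublicHost = 'mail.abc.com'
$Apply      = $false

# Name matching the way Outlook and browsers do it: a wildcard stands for exactly
# one label, leftmost only. *.abc.com covers mail.abc.com but not abc.com,
# exchange.cloud.abc.com or plc-ex02.abc.dom (different domain entirely).
function Test-CertName {
    param([string]$CertName, [string]$Hostname)
    $c = $CertName.ToLowerInvariant()
    $h = $Hostname.ToLowerInvariant()
    if (-not $c.StartsWith('*.')) { return ($c -eq $h) }     # plain name: exact match
    $cLabels = $c.Split('.')
    $hLabels = $h.Split('.')
    if ($hLabels.Count -ne $cLabels.Count) { return $false }  # wildcard eats ONE label
    for ($i = 1; $i -lt $cLabels.Count; $i++) {               # rest must match label for label
        if ($cLabels[$i] -ne $hLabels[$i]) { return $false }
    }
    return $true
}

# 1. Names on the certificate(s) bound to IIS (CertificateDomains holds CN + SANs).
$certNames = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains }

# 2. The URLs Autodiscover hands to Outlook, as configured right now. Exchange's
#    defaults carry the server FQDN (plc-ex02.abc.dom), which no public
#    certificate can contain, and that mismatch is what the Security Alert reports.
$urls = @(
    (Get-OwaVirtualDirectory         -Server $Server).InternalUrl
    (Get-EcpVirtualDirectory         -Server $Server).InternalUrl
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    (Get-OabVirtualDirectory         -Server $Server).InternalUrl
    (Get-ActiveSyncVirtualDirectory  -Server $Server).InternalUrl
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
) | Where-Object { $_ }

foreach ($u in $urls) {
    $ok = $false
    foreach ($n in $certNames) { if (Test-CertName $n $u.Host) { $ok = $true } }
    '{0,-4} {1}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $u
}

# 3. Split DNS must resolve the public name to the CAS from inside the network.
#    If this prints the public IP, fix internal DNS before changing the URLs.
[System.Net.Dns]::GetHostAddresses($PublicHost) |
    ForEach-Object { "$PublicHost -> $($_.IPAddressToString)" }

# 4. Move every internal and external URL onto the public namespace (the accepted
#    answer). Exchange 2010's Set-OutlookAnywhere has an ExternalHostname only.
if ($Apply) {
    $base = "https://$PublicHost"
    Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
    Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
    Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    Set-ClientAccessServer          -Identity $Server -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
    Set-OutlookAnywhere             -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $PublicHost
}
```

Run it read-only first: every FAIL line names a URL whose host is not on the certificate, which on a default Exchange 2010 install is all of them. After the change Outlook picks the new URLs up at its next Autodiscover query, so the alert goes away without touching the clients or the wildcard certificate. The two self-signed certificates the question asks about are not involved: per the question they are bound to IMAP, POP and SMTP and to the IIS management service (WMSvc), not to the web service URLs above.
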

Expert Comment

by:Enphyniti
ID: 40234597
@Mahesh - d'oh! You're right. I forgot that was changing. Most CAs won't even issue them anymore.

I was thinking that would be easier than reconfiguring Exchange, but I guess split DNS is the only option.