Solved

Wildcard Certificate Security Alert "The Name on the security cert is invalid or does not match the name of the site"

Posted on 2014-07-31
Last Modified: 2014-08-28
I have purchased a wildcard certificate from Thawte and did the following on the Exchange Server 2010:

Friendly Name = itservicesmailabc

Enable Wildcard Certificate = Checked on

Root domain for wildcard = *.abc.com

Services = IIS, SMTP

Self signed = false (why is that?)

Status = The certificate is valid for exchange server usage

So after it's installed, OWA and ActiveSync work over SSL and so does Outlook Anywhere; however, anybody that opens their Outlook client on their PC gets a Security Alert saying "The Name on the security cert is invalid or does not match the name of the site".

How can I make it so this doesn't pop up anymore?

I also have 2 other Exchange certs below the wildcard one:

One of them says Microsoft Exchange and Self signed says True; it's also a valid cert for Exchange usage and the services are IMAP, POP, SMTP, but I don't think I need it, and why is Self signed True?

The last one is blank but says it's issued to WMSvc-(local servername); it also has Self signed = True and is also valid for Exchange server usage, but has no services attached to it.

Please let me know if I should delete both of those other certs and if that will solve my problem.
Question by: Neogeo147

Expert Comment by Enphyniti (ID: 40232177)
Sounds like Outlook is configured to just use "servername" when connecting to Exchange, or your internal domain is not "abc.com".

Does your internal domain match the external domain you are using?
Author Comment by Neogeo147 (ID: 40232197)
Well, actually in my local DNS I have mydomain.com and mydomain.dom.
Expert Comment by Enphyniti (ID: 40232204)
In that case, your wildcard certificate will not work for Exchange internally.

You need a SAN cert that contains the names you are using under both:

abc.com
and
mydomain.com
Expert Comment by amac81 (ID: 40232205)
Self signed means it is an internally self-signed certificate.  That is, trusted internally but not externally.  The certificate from Thawte is not self-signed as it is signed by Thawte's root which is trusted internally and externally.
Author Comment by Neogeo147 (ID: 40232217)
Sorry for the confusion, I just used abc.com as a generic name and should have stuck with it...

So going by just abc.com, I have the following in my DNS:

abc.com
and
abc.dom

Does that still require a SAN cert? So am I screwed for the next 3 years on this wildcard cert?

I just want to get rid of the security alert.
Expert Comment by Enphyniti (ID: 40232226)
Oh okay.  Then that should work as long as you're always connecting to "servername.abc.local" and not servername.

If you look at your outlook profile, what is listed under the "Server" field?
Author Comment by Neogeo147 (ID: 40232240)
It is the local server name: plc-ex02.abc.dom
Expert Comment by Enphyniti (ID: 40232273)
Oh wait... sorry, I misread your last comment.

Your wildcard cert for *.abc.com will not work for plc-ex02.abc.dom.

You can still use your wildcard cert elsewhere, but for Exchange you will need a SAN cert that contains any name you use to access the server:

plc-ex02.abc.dom
mail.abc.com
OWA.abc.com
etc. etc..
Author Comment by Neogeo147 (ID: 40232279)
I thought the wildcard cert was for adding any subdomain to it.
Author Comment by Neogeo147 (ID: 40232283)
So if it won't work, how can I get rid of the security alert? Create a Group Policy to install the cert, something to get rid of this annoying cert.

Thanks
Expert Comment by Enphyniti (ID: 40232353)
Any subdomain - to one or the other.

As long as you're using .com and .dom, they are two different domains. Wildcard certs only work for ONE domain.

A UC/SAN cert is really the only appropriate way to fix the SSL alert.
Expert Comment by Gareth Tomlinson CISSP (ID: 40233582)
Wildcards will only allow ONE extra term, so if you have *.abc.com then exchange.abc.com is fine; however, exchange.cloud.abc.com is not.
Gareth
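The rule in the two comments above (the asterisk covers exactly one label, and only within the same domain) is the one Outlook and browsers apply, and it can be checked mechanically before buying or installing a certificate. The following is an added example, not code from the thread: a PowerShell function that applies the single-label wildcard rule to the names the thread mentions. The certificate name *.abc.com and the hostnames are the thread's own; the function runs offline and queries no server.

```powershell
# Added example: applies the one-label wildcard rule to the names discussed in
# the thread. Not code from the original post; the hostnames are the thread's.

function Test-WildcardCertMatch {
    param(
        [Parameter(Mandatory=$true)] [string] $CertName,   # name in the cert, e.g. '*.abc.com'
        [Parameter(Mandatory=$true)] [string] $TargetName  # name the client connects to
    )
    # DNS names are case-insensitive, and a trailing dot is the same name.
    $cert   = $CertName.ToLowerInvariant().TrimEnd('.')
    $target = $TargetName.ToLowerInvariant().TrimEnd('.')

    # No wildcard: only an exact match counts.
    if (-not $cert.StartsWith('*.')) { return ($cert -eq $target) }

    $certLabels   = $cert.Split('.')
    $targetLabels = $target.Split('.')

    # The '*' stands for exactly one label, so the label counts must be equal.
    # This rejects exchange.cloud.abc.com (one label too many) and the bare
    # abc.com (one label too few) for *.abc.com.
    if ($targetLabels.Count -ne $certLabels.Count) { return $false }
    if ([string]::IsNullOrEmpty($targetLabels[0])) { return $false }

    # Every label to the right of the '*' must match exactly. This rejects
    # plc-ex02.abc.dom: abc.dom is a different domain from abc.com.
    for ($i = 1; $i -lt $certLabels.Count; $i++) {
        if ($certLabels[$i] -ne $targetLabels[$i]) { return $false }
    }
    return $true
}

# Names from the thread, checked against the thread's wildcard certificate.
$wildcard = '*.abc.com'
$names = @(
    'mail.abc.com',            # True  - one label under abc.com
    'OWA.abc.com',             # True  - case does not matter
    'exchange.cloud.abc.com',  # False - two labels under abc.com
    'abc.com',                 # False - the bare domain is not covered
    'plc-ex02.abc.dom'         # False - different domain (.dom, not .com)
)
foreach ($n in $names) {
    '{0,-26} {1}' -f $n, (Test-WildcardCertMatch -CertName $wildcard -TargetName $n)
}

# To test the certificate actually bound on the CAS instead of a literal, feed its
# SAN list into the same function (thumbprint is a placeholder you fill in):
#   $domains = (Get-ExchangeCertificate -Thumbprint '<thumbprint>').CertificateDomains
#   foreach ($d in $domains) { Test-WildcardCertMatch -CertName $d -TargetName 'plc-ex02.abc.dom' }
```

Run this for every name Outlook will ever be handed (the Autodiscover SCP URI, the EWS, OAB and OWA URLs, the Outlook Anywhere hostname): a single False in that list is enough to produce the alert in the question, which is why fixing the URLs matters more than which certificate is installed.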
Accepted Solution by Mahesh (earned 500 total points; ID: 40233886)
You cannot add your internal hostnames to a public certificate.
Since your external and internal DNS namespaces are different, your CAS external and internal URLs are also different, and the certificate only contains the external namespace, so your Outlook is getting warnings/errors.

All you need to do is use split DNS and configure all Exchange URLs with the public namespace only.
In split DNS, the internal and external DNS names remain the same; they resolve to the public IP over the internet and to the private IP within the corporate network.

Use the link below to configure all Exchange URLs; this includes OWA, ECP, ActiveSync, Autodiscover and so on.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
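The accepted answer is a procedure: make every URL Outlook learns from Exchange use the public namespace the certificate covers, and make that namespace resolve inside the network. Below is an added example of that procedure as Exchange Management Shell commands for Exchange 2010; it is not from the thread or from the linked article. Values the thread does not state and that are assumed here: mail.abc.com as the single client-facing name, autodiscover.abc.com for Autodiscover (both covered by *.abc.com), plc-ex02 as the Client Access Server, and 10.0.0.10 as its internal address.

```powershell
# Added example (Exchange Management Shell, Exchange 2010): move every client URL
# to the public namespace the certificate covers, then publish that namespace on
# the internal DNS so the same names resolve inside (split DNS).
# Assumed values, not from the thread: mail.abc.com, autodiscover.abc.com, 10.0.0.10.
$Server     = 'plc-ex02'               # CAS name from the thread
$PublicFqdn = 'mail.abc.com'           # assumed public name, covered by *.abc.com
$AutoDFqdn  = 'autodiscover.abc.com'   # assumed, also covered by *.abc.com
$InternalIp = '10.0.0.10'              # assumed internal IP of the CAS
$Base       = "https://$PublicFqdn"

# 1. Client Access virtual directories: internal and external URLs use the same
#    public name. A URL on plc-ex02.abc.dom is exactly what Outlook warns about,
#    because no public CA will put a name under .dom into the certificate.
Get-OwaVirtualDirectory         -Server $Server | Set-OwaVirtualDirectory         -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory         -Server $Server | Set-EcpVirtualDirectory         -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-ActiveSyncVirtualDirectory  -Server $Server | Set-ActiveSyncVirtualDirectory  -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"

# 2. Autodiscover. Domain-joined Outlook finds the service through the SCP in
#    Active Directory, which by default points at the server's .dom name; this
#    is usually the first HTTPS connection that raises the name-mismatch alert.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$AutoDFqdn/Autodiscover/Autodiscover.xml"

# 3. Outlook Anywhere uses the same public name.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $PublicFqdn

# 4. Split DNS on the internal DNS server: an AD-integrated copy of abc.com whose
#    records point at private addresses. Run these on the DC/DNS server.
dnscmd /ZoneAdd abc.com /DsPrimary
dnscmd /RecordAdd abc.com mail         A $InternalIp
dnscmd /RecordAdd abc.com autodiscover A $InternalIp

# 5. Make IIS pick up the new URLs, then confirm nothing still references .dom.
iisreset /noforce
Get-OwaVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer  -Identity $Server | Format-List AutoDiscoverServiceInternalUri
```

Two caveats before running step 4: once an internal abc.com zone exists, internal clients no longer see the public zone, so every public record they need (www, MX targets, anything else under abc.com) has to be recreated in the internal copy or it will stop resolving from inside. And the two self-signed certificates in the question are not involved in this alert: the one named Microsoft Exchange is the default certificate Hub Transport uses for TLS between Exchange servers, and WMSvc-<servername> belongs to the IIS Web Management Service; neither is presented to Outlook, so deleting them will not remove the warning and removing the first can break server-to-server mail flow.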
Expert Comment by Enphyniti (ID: 40234597)
@Mahesh - d'oh! You're right. I forgot that was changing. Most CAs won't even issue them anymore.

I was thinking that would be easier than re-configuring Exchange, but I guess split DNS is the only option.