071171

Use self signed certificate with EWS

Have a vendor that wants to set up syncing between his hosted server app and my customer's SBS 2011 server's Exchange public folder contacts using EWS. He said a self-signed certificate should be fine. When I go into the Certificate Authority MMC on the SBS server, I see what I assume is the default self-signed cert. Can I use this and link it to EWS for this purpose?
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
This solution is only available to members.
Just to chip in, you can find the current self-signed IIS certificate and distribution package here:

\\SERVERNAME\Public\Downloads

I would look at getting a trusted cert as Simon suggested.
071171

ASKER

Simon - I have a SAN cert from GoDaddy. The primary name is mail.externaldomain.com. The SANs are www.mail.externaldomain.com (this somehow got dumped in by creation at GoDaddy), externaldomain.com, autodiscover.externaldomain.com, servername.internaldomain.local, and internaldomain.local. I figured I would just leave the SAN alone instead of having to rekey it and just use a self-signed SSL if possible. I understand that with the next SSL I will have to give up the .local and then somehow point them to the external .com. I usually have a heck of a time with the SSLs and didn't want to press my luck. Does EWS.externaldomain.com have to be called out at my DNS host like mail.externaldomain.com does?
071171

ASKER

Simon - Also, is there a way I can see what services are currently bound to the external SSL without going through the wizard and possibly breaking something? Can EWS be bound to the SSL without EWS.externaldomain.com being named as one of the SANs? Thx.
If you already have an SSL certificate in place, then you have NOTHING to do to use it with EWS.
You just need to get the developer to use the common name listed on the certificate.

As I wrote above, the certificate is not bound to services within Exchange, like ActiveSync, EWS, and Outlook Anywhere, but to protocols. EWS is part of the IIS service, and therefore is already in place.

Simon.
071171

ASKER

Simon - Thanks for responding back. I remember that when I installed the certificate, during the wizard I had to choose which services to bind and the URL for each. How do I check to see if EWS has been connected to the common name, mail.externaldomain.com? This has all come about because one of my customer's vendors needs to sync contacts in a hosted server app with public folder contacts in my client's SBS 2011 server. The vendor said the app allows for using EWS to do this. He asked me for the URL for MS Web Services, and I gave him mail.externaldomain.com. I created a Windows user for him to use to authenticate that has the default Reviewer access to the public contacts folder. He said he can get in but he gets the following error:

at depth 1 - 20: unable to get local issuer certificate
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I'm sure I'm not using the correct term when describing EWS and its configuration with the external SSL cert. What I'm referring to is the process during the cert import in the following link:

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/
If this is SBS 2011, then you should have installed the certificate with the wizard in the SBS console, NOT the wizard in the Exchange console.
However it doesn't matter which one you use, they both work in the same way, binding a certificate to the IIS service, which EWS uses.

The error you have posted is usually a sign that either you haven't installed the intermediate certificate required by GoDaddy or the machine being tested on isn't up to date on its root certificates.

Simon.
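
The two causes named in the last reply can be reproduced offline with Ruby's OpenSSL bindings, the same library that raised the vendor's error. This is an added example, not part of the original thread: it builds a constructed root, intermediate and server certificate in memory (all keys, CA names and the helper names `make_cert`, `check_chain` and `demo_chain` are assumptions made for the demo) and shows which verification error and depth a client sees in each case.

```ruby
require "openssl"

# Build one certificate; all names and keys here are constructed for the demo.
def make_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  if ca # CA certificates need basicConstraints CA:TRUE to be accepted as issuers
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` the way a TLS client does: `sent` holds the extra certificates
# the server presented, `trusted` the roots in the client's local store.
# Returns [ok, error_code, error_depth, error_string].
def check_chain(leaf, sent, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_depth, ctx.error_string]
end

# Constructed three-certificate chain: root -> intermediate -> server cert.
def demo_chain
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("Constructed Root CA", rk, nil, nil, ca: true, serial: 1)
  inter = make_cert("Constructed Intermediate CA", ik, root, rk, ca: true, serial: 2)
  leaf = make_cert("mail.externaldomain.com", lk, inter, ik, ca: false, serial: 3)
  { root: root, inter: inter, leaf: leaf }
end

if __FILE__ == $PROGRAM_NAME
  c = demo_chain
  {
    "server omits intermediate" => check_chain(c[:leaf], [], [c[:root]]),
    "client store lacks the root" => check_chain(c[:leaf], [c[:inter]], []),
    "full chain, root trusted" => check_chain(c[:leaf], [c[:inter]], [c[:root]])
  }.each { |name, r| puts "#{name}: #{r.inspect}" }
end
```

Depth counts up from the server certificate (depth 0), so "depth 1 - 20" means the client could not find the issuer of the first CA certificate above the server certificate, either among the certificates the server sent or in its own trust store.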