Solved

Use self signed certificate with EWS

Posted on 2014-08-14
Last Modified: 2014-09-28
Have a vendor that wants to set up syncing between his hosted server app and my customer's SBS 2011 server's Exchange public folder contacts using EWS.  He said a self-signed certificate should be fine.  When I go into the Certificate Authority MMC on the SBS server, I see what I assume is the default self-signed cert.  Can I use this and link it to EWS for this purpose?
0
Question by:071171
7 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 40260160
You don't bind SSL certificates to specific services in Exchange; they are bound to the web site.
Therefore you will already have a self-signed certificate in place, as one is installed by SBS during the setup and then when the wizards are run. The certificate will cover all web services, so that includes RWW, OWA, ActiveSync, Outlook Anywhere and EWS.
Don't do SSL work in the SSL MMC; either do it through the SBS management console or the Exchange management console.

However the self signed certificate isn't really designed for production use, and should really be changed for a trusted certificate. A suitable certificate is less than US$80/year.
http://semb.ee/sbs2011ssl

Simon.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 40260899
Just to chip in, you can find the current self signed IIS Certificate and distribution package here:

\\SERVERNAME\Public\Downloads

I would look at getting a trusted cert as Simon suggested.
0
 

Author Comment

by:071171
ID: 40262182
Simon - I have a SAN cert from GoDaddy. The primary name is mail.externaldomain.com. The SANs are www.mail.externaldomain.com (this somehow got dumped in by creation at GoDaddy), externaldomain.com, autodiscover.externaldomain.com, servername.internaldomain.local, and internaldomain.local.  I figured I would just leave the SAN alone instead of having to rekey it and just use a self-signed SSL if possible.  I understand that with the next SSL I will have to give up the .local and then somehow point them to the external .com.  I usually have a heck of a time with the SSLs and didn't want to press my luck.  Does EWS.externaldomain.com have to be called out at my DNS host like mail.externaldomain.com does?
0
 

Author Comment

by:071171
ID: 40262200
Simon - Also, is there a way I can see what services are currently bound to the external SSL without going through the wizard and possibly breaking something?  Can EWS be bound to the SSL without EWS.externaldomain.com being named as one of the SANs? Thx.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40265112
If you already have an SSL certificate in place, then you have NOTHING to do to use it with EWS.
You just need to get the developer to use the common name listed on the certificate.

As I wrote above, the certificate is not bound to services within Exchange, like ActiveSync, EWS, and Outlook Anywhere, but to protocols. EWS is part of the IIS service, and therefore is already in place.

Simon.
0
 

Author Comment

by:071171
ID: 40265162
Simon - Thanks for responding back.  I remember that when I installed the certificate, during the wizard I had to choose which services to bind and the url for each.  How do I check to see if EWS has been connected to the common name, mail.externaldomain.com? This has all come about because one of my customer's vendors needs to sync contacts in a hosted server app with a public folder contacts in my client's SBS 2011 server.  The vendor said the app allows for using EWS to do this.  He asked me for the url for MS Web Services, and I gave him mail.externaldomain.com.  I created a Windows user for him to use to authenticate that has the default Reviewer access to the public contacts folder. He said he can get in but he gets the following error:

at depth 1 - 20: unable to get local issuer certificate
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I'm sure I'm not using the correct term when describing EWS and its configuration with the external SSL cert. What I'm referring to is the process during the cert import in the following link:

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40268832
If this is SBS 2011, then you should have installed the certificate with the wizard in the SBS console, NOT the wizard in the Exchange console.
However it doesn't matter which one you use, they both work in the same way, binding a certificate to the IIS service, which EWS uses.

The error you have posted is usually a sign that either you haven't installed the intermediate certificate required by GoDaddy or the machine being tested on isn't up to date on its root certificates.

Simon.
0
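
The two causes named in the last answer can be told apart by the depth OpenSSL reports alongside error 20. The Ruby sketch below is an added example, not code from this thread or from the vendor's app: it builds a constructed root, intermediate and server certificate (all names made up; `issue`, `check` and `report` are hypothetical helpers) and verifies the chain the way a client would.

```ruby
require "openssl"

# Constructed test PKI (root -> intermediate -> server); nothing here is a real CA.
def issue(cn, issuer_cert = nil, issuer_key = nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = Random.rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca # CA certificates must carry basicConstraints CA:TRUE to be usable as issuers
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

ROOT, ROOT_KEY   = issue("Constructed Root CA", ca: true)
INTER, INTER_KEY = issue("Constructed Intermediate CA", ROOT, ROOT_KEY, ca: true)
SERVER, _        = issue("mail.externaldomain.com", INTER, INTER_KEY)

# presented:     certificates the server sends, leaf first
# trusted_roots: the client's root store
# Returns [ok, error_code, error_depth, error_string].
def check(presented, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  leaf, *extras = presented
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, extras)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_depth, ctx.error_string]
end

def report
  {
    "server omits intermediate"      => check([SERVER], [ROOT]),
    "client root store lacks the CA" => check([SERVER, INTER], []),
    "full chain, root trusted"       => check([SERVER, INTER], [ROOT]),
  }
end

report.each { |name, r| puts format("%-32s ok=%-5s code=%-2d depth=%d %s", name, *r) }
```

The depth is the position in the presented chain of the certificate whose issuer could not be found, with the server certificate at depth 0. In a real chain with more than one intermediate, depth 1 can also mean a further intermediate is missing, so compare it with the certificates the server actually sends.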
