Use self signed certificate with EWS

Have vendor that wants to setup syncing between his hosted server app and my customer's SBS 2011 server's Exchange public folder contacts using EWS.  He said a self signed certificate should be fine.  When I go into Certificate Authority mmc on SBS server, I see what I assume is the default self signed cert.  Can I use this and link it to EWS for this purpose?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
You don't bind SSL certificates to specific services in Exchange, it is bound to the web site.
Therefore you will already have a self signed certificate in place, as one is installed by SBS during the setup and then when the wizards are run. The certificate will cover all web services, so that includes RWW, OWA, ActiveSync, Outlook Anywhere and EWS.
Don't do SSL work in SSL MMC, either do it through the SBS management console or the Exchange management console.

However the self signed certificate isn't really designed for production use, and should really be changed for a trusted certificate. A suitable certificate is less than US$80/year.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David AtkinTechnical DirectorCommented:
Just to chip in, you can find the current self signed IIS Certificate and distribution package here:


I would look at getting a trust cert as Simon suggested.
071171Author Commented:
Simon - I have a SAN cert from GoDaddy. The primary name is The SAN's are (this somehow got dumped in by creation at GoDaddy),,, servername.internaldomain.local, and internaldomain.local.  I figured I would just leave the SAN alone instead of having to rekey it and just use an self-signed SSL if possible.  i understand that the next SSL I will have to give up the .local and then somehow point them to the external .com.  I usually have a heck of a time with the SSL's and didn't want to press my luck.  Does have to be called out at my DNS host like does?
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

071171Author Commented:
Simon - Also, is there a way I can see what services are currently bound to the external SSL without going through the wizard and possibly breaking something?  Can EWS be bound to the SSL without being named as one of the SAN's? Thx.
Simon Butler (Sembee)ConsultantCommented:
If you already have an SSL certificate in place, then you have NOTHING to do to use it with EWS.
You just need to get the developer to use the common name listed on the certificate.

As I wrote above, the certificate is not bound to services within Exchange, like ActiveSync, EWS, and Outlook Anywhere, but to protocols. EWS is part of the IIS service, and therefore is already in place.

071171Author Commented:
Simon - Thanks for responding back.  I remember that when I installed the certificate, during the wizard I had to choose which services to bind and the url for each.  How do I check to see if EWS has been connected to the common name, This has all come about because one of my customer's vendors needs to sync contacts in a hosted server app with a public folder contacts in my client's SBS 2011 server.  The vendor said the app allows for using EWS to do this.  He asked me for the url for MS Web Services, and I gave him  I created a Windows user for him to use to authenticate that has the default Reviewer access to the public contacts folder. He said he can get in but he gets the following error:

at depth 1 - 20: unable to get local issuer certificate
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I'm sure I'm not using the correct term when describing EWS and its configuration with the external SSL cert. What I'm referring to the process during the cert import in the following link:
Simon Butler (Sembee)ConsultantCommented:
If this is SBS 2011, then you should have installed the certificate with the wizard in the SBS console, NOT the wizard in the Exchange console.
However it doesn't matter which one you use, they both work in the same way, binding a certificate to the IIS service, which EWS uses.

The error you have posted is usually a sign that either you haven't installed the intermediate certificate required by GoDaddy or the machine being tested on isn't up to date on its root certificates.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.