Installed SSL certificate and still get security error on Outlook

Exchange 2013 Outlook 2013
I am getting a security alert when Outlook connects to Exchange.
"The name on the security certificate is invalid or does not match the name of the site"

How do I get rid of it? I purchased an SSL certificate; how do I get Outlook to look for that certificate?
jplatovsky Asked:

tigermatt Commented:
What name does it show Outlook attempting to connect to?
What names did you purchase in the certificate?

This is typically caused by one of the URLs Exchange is directing Outlook to connect to being an internal URL, which is not listed on the certificate and will therefore generate a warning.

Simon (Sembee) has an article with all the relevant changes necessary to properly configure Exchange to make this problem go away:
http://semb.ee/hostnames2013
Will Szymkowski, Senior Solution Architect, Commented:
As stated, this is due to an incorrectly configured virtual directory. What I would recommend is to check all of your virtual directories and make sure that they are configured to use https://mail.domain.com/... This should be done for both internal and external URLs so that this is simplified and there is no need to connect using the Exchange server's internal name.

Make sure that on your SSL cert that you have the following...
autodiscover.domain.com
mail.domain.com

You will also need to make sure that you enable the certificate on all of the CAS servers, after you have imported the certificate using either IIS or Certificate MMC. Use the below command to enable the certificate for Exchange.
Get-ExchangeCertificate | ft

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxx -services "pop,imap,smtp,iis"
Click Y to accept the changes

Once you have completed this you will need to change all of your virtual directories to https://mail.domain.com/owa, /oab, etc. You will also need split DNS configured for your external FQDN.

All you need to do for this is create a new zone for
externaldomain.com
- create an A (host) record for mail.domain.com pointing to your CAS box or load balancer IP (if you have one)

You can then use the below command to remove the old certificate as well...
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxx

That is it

Will.
Deepin, Infrastructure Engineer, Commented:
Try using this link to verify you've changed the Exchange virtual directories

https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

jplatovsky (Author) Commented:
The name in the certificate is: mail.company.com
The certificate that is being called is the default using the machine name. Where do I change that information? There is a proxy server error now. Error 10
tigermatt Commented:
There are a large number of URLs you need to change.
Sembee's article covers all the necessary commands: http://semb.ee/hostnames2013

"the name in the certificate is: mail.company.com"
Did you purchase a Subject Alternative Name (SAN) certificate which includes the name autodiscover.company.com?

If not (i.e. you only have a single name certificate), and you wish to use Autodiscover services externally for automatic Outlook configuration, you will need to take the SRV record approach (scenario 2 in the link) as and when you configure this.
jplatovsky (Author) Commented:
Took care of mail.company.com.
Autodiscover does not seem to be resolved. I created the SRV record locally as well as creating it externally.
Still nothing. I would like to have one certificate and not have another one. But if anyone has any other suggestions (BTW they were amazing ones) it would be helpful.
tigermatt Commented:
"autodiscover does not seem to be resolved. I created the SRV record locally as well as creating it externally."
Did you set the URLs as per the article of Sembee's which I linked? In particular, it is important that you have set the "AutodiscoverServiceInternalUri" of each client access server to use a name present on the certificate; this URL is used by internal (i.e. domain-joined) clients to obtain the location of the Autodiscover service, and hence you will receive security warnings if that is not correct.

You should also ensure any autodiscover.company.com records have been deleted from your internal and external DNS; Outlook will use those in preference to any SRV records which exist, and since you don't have the name listed on the SSL certificate, this will also produce a warning.
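
A read-only audit of the points raised in this thread, added here as an example and not posted by any participant: it lists every client-facing URL and hostname (virtual directories, Outlook Anywhere and AutoDiscoverServiceInternalUri) and flags those not covered by the certificate enabled for IIS. It assumes the Exchange 2013 Management Shell; the helper names Test-NameOnCert and Add-Check are made up for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Names on the CA-issued certificate(s) enabled for IIS. Self-signed
# certificates are skipped: the default one carries the machine name.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and -not $_.IsSelfSigned } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)

function Test-NameOnCert([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        # A wildcard name covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $h.EndsWith($n.Substring(1)) -and
            $h.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

$found = New-Object System.Collections.ArrayList
function Add-Check($Server, $Setting, $Value) {
    $text = "$Value"
    if (-not $text) { return }                    # unset URL: nothing to test
    # URLs are reduced to their host part; Outlook Anywhere stores bare hostnames.
    $hostPart = if ($text -match '^https?://') { ([uri]$text).Host } else { $text }
    [void]$found.Add([pscustomobject]@{
        Server = "$Server"; Setting = $Setting; HostName = $hostPart
        OnCertificate = (Test-NameOnCert $hostPart) })
}

Get-ClientAccessServer | ForEach-Object {
    Add-Check $_.Name 'AutoDiscoverServiceInternalUri' $_.AutoDiscoverServiceInternalUri }

$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vdir in (& $cmdlet)) {
        Add-Check $vdir.Server "$cmdlet InternalUrl" $vdir.InternalUrl
        Add-Check $vdir.Server "$cmdlet ExternalUrl" $vdir.ExternalUrl
    }
}
foreach ($oa in (Get-OutlookAnywhere)) {
    Add-Check $oa.Server 'OutlookAnywhere InternalHostname' $oa.InternalHostname
    Add-Check $oa.Server 'OutlookAnywhere ExternalHostname' $oa.ExternalHostname
}

# Rows with OnCertificate = False are the names Outlook will warn about.
$found | Sort-Object OnCertificate, Server | Format-Table -AutoSize
```

The script only reads configuration; any row showing False still has to be corrected with the matching Set- cmdlet as described in the linked articles.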