Exchange domain.local SSL cert. mail.domain.com Cert Error

With the changes of SSL not allowing domain.local addresses,
we updated our SSL cert to be mail.domain.com

Email flows perfectly but..

On our network, Outlook clients are showing cert errors, as they are referencing
the mail.domain.local name, not the mail.domain.com, which is listed on the new cert.

This is for Exchange 2010 running on Server 2008 R2 Standard.
ParisBP asked:

Jody Whitlock, System Administrator, commented:
Honestly, for any internal systems, I would create an Enterprise CA on your domain controller and have the servers auto-enroll that way, so you would have .local SSL certificates available to your internal clients and have your traffic secured.
When you create the Enterprise CA, it gets published in AD and added to domain members automagically.
0
ParisBP (Author) commented:
Enterprise CA: I've read a bunch of things so far. Is there a set of instructions specific to this need
that you can offer?

A certain template? Autoenrollment?
0
Jody Whitlock, System Administrator, commented:
0

ParisBP (Author) commented:
Still getting cert errors on Outlook clients internally.

*Correction: the server is 2008, not R2.
0
Jody Whitlock, System Administrator, commented:
OK, go through this article, "Building an Enterprise Root Certification Authority in Small and Medium Businesses", and see if there's a step that I forgot about, but all in all it should be pretty automagic. Maybe reboot the client and re-issue the cert to the Exchange server.
0
Paul Wagner, Friend To Robots and Rocks, commented:
@ParisBP

We (my company) ran into the same exact problem... weird problem to deal with, right?

The solution we opted for was to change all of the internal OWA, ECP, etc. addresses to the external address. That way, your internal and external clients will be going to the same URL.

You will need to add split DNS on your internal DNS so that if people on the INTRAnet go to mail.domain.com, it routes them to the private IP of your Exchange (most people I know already have this).

One other shortfall is that people will have to reconfigure their Outlook profile (i.e., delete the profile and rebuild it). Hopefully, Autodiscover works fine for you and they can easily rebuild it. I'm sure you can throw together a few screenshots.

This is a one-time event that will not happen again. That is the justification we gave all of our people, and the "suits and ties" upstairs, for having to rebuild the profiles... "Yes, this is frustrating, but the CAB Forum forced this change on us and luckily, we have a solution." My company is smaller, though (100+ people). If you work in a large enterprise, that might not be so easy.

This article is spot on for what you need. It worked for us.
http://www.wsit.ca/how-tos/exchange-server-2/configure-split-dns-and-exchange-2013-virtual-directories/
2
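The change Paul describes, as an added example (not from the linked article or any poster): point the Exchange 2010 virtual directories at the public name, create a pinpoint split-DNS zone, and verify which names the IIS certificate covers. It goes slightly beyond the post by also setting the Autodiscover SCP and Outlook Anywhere hostname, since internal Outlook gets its URLs from those; the server name EXCH01 and the IP 10.0.0.25 are assumed placeholders.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 CAS server.
# ASSUMED values - replace with your own:
$Cas      = "EXCH01"            # internal CAS server name (assumed)
$External = "mail.domain.com"   # name on the public cert (from the question)
$Ip       = "10.0.0.25"         # private IP of the CAS (constructed placeholder)

# 1. Make internal and external URLs identical, so every client uses the
#    name that is actually on the certificate.
$Base = "https://$External"
Set-OwaVirtualDirectory         -Identity "$Cas\owa (Default Web Site)" `
    -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory         -Identity "$Cas\ecp (Default Web Site)" `
    -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# 2. Domain-joined Outlook finds Autodiscover through the SCP in AD; if that
#    still says mail.domain.local, the cert warning persists after profile rebuild.
#    The name used here must be a SAN on the certificate.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 3. Outlook Anywhere (RPC over HTTPS) advertises its own hostname.
Set-OutlookAnywhere -Identity "$Cas\Rpc (Default Web Site)" -ExternalHostname $External

# 4. Split DNS: a "pinpoint" zone for just mail.domain.com, so the internal
#    DNS server answers with the private IP without hosting all of domain.com.
#    Run on the internal DNS server (dnscmd ships with Server 2008).
dnscmd /ZoneAdd $External /DsPrimary
dnscmd /RecordAdd $External "@" A $Ip

# 5. Verify: which cert is bound to IIS and which names it actually covers
#    (mail.domain.com and autodiscover.domain.com should both be listed).
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, NotAfter, Thumbprint
Get-ClientAccessServer -Identity $Cas | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Cas | Format-List InternalUrl, ExternalUrl
```

After the change, recycle the IIS application pools or run iisreset, then use Outlook's "Test Email AutoConfiguration" (Ctrl+right-click the tray icon) to confirm the URLs it receives all use mail.domain.com.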

Will Szymkowski, Senior Solution Architect, commented:
@Paul thanks for the reference!

<3

Will.
0
ParisBP (Author) commented:
Close for use @Paul.

DNS ping internally to mail.com check.

Created a new profile, and I'm still getting the cert error, referencing exchange.local.
0
Will Szymkowski, Senior Solution Architect, commented:
Does this happen for all users? If it does not, it's likely a caching issue somewhere, i.e. try creating a new Windows profile.

If this is in fact affecting all users, try running "Test Email AutoConfiguration" from the Outlook client. This will tell you what you are using for Autodiscover and also what virtual directories you are pointing to.

Will.
0
ParisBP (Author) commented:
OK.. using GoDaddy. I added the SAN autodiscover,

as it was not on the original SSL.

I redownloaded the updated cert...

How do I replace the one installed on the server so it has the autodiscover?

Or should I have regenerated the req from scratch?
0
ParisBP (Author) commented:
It was a combination of fixes, starting with the CA cert. @Paul was right on, and Will tipped me off with the autodiscover note.. Thanks Experts!!!
0