Exchange domain.local SSL cert. Cert Error

With the changes of SSL not allowing domain.local addresses,
we updated our SSL cert to be

Email flows perfectly but..

On our network, Outlook clients are showing cert errors, as they are referencing
the mail.domain.local name, not the, which is listed on the new cert.

This is for exchange 2010 running on Server 2008 R2 standard.
Jody Whitlock (System Administrator) commented:
Honestly, for any internal systems, I would create an Enterprise CA on your domain controller and have the servers auto-enroll. That way you would have .local SSL certificates available to your internal clients and have your traffic secured.
When you create the Enterprise CA, it gets published in AD and added to domain members automagically.
ParisBP (Author) commented:
Enterprise CA, read a bunch of things so far. Is there a set of instructions specific to this need you can offer?

Certain template? Autoenrollment?
Jody Whitlock (System Administrator) commented:
ParisBP (Author) commented:
Still getting cert errors on Outlook clients internally.

*Correction: Server is 2008, not R2.
Jody Whitlock (System Administrator) commented:
Ok, go through this article, "Building an Enterprise Root Certification Authority in Small and Medium Businesses", and see if there's a step that I forgot about, but in all it should be pretty automagic. Maybe reboot the client and re-issue the cert to the Exchange server.
Paul Wagner (Friend To Robots and Rocks) commented:

We (my company) ran into the same exact problem... weird problem to deal with, right?

The solution we opted for was to change all of the internal OWA, ECP, etc. addresses to the external address. That way, your internal and external clients will be going to the same URL.

You will need to add a split DNS on your internal DNS so that if people on the INTRAnet go to, it routes them to the private IP of your Exchange (most people I know already have this).

One other shortfall is that people will have to reconfigure their Outlook profile (i.e., delete the profile and rebuild it). Hopefully, autodiscover works fine for you and they can easily rebuild it. I'm sure you can throw together a few screenshots.

This is a one-time event that will not happen again. That is the justification we gave all of our people, and the "suits and ties" upstairs for having to rebuild the profiles.... "Yes, this is frustrating, but the CAB forum forced this change on us and luckily, we have a solution." My company is smaller, though (100+ people). If you work in a large enterprise, that might not be so easy.

This article is spot on for what you need. It worked for us.
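The URL change Paul describes, as an added example that is not code from the thread: it repoints every Exchange 2010 virtual directory's InternalUrl (plus Autodiscover and Outlook Anywhere) at the public name on the new SAN cert, then checks that nothing still hands out a .local name and that the public name resolves to a private IP (the split-DNS part). The hostnames mail.example.com and autodiscover.example.com are placeholders; run it in the Exchange Management Shell on the Client Access server.

```powershell
# Added example (not from the thread). Hostnames are constructed placeholders.
$PublicHost = "mail.example.com"            # name on the public cert (placeholder)
$AutoDHost  = "autodiscover.example.com"    # Autodiscover SAN on the cert (placeholder)
$Cas        = $env:COMPUTERNAME             # Client Access server being reconfigured

# Point each service's internal URL at the public name so internal and
# external clients use the same hostname (the one the cert actually covers).
Get-OwaVirtualDirectory         -Server $Cas | Set-OwaVirtualDirectory         -InternalUrl "https://$PublicHost/owa"
Get-EcpVirtualDirectory         -Server $Cas | Set-EcpVirtualDirectory         -InternalUrl "https://$PublicHost/ecp"
Get-WebServicesVirtualDirectory -Server $Cas | Set-WebServicesVirtualDirectory -InternalUrl "https://$PublicHost/EWS/Exchange.asmx"
Get-OabVirtualDirectory         -Server $Cas | Set-OabVirtualDirectory         -InternalUrl "https://$PublicHost/OAB"
Get-ActiveSyncVirtualDirectory  -Server $Cas | Set-ActiveSyncVirtualDirectory  -InternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"

# Autodiscover is a property of the CAS object, not a virtual directory;
# Outlook Anywhere on Exchange 2010 only has an external hostname to set.
Set-ClientAccessServer -Identity $Cas -AutoDiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"
Get-OutlookAnywhere -Server $Cas | Set-OutlookAnywhere -ExternalHostname $PublicHost

# Check 1: no URL Outlook can be handed still references a .local name.
$Urls = @(
    (Get-OwaVirtualDirectory         -Server $Cas).InternalUrl
    (Get-EcpVirtualDirectory         -Server $Cas).InternalUrl
    (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl
    (Get-OabVirtualDirectory         -Server $Cas).InternalUrl
    (Get-ActiveSyncVirtualDirectory  -Server $Cas).InternalUrl
    (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
)
$Urls | Where-Object { "$_" -match '\.local(/|$)' } |
    ForEach-Object { Write-Warning "Still points at an internal-only name: $_" }

# Check 2 (split DNS): from inside the network the public name must resolve
# to the Exchange server's private IP, or clients will go out and back in.
[System.Net.Dns]::GetHostAddresses($PublicHost) | ForEach-Object { $_.IPAddressToString }
```

Existing Outlook profiles still have to be rebuilt afterwards, as Paul notes; the checks above only confirm what new profiles will be told.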

Will Szymkowski (Senior Solution Architect) commented:
@Paul thanks for the reference!


ParisBP (Author) commented:
Close for use @Paul.

DNS ping internally to check.

Created new profile, and still am getting the cert error, referencing exchange.local.
Will Szymkowski (Senior Solution Architect) commented:
Does this happen for all users? If it does not, it is likely a caching issue somewhere, i.e. try creating a new Windows profile.

If this is in fact affecting all users, try running the "Test Email Auto Configuration" from the Outlook client. This will tell you what you are using for Autodiscover and also what virtual directories you are pointing to.

ParisBP (Author) commented:
Ok.. using GoDaddy. I added SAN autodiscover,

as it was not on the original SSL.

I redownloaded the updated cert...

How do I replace the one installed on the server so it has the autodiscover?

Or should I have regenerated the request from scratch?
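One way to swap in the reissued cert and verify it before binding it, as an added example that is not code from the thread: it imports the downloaded cert on Exchange 2010, compares its SAN list against every hostname the server hands to clients (including Autodiscover), and only enables it for IIS when nothing is missing. It assumes the reissue completes the pending request from the original CSR (same private key); the file path is a placeholder.

```powershell
# Added example (not from the thread). File path is a constructed placeholder.
$CertFile = "C:\certs\mail_reissued.crt"    # reissued cert downloaded from the CA (placeholder)
$Cas      = $env:COMPUTERNAME

# Exchange 2010 takes the file bytes, not a path; this completes the pending
# request that New-ExchangeCertificate created, so the private key must match.
$Cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $CertFile -Encoding Byte -ReadCount 0))

# Every hostname clients will be told to use must appear in the SAN list.
$Needed = @(
    (Get-OwaVirtualDirectory         -Server $Cas).InternalUrl
    (Get-EcpVirtualDirectory         -Server $Cas).InternalUrl
    (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl
    (Get-OabVirtualDirectory         -Server $Cas).InternalUrl
    (Get-ActiveSyncVirtualDirectory  -Server $Cas).InternalUrl
    (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
) | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() } | Sort-Object -Unique

# Exact-name match only; a wildcard SAN would need its own check.
$OnCert  = $Cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
$Missing = $Needed | Where-Object { $OnCert -notcontains $_ }

if ($Missing) {
    Write-Warning "Cert is missing SAN(s): $($Missing -join ', '). Outlook will keep showing cert errors for those names."
} else {
    # IIS covers OWA, ECP, EWS, OAB, ActiveSync and Autodiscover; SMTP for TLS mail flow.
    Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS,SMTP"
    iisreset /noforce
    Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint | Format-List Thumbprint, CertificateDomains, Services, NotAfter
}
```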
ParisBP (Author) commented:
It was a combination of fixes, starting with the CA cert. @Paul was right, and Will tipped me off with the autodiscover not.. Thanks Experts!!!