Exchange Internal Certificate error

Hi Guys,

We are having a small issue where, internally on the network, when we open Outlook it gives a certificate error. We select Yes and all works, but it is annoying.

All the internal URLs are correct and working. Can someone help to resolve the certificate error?


Ajoy Rajan (Managed Service Consultant) asked:

RantCan (Sr. Systems Administrator) commented:
Your SAN certificate does not match where your mail comes from. You are signing, for example: (for Exchange) with a self-signed certificate (for mailserver01.domain.local).

Install a signing certificate for your mail domain ( on your Exchange server and assign services to it (SMTP, CAS, etc.).

Ajoy Rajan (Managed Service Consultant, Author) commented:
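Before changing DNS or reissuing anything, it is worth confirming which certificate IIS is actually serving and whether every hostname Outlook is told to use appears in its SAN list. The following is an added example for the Exchange Management Shell, not code from the thread; the server name `EX01` is an assumption, and `Get-ClientAccessService` is the Exchange 2016/2019 name (on Exchange 2013 use `Get-ClientAccessServer`).

```powershell
# Added example (not from the original thread). Run in the Exchange Management Shell.
# Collects every internal and external hostname handed to clients by the Client Access
# virtual directories, then checks each one against the SANs of the certificate bound to IIS.
$server = 'EX01'   # assumed server name; substitute your own

# 1. Gather the URLs clients are given (Autodiscover plus each virtual directory).
$urls = @()
$urls += (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-MapiVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory') {
    & $cmd -Server $server | ForEach-Object { $urls += $_.InternalUrl, $_.ExternalUrl }
}
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host.ToLower() }
# Outlook Anywhere carries bare hostnames rather than URLs.
Get-OutlookAnywhere -Server $server | ForEach-Object {
    $hosts += "$($_.InternalHostname)".ToLower(), "$($_.ExternalHostname)".ToLower()
}
$hosts = $hosts | Where-Object { $_ } | Sort-Object -Unique

# 2. Identify the certificate that IIS (HTTPS) is really using and its SAN entries.
$cert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }

# 3. Match a hostname against the SANs; a wildcard covers exactly one label (*.example.com
#    matches mail.example.com but not mail.internal.example.com).
function Test-NameCovered {
    param([string]$Name, [string[]]$Sans)
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and
            $Name.EndsWith($san.Substring(1)) -and
            $Name.Split('.').Count -eq $san.Split('.').Count) { return $true }
    }
    return $false
}

"Certificate: $($cert.Subject)  self-signed: $($cert.IsSelfSigned)  expires: $($cert.NotAfter)"
foreach ($h in $hosts) {
    $status = if (Test-NameCovered -Name $h -Sans $sans) { 'covered' } else { 'MISSING' }
    '{0,-8} {1}' -f $status, $h
}
```

Any line reported as MISSING is a name Outlook will be warned about. Either point that virtual directory at a name the certificate already carries (the `Set-*VirtualDirectory -InternalUrl` cmdlets), or reissue the certificate with the missing name added. If `self-signed` prints True, the services were never moved to the purchased certificate, which is `Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,SMTP`.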
We have our certificate installed and working fine externally. Internally, also it has been assigned the required services.

Please find the attachment for ref.
RantCan (Sr. Systems Administrator) commented:
Set up an internal DNS zone to match the name of your server: and set the A record to the internal IP of your mail server. This creates a split-brain DNS and should solve the internal resolution issue.

Ajoy Rajan (Managed Service Consultant, Author) commented:
Hi RantCan,

We cannot have the setup internally, as the people who work on the website get affected. Their access to our website stops internally and they need to work on this. Is it possible to use a different certificate internally and a different certificate externally?


RantCan (Sr. Systems Administrator) commented:
You would set up a DNS zone, not for the domain root of, but rather a zone for only, on only your internal servers. Your external DNS is still authoritative, but internal clients will first resolve to your internal DNS. If your internal DNS domain is domain.local as the root, this domain can host a zone that is the same as an external domain, but as long as the A record for that domain points externally, everyone will be able to find it. This is a pretty clear explanation of split-brain (split-horizon) DNS. You are using Windows DNS internally, yes?
