Solved

Exchange 2010 Certificate self-signed = false

Posted on 2016-09-21
9
69 Views
Last Modified: 2016-10-11
Hi folks,

I've created a new exchange certificate to use outlook extern (rpc over https). (SBS) The Root Certificate also was expired.

I used the exchange certificate wizard. Every link and services are included: exchange.domain.de, autodiscover.domain.de......

I connected the CA Authority via certsrv and exported the *.cer and import to RootCA.

Unfortunately the Exchange Certificate is accepted but under Self-Signed i'm getting = false

Today i'm creating a Group policy to deploy the Root and Exchange certificate to every client. Should this action fix the job?

From outside the outlook clients still getting a certificate problem. Will the import of both certificates on the clients fix the problem?

I' really dont know what to do. What about DNS? Which entries are needed? Pls do not advice to get a certificate from GoDaddy or a SAN.

Thanks in advance.
0
Comment
Question by:Mandy_
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809537
Hey buddy, this is fine.

Self signed for exchange is a certificate generated by the same exchange server. But in your case you are using a certificate that was signed by a CA. Which is even better.

Despite of that Self-Signed=False, which is correct, and even better than if it would say True. What is the exact message error that you are getting with your clients?

Maybe it is required to add the CA root in your network or verify something else missing (name, trust path chain, dates, etc)
0
 
LVL 25

Assisted Solution

by:-MAS
-MAS earned 100 total points (awarded by participants)
ID: 41809541
Hi,
When you install a certificate other than certificate issued by Exchange server is not self signed.
You will have to import the certificate to the "Trusted Root certification Auth....".
Else exyternal connectivity/outlook anywhere will not work.
Please check this article regarding DNS and URLs
https://www.experts-exchange.com/articles/13676/Out-Of-office-not-working.html
1
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 100 total points (awarded by participants)
ID: 41809580
If it is the case that your only problem is that the digital certificate is not trusted in your network. You can deploy the digital certificate from the CA that was used in your domain using the steps involved in this article:

https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx

1. Open Group Policy Management Console.
2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.
3. Right-click the GPO, and then select Edit.
4. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
5. Click the Action menu, and then click Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 100 total points (awarded by participants)
ID: 41809611
If you use a CA on your network to generate the certificate, non-domain joined clients that attempt to connect to Exchange will get a certificate error because they don't trust your CA. The CA certificate is deployed to Domain members by default, so computers on your domain will trust the CA, but if the computer isn't part of your domain, there's no way for the computer/device to know that it's okay to trust certificates generated by your CA, so they'll pop up a warning. You can resolve this by installing the Root CA certificate as a trusted third party certificate on any non-domain devices that access exchange (The instructions are above), but this can be a huge amount of work for you and your users if there are a lot of people who use the server.

I would estimate that the average support call to resolve this situation would take about 15 minutes at a minimum, so multiply that by the number of non-domain systems that will access your Exchange server, figure out how many hours that adds up to, then multiply that by how much your hourly wage is (plus the wages of any employees involved) and you start to realize that the $99 a year or so for a Certificate from Godaddy or somewhere similar becomes a pretty good deal.

In short, you're better off getting the Exchange certificate from a Third Party CA than you are generating your own.
1
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 
LVL 29

Assisted Solution

by:ScottCha
ScottCha earned 100 total points (awarded by participants)
ID: 41809643
You are going to continue to have cert issues until you purchase a valid cert from a trusted vendor.  The company I work for uses GoDaddy.

I use the following command to check my certs.

Get-ExchangeCertificate | fl

Buy your cert, install it and move on to bigger and better things.
1
 
LVL 14

Accepted Solution

by:
Todd Nelson earned 100 total points (awarded by participants)
ID: 41809808
With an internally issued CA cert, you will have to install the cert on every computer that is not domain joined, and don't get me started on other remote devices (i.e. phones) .  Unless, it's for a test environment, internal CA certs are not recommended for Exchange in production.

Pls do not advice to get a certificate from GoDaddy or a SAN.

Blah, blah, blah.

Get a UCC/SAN certificate from Digicert, Comodo, Certificates for Exchange, etc. and your worries with unneccessary tail-chasing are over.  For simplicity sake, get a cert from a publicly trusted CA.

You can find a UCC/SAN cert that will cost anywhere from $49.99/yr and up.  Your time is worth more than $50, isn't it?
0
 
LVL 2

Author Comment

by:Mandy_
ID: 41810192
The customer worked for years without any Commercial certificate. How should i explain him that now he Needs 50$ ? From my sight it would be also the best choice.
0
 
LVL 2

Author Comment

by:Mandy_
ID: 41810233
Thank you so much
0
 
LVL 25

Expert Comment

by:-MAS
ID: 41838076
All of the posts were helpful and can be closed this thread.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now