Exchange 2010 Certificate self-signed = false

Hi folks,

I've created a new exchange certificate to use outlook extern (rpc over https). (SBS) The Root Certificate also was expired.

I used the exchange certificate wizard. Every link and services are included:,

I connected the CA Authority via certsrv and exported the *.cer and import to RootCA.

Unfortunately the Exchange Certificate is accepted but under Self-Signed i'm getting = false

Today i'm creating a Group policy to deploy the Root and Exchange certificate to every client. Should this action fix the job?

From outside the outlook clients still getting a certificate problem. Will the import of both certificates on the clients fix the problem?

I' really dont know what to do. What about DNS? Which entries are needed? Pls do not advice to get a certificate from GoDaddy or a SAN.

Thanks in advance.
Who is Participating?
Todd NelsonConnect With a Mentor Systems EngineerCommented:
With an internally issued CA cert, you will have to install the cert on every computer that is not domain joined, and don't get me started on other remote devices (i.e. phones) .  Unless, it's for a test environment, internal CA certs are not recommended for Exchange in production.

Pls do not advice to get a certificate from GoDaddy or a SAN.

Blah, blah, blah.

Get a UCC/SAN certificate from Digicert, Comodo, Certificates for Exchange, etc. and your worries with unneccessary tail-chasing are over.  For simplicity sake, get a cert from a publicly trusted CA.

You can find a UCC/SAN cert that will cost anywhere from $49.99/yr and up.  Your time is worth more than $50, isn't it?
Schnell SolutionsSystems Infrastructure EngineerCommented:
Hey buddy, this is fine.

Self signed for exchange is a certificate generated by the same exchange server. But in your case you are using a certificate that was signed by a CA. Which is even better.

Despite of that Self-Signed=False, which is correct, and even better than if it would say True. What is the exact message error that you are getting with your clients?

Maybe it is required to add the CA root in your network or verify something else missing (name, trust path chain, dates, etc)
MAS (MVE)Connect With a Mentor Technical Department HeadCommented:
When you install a certificate other than certificate issued by Exchange server is not self signed.
You will have to import the certificate to the "Trusted Root certification Auth....".
Else exyternal connectivity/outlook anywhere will not work.
Please check this article regarding DNS and URLs
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Schnell SolutionsConnect With a Mentor Systems Infrastructure EngineerCommented:
If it is the case that your only problem is that the digital certificate is not trusted in your network. You can deploy the digital certificate from the CA that was used in your domain using the steps involved in this article:

1. Open Group Policy Management Console.
2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.
3. Right-click the GPO, and then select Edit.
4. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
5. Click the Action menu, and then click Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.
Adam BrownConnect With a Mentor Sr Solutions ArchitectCommented:
If you use a CA on your network to generate the certificate, non-domain joined clients that attempt to connect to Exchange will get a certificate error because they don't trust your CA. The CA certificate is deployed to Domain members by default, so computers on your domain will trust the CA, but if the computer isn't part of your domain, there's no way for the computer/device to know that it's okay to trust certificates generated by your CA, so they'll pop up a warning. You can resolve this by installing the Root CA certificate as a trusted third party certificate on any non-domain devices that access exchange (The instructions are above), but this can be a huge amount of work for you and your users if there are a lot of people who use the server.

I would estimate that the average support call to resolve this situation would take about 15 minutes at a minimum, so multiply that by the number of non-domain systems that will access your Exchange server, figure out how many hours that adds up to, then multiply that by how much your hourly wage is (plus the wages of any employees involved) and you start to realize that the $99 a year or so for a Certificate from Godaddy or somewhere similar becomes a pretty good deal.

In short, you're better off getting the Exchange certificate from a Third Party CA than you are generating your own.
Scott CConnect With a Mentor Senior Systems EnginerCommented:
You are going to continue to have cert issues until you purchase a valid cert from a trusted vendor.  The company I work for uses GoDaddy.

I use the following command to check my certs.

Get-ExchangeCertificate | fl

Buy your cert, install it and move on to bigger and better things.
Mandy_Author Commented:
The customer worked for years without any Commercial certificate. How should i explain him that now he Needs 50$ ? From my sight it would be also the best choice.
Mandy_Author Commented:
Thank you so much
MAS (MVE)Technical Department HeadCommented:
All of the posts were helpful and can be closed this thread.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.