Go Premium for a chance to win a PS4. Enter to Win


Exchange 2010 Certificate self-signed = false

Posted on 2016-09-21
Medium Priority
Last Modified: 2016-10-11
Hi folks,

I've created a new exchange certificate to use outlook extern (rpc over https). (SBS) The Root Certificate also was expired.

I used the exchange certificate wizard. Every link and services are included: exchange.domain.de, autodiscover.domain.de......

I connected the CA Authority via certsrv and exported the *.cer and import to RootCA.

Unfortunately the Exchange Certificate is accepted but under Self-Signed i'm getting = false

Today i'm creating a Group policy to deploy the Root and Exchange certificate to every client. Should this action fix the job?

From outside the outlook clients still getting a certificate problem. Will the import of both certificates on the clients fix the problem?

I' really dont know what to do. What about DNS? Which entries are needed? Pls do not advice to get a certificate from GoDaddy or a SAN.

Thanks in advance.
Question by:Mandy_
  • 2
  • 2
  • 2
  • +3
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809537
Hey buddy, this is fine.

Self signed for exchange is a certificate generated by the same exchange server. But in your case you are using a certificate that was signed by a CA. Which is even better.

Despite of that Self-Signed=False, which is correct, and even better than if it would say True. What is the exact message error that you are getting with your clients?

Maybe it is required to add the CA root in your network or verify something else missing (name, trust path chain, dates, etc)
LVL 27

Assisted Solution

MAS earned 400 total points (awarded by participants)
ID: 41809541
When you install a certificate other than certificate issued by Exchange server is not self signed.
You will have to import the certificate to the "Trusted Root certification Auth....".
Else exyternal connectivity/outlook anywhere will not work.
Please check this article regarding DNS and URLs
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 400 total points (awarded by participants)
ID: 41809580
If it is the case that your only problem is that the digital certificate is not trusted in your network. You can deploy the digital certificate from the CA that was used in your domain using the steps involved in this article:


1. Open Group Policy Management Console.
2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.
3. Right-click the GPO, and then select Edit.
4. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
5. Click the Action menu, and then click Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 400 total points (awarded by participants)
ID: 41809611
If you use a CA on your network to generate the certificate, non-domain joined clients that attempt to connect to Exchange will get a certificate error because they don't trust your CA. The CA certificate is deployed to Domain members by default, so computers on your domain will trust the CA, but if the computer isn't part of your domain, there's no way for the computer/device to know that it's okay to trust certificates generated by your CA, so they'll pop up a warning. You can resolve this by installing the Root CA certificate as a trusted third party certificate on any non-domain devices that access exchange (The instructions are above), but this can be a huge amount of work for you and your users if there are a lot of people who use the server.

I would estimate that the average support call to resolve this situation would take about 15 minutes at a minimum, so multiply that by the number of non-domain systems that will access your Exchange server, figure out how many hours that adds up to, then multiply that by how much your hourly wage is (plus the wages of any employees involved) and you start to realize that the $99 a year or so for a Certificate from Godaddy or somewhere similar becomes a pretty good deal.

In short, you're better off getting the Exchange certificate from a Third Party CA than you are generating your own.
LVL 32

Assisted Solution

by:Scott C
Scott C earned 400 total points (awarded by participants)
ID: 41809643
You are going to continue to have cert issues until you purchase a valid cert from a trusted vendor.  The company I work for uses GoDaddy.

I use the following command to check my certs.

Get-ExchangeCertificate | fl

Buy your cert, install it and move on to bigger and better things.
LVL 17

Accepted Solution

Todd Nelson earned 400 total points (awarded by participants)
ID: 41809808
With an internally issued CA cert, you will have to install the cert on every computer that is not domain joined, and don't get me started on other remote devices (i.e. phones) .  Unless, it's for a test environment, internal CA certs are not recommended for Exchange in production.

Pls do not advice to get a certificate from GoDaddy or a SAN.

Blah, blah, blah.

Get a UCC/SAN certificate from Digicert, Comodo, Certificates for Exchange, etc. and your worries with unneccessary tail-chasing are over.  For simplicity sake, get a cert from a publicly trusted CA.

You can find a UCC/SAN cert that will cost anywhere from $49.99/yr and up.  Your time is worth more than $50, isn't it?

Author Comment

ID: 41810192
The customer worked for years without any Commercial certificate. How should i explain him that now he Needs 50$ ? From my sight it would be also the best choice.

Author Comment

ID: 41810233
Thank you so much
LVL 27

Expert Comment

ID: 41838076
All of the posts were helpful and can be closed this thread.

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
There can be many situations demanding the conversion of Outlook OST files to PST format and as such, there is no shortage of automated tools to perform this conversion. However, what makes Stellar OST to PST converter stand above the rest? Let us e…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question