Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Exchange 2010 Certificate self-signed = false

Posted on 2016-09-21
Medium Priority
Last Modified: 2016-10-11
Hi folks,

I've created a new exchange certificate to use outlook extern (rpc over https). (SBS) The Root Certificate also was expired.

I used the exchange certificate wizard. Every link and services are included:,

I connected the CA Authority via certsrv and exported the *.cer and import to RootCA.

Unfortunately the Exchange Certificate is accepted but under Self-Signed i'm getting = false

Today i'm creating a Group policy to deploy the Root and Exchange certificate to every client. Should this action fix the job?

From outside the outlook clients still getting a certificate problem. Will the import of both certificates on the clients fix the problem?

I' really dont know what to do. What about DNS? Which entries are needed? Pls do not advice to get a certificate from GoDaddy or a SAN.

Thanks in advance.
Question by:Mandy_
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809537
Hey buddy, this is fine.

Self signed for exchange is a certificate generated by the same exchange server. But in your case you are using a certificate that was signed by a CA. Which is even better.

Despite of that Self-Signed=False, which is correct, and even better than if it would say True. What is the exact message error that you are getting with your clients?

Maybe it is required to add the CA root in your network or verify something else missing (name, trust path chain, dates, etc)
LVL 27

Assisted Solution

MAS earned 400 total points (awarded by participants)
ID: 41809541
When you install a certificate other than certificate issued by Exchange server is not self signed.
You will have to import the certificate to the "Trusted Root certification Auth....".
Else exyternal connectivity/outlook anywhere will not work.
Please check this article regarding DNS and URLs
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 400 total points (awarded by participants)
ID: 41809580
If it is the case that your only problem is that the digital certificate is not trusted in your network. You can deploy the digital certificate from the CA that was used in your domain using the steps involved in this article:

1. Open Group Policy Management Console.
2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.
3. Right-click the GPO, and then select Edit.
4. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
5. Click the Action menu, and then click Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 400 total points (awarded by participants)
ID: 41809611
If you use a CA on your network to generate the certificate, non-domain joined clients that attempt to connect to Exchange will get a certificate error because they don't trust your CA. The CA certificate is deployed to Domain members by default, so computers on your domain will trust the CA, but if the computer isn't part of your domain, there's no way for the computer/device to know that it's okay to trust certificates generated by your CA, so they'll pop up a warning. You can resolve this by installing the Root CA certificate as a trusted third party certificate on any non-domain devices that access exchange (The instructions are above), but this can be a huge amount of work for you and your users if there are a lot of people who use the server.

I would estimate that the average support call to resolve this situation would take about 15 minutes at a minimum, so multiply that by the number of non-domain systems that will access your Exchange server, figure out how many hours that adds up to, then multiply that by how much your hourly wage is (plus the wages of any employees involved) and you start to realize that the $99 a year or so for a Certificate from Godaddy or somewhere similar becomes a pretty good deal.

In short, you're better off getting the Exchange certificate from a Third Party CA than you are generating your own.
LVL 32

Assisted Solution

by:Scott C
Scott C earned 400 total points (awarded by participants)
ID: 41809643
You are going to continue to have cert issues until you purchase a valid cert from a trusted vendor.  The company I work for uses GoDaddy.

I use the following command to check my certs.

Get-ExchangeCertificate | fl

Buy your cert, install it and move on to bigger and better things.
LVL 16

Accepted Solution

Todd Nelson earned 400 total points (awarded by participants)
ID: 41809808
With an internally issued CA cert, you will have to install the cert on every computer that is not domain joined, and don't get me started on other remote devices (i.e. phones) .  Unless, it's for a test environment, internal CA certs are not recommended for Exchange in production.

Pls do not advice to get a certificate from GoDaddy or a SAN.

Blah, blah, blah.

Get a UCC/SAN certificate from Digicert, Comodo, Certificates for Exchange, etc. and your worries with unneccessary tail-chasing are over.  For simplicity sake, get a cert from a publicly trusted CA.

You can find a UCC/SAN cert that will cost anywhere from $49.99/yr and up.  Your time is worth more than $50, isn't it?

Author Comment

ID: 41810192
The customer worked for years without any Commercial certificate. How should i explain him that now he Needs 50$ ? From my sight it would be also the best choice.

Author Comment

ID: 41810233
Thank you so much
LVL 27

Expert Comment

ID: 41838076
All of the posts were helpful and can be closed this thread.

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
This video discusses moving either the default database or any database to a new volume.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question