Exchange 2010 Certificate self-signed = false

Posted on 2016-09-21
Last Modified: 2016-10-11
Hi folks,

I've created a new exchange certificate to use outlook extern (rpc over https). (SBS) The Root Certificate also was expired.

I used the exchange certificate wizard. Every link and services are included:,

I connected the CA Authority via certsrv and exported the *.cer and import to RootCA.

Unfortunately the Exchange Certificate is accepted but under Self-Signed i'm getting = false

Today i'm creating a Group policy to deploy the Root and Exchange certificate to every client. Should this action fix the job?

From outside the outlook clients still getting a certificate problem. Will the import of both certificates on the clients fix the problem?

I' really dont know what to do. What about DNS? Which entries are needed? Pls do not advice to get a certificate from GoDaddy or a SAN.

Thanks in advance.
Question by:Mandy_
  • 2
  • 2
  • 2
  • +3
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41809537
Hey buddy, this is fine.

Self signed for exchange is a certificate generated by the same exchange server. But in your case you are using a certificate that was signed by a CA. Which is even better.

Despite of that Self-Signed=False, which is correct, and even better than if it would say True. What is the exact message error that you are getting with your clients?

Maybe it is required to add the CA root in your network or verify something else missing (name, trust path chain, dates, etc)
LVL 25

Assisted Solution

-MAS earned 100 total points (awarded by participants)
ID: 41809541
When you install a certificate other than certificate issued by Exchange server is not self signed.
You will have to import the certificate to the "Trusted Root certification Auth....".
Else exyternal connectivity/outlook anywhere will not work.
Please check this article regarding DNS and URLs
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 100 total points (awarded by participants)
ID: 41809580
If it is the case that your only problem is that the digital certificate is not trusted in your network. You can deploy the digital certificate from the CA that was used in your domain using the steps involved in this article:

1. Open Group Policy Management Console.
2. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.
3. Right-click the GPO, and then select Edit.
4. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers.
5. Click the Action menu, and then click Import.
6. Follow the instructions in the Certificate Import Wizard to find and import the certificate.

If the certificate is self-signed, and cannot be traced back to a certificate that is in the Trusted Root Certification Authorities certificate store, then you must also copy the certificate to that store. In the navigation pane, click Trusted Root Certification Authorities, and then repeat steps 5 and 6 to install a copy of the certificate to that store.
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 100 total points (awarded by participants)
ID: 41809611
If you use a CA on your network to generate the certificate, non-domain joined clients that attempt to connect to Exchange will get a certificate error because they don't trust your CA. The CA certificate is deployed to Domain members by default, so computers on your domain will trust the CA, but if the computer isn't part of your domain, there's no way for the computer/device to know that it's okay to trust certificates generated by your CA, so they'll pop up a warning. You can resolve this by installing the Root CA certificate as a trusted third party certificate on any non-domain devices that access exchange (The instructions are above), but this can be a huge amount of work for you and your users if there are a lot of people who use the server.

I would estimate that the average support call to resolve this situation would take about 15 minutes at a minimum, so multiply that by the number of non-domain systems that will access your Exchange server, figure out how many hours that adds up to, then multiply that by how much your hourly wage is (plus the wages of any employees involved) and you start to realize that the $99 a year or so for a Certificate from Godaddy or somewhere similar becomes a pretty good deal.

In short, you're better off getting the Exchange certificate from a Third Party CA than you are generating your own.
LVL 30

Assisted Solution

by:Scott C
Scott C earned 100 total points (awarded by participants)
ID: 41809643
You are going to continue to have cert issues until you purchase a valid cert from a trusted vendor.  The company I work for uses GoDaddy.

I use the following command to check my certs.

Get-ExchangeCertificate | fl

Buy your cert, install it and move on to bigger and better things.
LVL 15

Accepted Solution

Todd Nelson earned 100 total points (awarded by participants)
ID: 41809808
With an internally issued CA cert, you will have to install the cert on every computer that is not domain joined, and don't get me started on other remote devices (i.e. phones) .  Unless, it's for a test environment, internal CA certs are not recommended for Exchange in production.

Pls do not advice to get a certificate from GoDaddy or a SAN.

Blah, blah, blah.

Get a UCC/SAN certificate from Digicert, Comodo, Certificates for Exchange, etc. and your worries with unneccessary tail-chasing are over.  For simplicity sake, get a cert from a publicly trusted CA.

You can find a UCC/SAN cert that will cost anywhere from $49.99/yr and up.  Your time is worth more than $50, isn't it?

Author Comment

ID: 41810192
The customer worked for years without any Commercial certificate. How should i explain him that now he Needs 50$ ? From my sight it would be also the best choice.

Author Comment

ID: 41810233
Thank you so much
LVL 25

Expert Comment

ID: 41838076
All of the posts were helpful and can be closed this thread.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question