mudcow007
asked on
PCI Compliance - Self signed cert Exchange 2013
Hello
We are just in the middle of a PCI Compliance test and we are failing on a few things, one of them being that we are using a self-signed certificate. I guess it's the one that Exchange creates when it's installed.
We have a 3rd party assigned SSL certificate installed as well.
Can I remove the self-signed cert safely?
The self-signed cert is currently assigned to SMTP & IIS, although these are greyed out.
The SSL cert is assigned to SMTP, IMAP, POP & IIS (although they are also greyed out).
thanks
ASKER
Thanks Akhater
How do I know if the 3rd party cert is assigned to IIS?
many thanks
What is the output of Get-ExchangeCertificate?
ASKER
It shows thumbprints of all current certs and which services they are attached to and "subject"
cert.png
Yes, the public one is enabled for IIS. I really doubt that is your issue, since it is also enabled for SMTP.
What exactly is the PCI compliance failure?
ASKER
The actual failure is:
SSL Self Signed Certificate : The SSL certificate chain for this certificate ends in an unrecognised self signed certificate
I will run the PCI test again to confirm the error
thanks
The Exchange self-signed certificate is used by Exchange servers to authenticate each other and will not be enabled for SMTP by default.
The public certificate shall be enabled for SMTP, POP, IMAP and IIS once installation is complete.
Every self-signed certificate is assigned SMTP and SMTP cannot be unassigned from the cert. It's a default setting.
However, if the FQDN names of the servers are in the certificate issued by a public CA, the original self-signed certificate(s), that was replaced by the public certificate, can be safely removed.
But like Akhater stated, you don't need to remove the self-signed certificates.
I don't have experience with the PCI compliance test, but I guess it connects to a URL? Which URL is it connecting to?
ASKER CERTIFIED SOLUTION
Simon,
Correct. I was wrong to assume everyone would know I was referring to server names that might actually be routable names like server1.contoso.com and not server1.contoso.local.
ASKER
Thank you, I was unaware of that.
Thanks
If you have a 3rd party certificate and it is well configured, it is the one that should be assigned to IIS, and that should solve your problem.
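
The scan finding is about the certificate a client is handed on the wire, so this added example (not posted by anyone in the thread) connects to each TLS port and reports the certificate presented there, whose thumbprint can then be matched against the `Get-ExchangeCertificate` output. The server name `mail.example.com`, the function name `Get-PresentedCertificate` and the port list are assumptions.

```powershell
# Added example, not from the thread. $Server is a placeholder name.
param([string]$Server = 'mail.example.com')

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port, [switch]$SmtpStartTls)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        if ($SmtpStartTls) {
            # Plain-text SMTP preamble that precedes the TLS handshake on port 25.
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            do { $line = $reader.ReadLine() } while ($line -match '^220-')  # banner
            $writer.WriteLine('EHLO cert-check.example')
            do { $line = $reader.ReadLine() } while ($line -match '^250-')  # EHLO reply
            $writer.WriteLine('STARTTLS')
            $line = $reader.ReadLine()
            if ($line -notmatch '^220') { throw "STARTTLS refused: $line" }
        }
        # Accept any certificate: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Chain check uses this machine's trust store, which may differ from the scanner's.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [pscustomobject]@{
            Port         = $Port
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint      # compare with Get-ExchangeCertificate
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # heuristic: self-issued leaf
            ChainTrusted = $chain.Build($cert)
        }
    } finally { $client.Close() }
}

# HTTPS, IMAPS and POP3S negotiate TLS immediately; SMTP needs STARTTLS first.
$results = foreach ($port in 443, 993, 995, 25) {
    try { Get-PresentedCertificate -HostName $Server -Port $port -SmtpStartTls:($port -eq 25) }
    catch { Write-Warning "Port ${port}: $($_.Exception.Message)" }
}
$results | Format-Table Port, SelfSigned, ChainTrusted, Thumbprint, Subject -AutoSize
```

Run it from a machine outside the Exchange server against the name the scan targets; a port that reports `SelfSigned = True` is one where the self-signed certificate is the one being presented.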