Solved

PCI Compliance - Self signed cert Exchange 2013

Posted on 2016-10-07
71 Views
Last Modified: 2016-11-15
Hello

We are just in the middle of a PCI compliance test and we are failing on a few things, one of them being that we are using a self-signed certificate. I guess it's the one that Exchange creates when it's installed.

We have a 3rd party assigned SSL certificate installed as well.

Can I remove the self-signed cert safely?

The self-signed cert is currently assigned to SMTP & IIS, although these are greyed out.

The SSL cert is assigned to SMTP, IMAP, POP & IIS (although they are also greyed out).

thanks
0
Question by:mudcow007
12 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 41833359
No, don't uninstall the self-signed one; there is no need to do so.

If you have a 3rd party certificate and it is well configured, it is the one that should be assigned to IIS, and that should solve your problem.
2
 

Author Comment

by:mudcow007
ID: 41833413
Thanks Akhater

How do I know if the 3rd party cert is assigned to IIS?

many thanks
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41833416
Get-ExchangeCertificate: what is the output?
0
 
Author Comment

by:mudcow007
ID: 41833433
It shows the thumbprints of all current certs, which services they are attached to, and the "subject".
cert.png
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41833438
Yes, the public one is enabled for IIS. I really doubt that is your issue since it is also enabled for SMTP.

What exactly is the PCI compliance failure?
0
 

Author Comment

by:mudcow007
ID: 41833499
The actual failure is:

SSL Self Signed Certificate: The SSL certificate chain for this certificate ends in an unrecognised self signed certificate

I will run the PCI test again to confirm the error

thanks
0
 
LVL 19

Expert Comment

by:suriyaehnop
ID: 41833571
The Exchange self-signed certificate is used by Exchange servers to authenticate each other and will not be enabled for SMTP by default.

The public certificate shall be enabled for SMTP, POP, IMAP and IIS once installation is complete.
0
 
LVL 15

Expert Comment

by:Todd Nelson
ID: 41833769
Every self-signed certificate is assigned SMTP and SMTP cannot be unassigned from the cert.  It's a default setting.

self-signed-cert.png
However, if the FQDN names of the servers are in the certificate issued by a public CA, the original self-signed certificate(s), that was replaced by the public certificate, can be safely removed.

But like Akhater stated, you don't need to remove the self-signed certificates.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41833903
I don't have experience with the PCI compliance test, but I guess it connects to a URL? Which URL is it connecting to?
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) earned 500 total points
ID: 41834055
You cannot run an Exchange server without a self-signed SSL certificate.
For Exchange to work correctly it needs an SSL certificate on the SMTP function which matches the internal name of the Exchange server.

However, no commercial SSL provider will issue SSL certificates to internal-only names. Therefore you have to use a self-signed certificate for the SMTP role, with the trusted certificate on the IIS, POP and IMAP roles.
0
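The check Akhater asks for (the Get-ExchangeCertificate output) and the split Simon describes (self-signed certificate on SMTP, trusted certificate on IIS, POP and IMAP) can be verified from the Exchange Management Shell. This is an added example, not code from the thread; `mail.example.com` is a placeholder for the public host name the PCI scanner connects to.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# $ExternalName is a placeholder for the public name the PCI scanner tests.
$ExternalName = 'mail.example.com'

# 1. Inventory: which certificates are self-signed and which services each serves.
$certs = Get-ExchangeCertificate
$certs | Select-Object Thumbprint, IsSelfSigned, Services, NotAfter,
    @{ n = 'Domains'; e = { $_.CertificateDomains -join ',' } } | Format-Table -AutoSize

# 2. The CA-issued certificate must be the one enabled for IIS (what the scanner
#    hits on 443) and it must list the public name being scanned.
$trusted = $certs | Where-Object {
    -not $_.IsSelfSigned -and (($_.Services.ToString() -split ',\s*') -contains 'IIS')
}
if (-not $trusted) {
    Write-Warning 'No CA-issued certificate is enabled for IIS (see Enable-ExchangeCertificate -Services IIS).'
} elseif (-not ($trusted.CertificateDomains -contains $ExternalName)) {
    Write-Warning "The certificate enabled for IIS does not list $ExternalName."
}

# 3. See what an external scanner sees: open a TLS session to port 443 and read the
#    certificate the server actually presents. The callback accepts any chain only so
#    the handshake completes and the certificate can be inspected; chain trust is
#    then evaluated separately with X509Chain against this machine's trust store.
$tcp = New-Object Net.Sockets.TcpClient($ExternalName, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($ExternalName)
    $served  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain   = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($served)
    'Served on 443: {0} issued by {1}; chain trusted locally: {2}' -f $served.Subject, $served.Issuer, $chainOk
    if ($served.Subject -eq $served.Issuer) {
        Write-Warning 'Port 443 still presents a self-signed certificate; that is what the PCI scan reports.'
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Step 3 is the one that matches the scanner's finding: if the subject equals the issuer on the certificate served on 443, the self-signed certificate is still bound in IIS regardless of what the Services column claims.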
 
LVL 15

Expert Comment

by:Todd Nelson
ID: 41834065
Simon,

Correct.  I was wrong to assume everyone would know I was referring to the fact that the server names might actually be a routable name like server1.contoso.com and not server1.contoso.local.
0
 

Author Closing Comment

by:mudcow007
ID: 41888206
Thank you, I was unaware of that.

Thanks
0