
Exchange certificate error/setup

232 Views
Last Modified: 2018-02-22
OK, I am pretty new to Exchange, and I hate certificates. Not a total newb, but don't skip the obvious, please. Additionally, I am picking up this system from old admins that left on bad terms.

The core problem is this.  On setting up a new user on a new computer, I receive a certificate error.  I can skip it and it will run through, but my users freak out, and I do not want to teach them to ignore these warnings, so I need to get it fixed.


The error is: (screenshot: Cert Error)
The certificate is: (screenshot: error2)
From this, it appears that Mailserver.domain.com is using a self-signed cert, and is also SHA1.

The environment is like this: (diagram: layoutmailservers)
The Root CA does not have a website I can download the root cert from (broken?)
The Sub CA does and appears to be working

There are a bunch of certificates on all 3 Exchange mail servers; most of them are self-signed, I THINK.

Only listing the certs in the Exchange MMC IIS console: (screenshots: MailServer.domain.com, certs1ex-mail1, ex-mail1exmail2, exmail2)
The ones listed in the web admin page are similar, only excluding the one that is expired.

There are so many, few to none match.  No rhyme or reason.  

I THINK I need to add a good cert from the Sub CA, and then remove the bad certs.  But this is a production box, and I am worried about removing certs that haven't expired, bad past experiences.


I guess I am asking for some guidance in cleaning up this mess.
Scott C, Senior Engineer
Commented:
Get a cert from a CA... GoDaddy is a good one. They also have excellent instructions on how to install.

You need a trusted cert from a CA.

The command you want to run is Get-ExchangeCertificate | fl > c:\cert\cert.txt

Make sure you have a folder called "cert" on your C drive.

Get the trusted cert, install it, and this should take care of your issues.

Be sure to get a SAN cert with the names you need...example....mail.server.com, owa.server.com, autodiscover.server.com, etc.

When you run the command I gave, you will be able to tell which ones are self-signed very easily.
Lofty Worm, IT Manager (Author)
Commented:
What if I want to use my own CA? People can't access their work email from outside the office.
Scott C, Senior Engineer
Commented:
You can use your own CA.  That's fine.  Verisign is another one.  Just make sure they are reputable and provide good instructions for installing the cert they sell you in Exchange.
Scott C, Senior Engineer
Commented:
Once you have a valid cert installed from the CA, your users will be able to access their email from outside of the office.
Lofty Worm, IT Manager (Author)
Commented:
But my CA is not trusted by the world.
Lofty Worm, IT Manager (Author)
Commented:
Also, do I need a separate cert for all three servers, a wildcard cert, or one cert with three names? What are the names? It appears that I need the server name (3), cluster name (1), WMSVC (3), and autodiscover (3). You can see where I am getting confused since there are so many :(
K B
Commented:
View the certificate when you see the popup and look at the cert to see if it is valid... also look at the Certification Path tab.

Are each one of those installed on each machine?


Get-ExchangeCertificate -Server XYZ | FT -Auto

will show you which certificate (thumbprint) is assigned to Web (W), which is primarily the one we are dealing with here.

A cheap Comodo certificate (with autodiscover.contoso.com and whateveryourOWA.contoso.com) can make life so much easier... you don't have to dole out certs to your clients. You don't want your DNS for OWA and Autodiscover (and the other vdirs) to point to server names, but if you absolutely have to do that then include the names in a UCC/SAN cert... it's like $45 bucks.

I use: https://ssl2buy.com/ 

you need the UCC/SAN certificate
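Both Scott C's `Get-ExchangeCertificate | fl` and K B's `-Server XYZ | FT -Auto` are inventory steps. The script below, added here as an example and not part of the thread, does that inventory across every server in one pass and flags the properties the question is about (self-signed, SHA1 signature, expired, bound to IIS). It assumes it is run in the Exchange Management Shell; the server list comes from Get-ExchangeServer, and the column names are mine.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumption: every server returned by Get-ExchangeServer is one the OP cares about;
# pass -Servers ex-mail1 (name taken from the OP's screenshot labels) to do just one.

function Get-ExchangeCertReport {
    param(
        [string[]]$Servers = (Get-ExchangeServer | ForEach-Object { $_.Name })
    )
    foreach ($server in $Servers) {
        foreach ($cert in (Get-ExchangeCertificate -Server $server)) {
            New-Object PSObject -Property @{
                Server     = $server
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                SelfSigned = $cert.IsSelfSigned                       # set by Exchange
                # sha1RSA is what the OP's screenshot shows; current certs are sha256RSA
                SHA1       = ($cert.SignatureAlgorithm.FriendlyName -match '^sha1')
                Expired    = ($cert.NotAfter -lt (Get-Date))
                NotAfter   = $cert.NotAfter
                Status     = $cert.Status                             # Valid, Untrusted, DateInvalid, ...
                Services   = $cert.Services.ToString()                # e.g. 'IIS, SMTP' or 'None'
                Domains    = ($cert.CertificateDomains -join ', ')    # CN plus SAN names
            }
        }
    }
}

$report = Get-ExchangeCertReport

# Everything, grouped per server.
$report | Sort-Object Server, Services |
    Format-Table Server, Thumbprint, SelfSigned, SHA1, Expired, Status, Services, Domains -AutoSize

# What the clients actually see: the cert bound to IIS (OWA, EWS, Autodiscover, Outlook Anywhere).
# SelfSigned = True or Status <> Valid on this line is the popup from the question.
Write-Host "`n== Bound to IIS (the one behind the client warning) =="
$report | Where-Object { $_.Services -match 'IIS' } |
    Format-Table Server, Thumbprint, SelfSigned, SHA1, Status, Domains -AutoSize

# Safe clean-up candidates: expired AND bound to nothing. A cert that is still bound to a
# service stays until its replacement has been enabled for that service.
Write-Host "`n== Expired and unused (candidates for Remove-ExchangeCertificate) =="
$report | Where-Object { $_.Expired -and $_.Services -eq 'None' } |
    Format-Table Server, Thumbprint, Subject, NotAfter -AutoSize
```

One caveat for this environment: `Status` is computed by chain building, which follows the CRL distribution points in the chain. If the Root CA's web server really is broken and its CRL lives there, even a good cert from the Sub CA can come back as `RevocationCheckFailure`; `certutil -urlfetch -verify <file.cer>` shows which URL fails, and that has to be fixed (or the CRL republished somewhere reachable) or the new cert will still fail validation on clients.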
Scott C, Senior Engineer
Commented:
A CA by default is trusted by the world.  That's why a CA is a Certificate Authority.

Run the above command I gave you, look at the results.  In there you should see the SANs you need to have put in your cert.

If your CA isn't trusted by the world, then you need to find one that is.  Verisign, GoDaddy, etc.

One cert installed on each server, you don't need one for each machine.

A wildcard cert will work but that can have its own configuration challenges.
Lofty Worm, IT Manager (Author)
Commented:
OK, I am ready to start pushing buttons, but I am nervous about this, as I have little XP with Exchange. I have no fear of running the PS commands, but how can I "quiesce" one of the servers so as not to impact it? Also, how can I connect to one of them specifically to see if my fix works?
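The "connect to one of them specifically" question is not answered in the thread. The following is an added example (not the author's or the thread's code) that opens a TLS connection to a single server by its own name or IP, asks for the client-facing name, and reports the certificate that server actually serves plus the two checks a client performs (name match, chain trust). `ex-mail1.domain.com` and `mail.domain.com` are assumed names. It uses only .NET, so it runs from any Windows machine, including the new user's PC that shows the popup.

```powershell
# Added example, not from the thread. Plain PowerShell, no Exchange cmdlets needed.
# Assumed names: ex-mail1.domain.com (a server), mail.domain.com (the name clients use).

function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,   # host or IP to connect to
        [string]$ClientName = $ComputerName,                    # name the client asks for (SNI)
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any server certificate: the point is to look at it, not to reject it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ClientName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    $sans = @()
    $sanExt = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value }
    }
    $cn = $served.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Name check the way a client does it: exact match on CN or a SAN, or a one-label wildcard.
    $nameOk = $false
    foreach ($n in (@($cn) + $sans)) {
        if ($n -eq $ClientName) { $nameOk = $true; break }
        if ($n.StartsWith('*.') -and $ClientName -match '^[^.]+\.(.+)$' -and $Matches[1] -eq $n.Substring(2)) {
            $nameOk = $true; break
        }
    }

    # Chain check against THIS machine's trust store, which is what the user's PC does too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($served)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Server       = $ComputerName
        ClientName   = $ClientName
        Thumbprint   = $served.Thumbprint
        Subject      = $served.Subject
        Issuer       = $served.Issuer
        NotAfter     = $served.NotAfter
        SigAlg       = $served.SignatureAlgorithm.FriendlyName   # sha1RSA is the OP's case
        SANs         = ($sans -join ', ')
        NameMatches  = $nameOk
        ChainTrusted = $chainOk
        ChainStatus  = $chainStatus      # UntrustedRoot is what a self-signed cert produces
    }
}

# Run once per server, before and after the change. Because the connection targets the server
# directly, DNS for mail.domain.com can stay pointed at the other servers while you test this one.
Get-ServedCertificate -ComputerName 'ex-mail1.domain.com' -ClientName 'mail.domain.com' | Format-List
```

Compare `Thumbprint` with the IIS-bound thumbprint from `Get-ExchangeCertificate -Server ex-mail1`; if they differ, the binding change has not taken effect on that server. `ChainTrusted` is only meaningful from a machine that does not already have the internal root installed by hand; run it from a freshly joined PC or a non-domain laptop to see what the affected users see.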
Scott C, Senior Engineer
Commented:
Installing a cert from GoDaddy is easy.  Just follow their directions.

How did things go?
Lofty Worm, IT Manager (Author)
Commented:
So I called MS, and there was a LOT of command line and cert clean-up, too much to mention. My one takeaway from this was that Exchange certificates are at heart just IIS certs, attached to Exchange services via command.
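The author's closing remark (certificates are attached to Exchange services by command) and Scott C's earlier advice (one SAN cert carrying the names clients use, installed on each server) describe the same procedure. The following is an added example of that procedure, not the steps Microsoft walked the author through and not code from the thread. It assumes `mail.domain.com` and `autodiscover.domain.com` as the client-facing names, `ex-mail1` and `exmail2` as the servers, `C:\cert` on ex-mail1 as the working folder, and made-up O/L/S/C values in the subject; run it in the Exchange Management Shell.

```powershell
# Added example, not from the thread. All names below are assumptions.
$Servers      = @('ex-mail1', 'exmail2')                          # every server clients connect to
$KeyServer    = $Servers[0]                                       # where the private key is generated
$Names        = @('mail.domain.com', 'autodiscover.domain.com')   # what Outlook/OWA/phones actually use
$FriendlyName = 'Exchange SAN cert ' + (Get-Date -Format yyyy-MM)
$WorkDir      = "\\$KeyServer\c$\cert"
$PfxPassword  = Read-Host 'Password for the PFX that carries the key to the other servers' -AsSecureString

# 1. One CSR, generated on one server. Only client-facing names go in; once the OWA/EWS/Autodiscover
#    virtual directories and DNS point at mail.domain.com, the server names are not needed in the cert.
$csr = New-ExchangeCertificate -Server $KeyServer -GenerateRequest -PrivateKeyExportable $true `
           -FriendlyName $FriendlyName -KeySize 2048 `
           -SubjectName "CN=$($Names[0]),O=Domain Inc,L=City,S=State,C=US" `
           -DomainName $Names
Set-Content -Path "$WorkDir\exchange.req" -Value $csr -Encoding Ascii

# 2. Submit exchange.req to the CA (the working Sub CA, or a public one), save the issued
#    certificate as exchange.cer in the same folder, then complete the pending request.
$issued = Import-ExchangeCertificate -Server $KeyServer `
              -FileData ([byte[]](Get-Content -Path "$WorkDir\exchange.cer" -Encoding Byte -ReadCount 0))

# 3. Bind it. IIS is the service behind the popup; SMTP so TLS mail uses it as well.
#    -Force suppresses the "replace the default SMTP certificate?" prompt. The old self-signed
#    cert stays in the store, now unbound, until you are sure nothing else references it.
Enable-ExchangeCertificate -Server $KeyServer -Thumbprint $issued.Thumbprint -Services IIS,SMTP -Force

# 4. Same certificate and key on the other servers: export as PFX, import, bind.
#    Doing this one server at a time is the "quiesce" the author asked about: the servers
#    not yet touched keep answering with whatever they had before.
$pfx = Export-ExchangeCertificate -Server $KeyServer -Thumbprint $issued.Thumbprint -BinaryEncoded -Password $PfxPassword
[System.IO.File]::WriteAllBytes("$WorkDir\exchange.pfx", $pfx.FileData)
foreach ($s in ($Servers | Where-Object { $_ -ne $KeyServer })) {
    $copy = Import-ExchangeCertificate -Server $s -PrivateKeyExportable $true -Password $PfxPassword `
                -FileData ([byte[]](Get-Content -Path "$WorkDir\exchange.pfx" -Encoding Byte -ReadCount 0))
    Enable-ExchangeCertificate -Server $s -Thumbprint $copy.Thumbprint -Services IIS,SMTP -Force
}

# 5. Confirm every server now has the same thumbprint bound to IIS.
foreach ($s in $Servers) {
    Get-ExchangeCertificate -Server $s |
        Where-Object { $_.Services.ToString() -match 'IIS' } |
        Format-Table @{n = 'Server'; e = { $s }}, Thumbprint, IsSelfSigned, NotAfter, CertificateDomains -AutoSize
}
```

Which CA issues the certificate decides who stops seeing the warning. A client only trusts what chains to a root in its own trusted-root store: domain-joined PCs pick up an internal Sub CA's root through Active Directory, so the in-office popup goes away with the Sub CA; home PCs and phones connecting from outside do not have that root, and for them a certificate from a public CA is the only option short of installing the root on each device. Delete the exchange.pfx file from the share once the other servers have imported it; it contains the private key.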
