Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Exchange certificate error/setup
OK, I am pretty new to exchange, and I hate certificates. Not a total newb but don't skip the obvious please. Additionally, I am picking up this system from old admins that left on bad terms.
The core problem is this. On setting up a new user on a new computer, I receive a certificate error. I can skip it and it will run through, but my users freak out, and I do not want to teach them to ignore these warnings, so I need to get it fixed.
The Error is
The certificate is
From this, it appears that the Mailserver.domain.com is using a self signed cert, and is also SHA1.
The environment is like this
The Root CA does not have a website I can download the root cert from (broken?)
The Sub CA does and appears to be working
There are a bunch of certificates on all 3 exchange mail servers, most all are self signed I THINK
Only listing the certs in the exchange MMC IIS console;
MailServer.domain.com
ex-mail1
exmail2
There ones listed in the web admin page are similar, only excluding the one that is expired.
There are so many, few to none match. No rhyme or reason.
I THINK I need to add a good cert from the Sub CA, and then remove the bad certs. But this is a production box, and I am worried about removing certs that haven't expired, bad past experiences.
I guess I am asking for some guidance in cleaning up this mess.
The core problem is this. On setting up a new user on a new computer, I receive a certificate error. I can skip it and it will run through, but my users freak out, and I do not want to teach them to ignore these warnings, so I need to get it fixed.
The Error is
The certificate is
From this, it appears that the Mailserver.domain.com is using a self signed cert, and is also SHA1.
The environment is like this
The Root CA does not have a website I can download the root cert from (broken?)
The Sub CA does and appears to be working
There are a bunch of certificates on all 3 exchange mail servers, most all are self signed I THINK
Only listing the certs in the exchange MMC IIS console;
MailServer.domain.com
ex-mail1exmail2There ones listed in the web admin page are similar, only excluding the one that is expired.
There are so many, few to none match. No rhyme or reason.
I THINK I need to add a good cert from the Sub CA, and then remove the bad certs. But this is a production box, and I am worried about removing certs that haven't expired, bad past experiences.
I guess I am asking for some guidance in cleaning up this mess.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
You can use your own CA. That's fine. Verisign is another one. Just make sure they are reputable and provide good instructions for installing the cert they sell you in Exchange.
Once you have a valid cert installed from the CA, your users will be able to access their email from outside of the office.
Also,
Do I need a separate cert for all three servers, a wildcard cert, or one cert with three names. What are the names? It appears that I need the servername(3), clustername(1), WMSVC (3), and autodiscovery(3). You can see where I am getting confused since there are so many :(
Do I need a separate cert for all three servers, a wildcard cert, or one cert with three names. What are the names? It appears that I need the servername(3), clustername(1), WMSVC (3), and autodiscovery(3). You can see where I am getting confused since there are so many :(
View the certificate when you see the popup and look at the cert to see if it is valid .. .also look at the certification path tab.
Are each one of those installed on each machine?
get-exchangecertificate -server XYZ | FT -auto
will show you which certificate (thumbprint) is assigned to Web (w) which is primarily the one we are dealing with here.
A cheap comodo certificate (with autodiscover.contoso.com and whateveryourOWA.contoso.co
I use: https://ssl2buy.com/
you need the UCC/SAN certificate
Are each one of those installed on each machine?
get-exchangecertificate -server XYZ | FT -auto
will show you which certificate (thumbprint) is assigned to Web (w) which is primarily the one we are dealing with here.
A cheap comodo certificate (with autodiscover.contoso.com and whateveryourOWA.contoso.co
I use: https://ssl2buy.com/
you need the UCC/SAN certificate
i certificate UCC/SAN
what version of Exchange
https://practical365.com/exchange-server/create-ssl-certificate-request-exchange-2013/
what version of Exchange
https://practical365.com/exchange-server/create-ssl-certificate-request-exchange-2013/
A CA by default is trusted by the world. That's why a CA is a Certificate Authority.
Run the above command I gave you, look at the results. In there you should see the SANs you need to have put in your cert.
If your CA isn't trusted by the world, then you need to find one that is. Verisign, GoDaddy, etc.
One cert installed on each server, you don't need one for each machine.
A wildcard cert will work but that can have its own configuration challenges.
Run the above command I gave you, look at the results. In there you should see the SANs you need to have put in your cert.
If your CA isn't trusted by the world, then you need to find one that is. Verisign, GoDaddy, etc.
One cert installed on each server, you don't need one for each machine.
A wildcard cert will work but that can have its own configuration challenges.
OK, I am ready to start pushing buttons, but I am nervous about this, as I have little xp with exchange. I have no fear of running the PS commands, but How can I "quiesce " one of the servers so as not to impact it? Also, how can I connect to 1 of them specifically to see if my fix works??
I called MS. I am getting a walk through. there are some problems with SHA1, Domain smart card, and the cert now needs to be public, not local. I will try and post my resolution at the end
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
So I called MS, and there was a LOT of command line and cert clean up, to much to mention. My one take away from this was that exchange certificates are at hart just IIS certs, attached to exchange services via command.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
You need a trusted cert from a CA.
The command you want to run is Get-ExchangeCertificate | fl > c:\cert\cert.txt
Make sure you have a folder called "cert" on your C drive.
Get the trusted cert, install it, and this should take care of your issues.
Be sure to get a SAN cert with the names you need...example....mail.ser
When you run the command I gave, you will be able to tell which ones are self-signed very easily.