exchange server 2010

Hi All

I am in the process of having Exchange 2003 and Exchange 2010 in coexistence. All configurations have been done. After testing connections I found the error below:
Your connection is not private ERR_CERT_AUTHORITY_INVALID
What do I have to do to get it to work?

We will use the following
outlook anywhere
exchange web services
active sync
outlook web app
ecp
owa directory

Do I have to buy a certificate? If so, which one? We will be adding a new domain to our Exchange server as well.

Appreciate any feedback.
Member_2_6474242Senior Systems AdministratorAsked:
viktor grantExchange ServersCommented:
Hi,

It is always better to buy a third-party certificate. Third-party certificates are more secure; all machines will trust them without needing to apply rules, GPO... more secure. They are "universally" accepted. Internal or self-signed certificates are created by their own root CA, but they will not be trusted.

https://technet.microsoft.com/en-us/library/mt441782(v=exchg.150).aspx

Cheers
1
Zaheer IqbalTechnical Assurance & ImplementationCommented:
The certificate error ERR_CERT_AUTHORITY_INVALID suggests that the Certificate Authority that issued your Exchange certificate does not exist (i.e. it is a self-signed certificate), was created by a trusted Certificate Authority but you do not have that Certificate Authority's root certificate installed in Windows if using IE, OR it is from a Certificate Authority that has had its root certificates revoked or the root certificate has expired.

The most likely of these is that it is a self-signed certificate generated by Exchange itself. If you intend to use OWA over the internet then you need to get a certificate from a trusted certificate authority.
Ensure you get a certificate suitable for Exchange use.
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
In simple, plain words:
If you have a valid certificate in 2003, then you just have to export it and import it in the 2013 server.
If you don't have it, you need to pay for one, like a wildcard from Namecheap for your domain for $99. You'd need to create the request from the server, then give it to the site (Namecheap, GoDaddy, whatever); it will then give you a certificate file that you are going to use to set the certificate as valid in your server (export it to 2003). Finally, enable services, reset IIS and set the certificate in IIS for your domain in the backend site; for some reason Exchange always has issues putting a new cert in the backend site.
1
RoninCommented:
You need a UCC SAN type certificate (multi-FQDN basically) and the request can be generated anywhere you like.
Why multi-FQDN? Because you would probably want people to connect to Exchange from the outside world; this would require autodiscover.domain.com on the cert, along with a generic mail server name, such as mail.domain.com.

Wildcard would also work.
1
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
You can also use https://LetsEncrypt.org as they've been offering free ones for years now.
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Where can I check in Exchange 2003 if I have a certificate which can be used in Exchange 2010?
0
RoninCommented:
1. Open a Command Prompt window.
2. Type mmc and press the ENTER key. Note that to view certificates in the local machine store, you must be in the Administrator role.
3. On the File menu, click Add/Remove Snap In.
4. Click Add.
5. In the Add Standalone Snap-in dialog box, select Certificates.
6. Click Add.
7. In the Certificates snap-in dialog box, select Computer account and click Next.
8. In the Select Computer dialog box, click Finish.
9. In the Add Standalone Snap-in dialog box, click Close.
10. On the Add/Remove Snap-in dialog box, click OK.
11. In the Console Root window, click Certificates (Local Computer) to view the certificate stores for the computer.

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Hi Jose you mentioned
if you have a valid certificate in 2003: then you just have to export it and import it in the 2013 server.

How can I check if I have one? If so, how can I put it on Exchange 2010?
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
Well, check your OWA address and check if you have certificate issues or not; use the public address. Then hit F12 and check the security of your browser.
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Hi All

I have put in an SSL certificate and I am unable to browse:
outlook anywhere
exchange web services
active sync
outlook web app
ecp
owa directory

The error says: Your connection is not private ERR_CERT_COMMON_NAME_INVALID
Any suggestions?
0
Zaheer IqbalTechnical Assurance & ImplementationCommented:
What does your certificate look like ?
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Hi Zaheer

Please explain what you mean. I don't get you.
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
Your error is that you haven't set the SSL correctly.
What steps did you follow?
0
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Take a screenshot of your cert. What is the certificate name, mail.domain.com?
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
mail.iss.school.fj
cert.docx
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Hi Jose, what are the correct steps to follow?
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
Well, the steps would be: first, make sure that all your entry points on Exchange have the public name (mail.iss.school.fj).

1. Matching the internal FQDN to the one in the certificate
  a. Local DNS changes
  If the local domain is "school.fj", then you need to clear any name using "iss" as a CNAME or anything, so you can define the zone (iss.school.fj) where you are putting an A entry to the server. (Sub-sub-domain.fj, which makes it more complicated than just sub.domain.fj.)

  b. Public DNS changes
  Create 1 A record to: mail.iss.school.fj in school.fj
  Create a CNAME record to autodiscover.iss.school.fj
  Not sure, because we don't know if you added autodiscover.iss.school.fj as a SAN (Subject Alternative Name), which is seen in the Certification Path tab in the "Subject Alternative Names" in your certificate.
  If it just has 1 name, you can use DNS SRV to make autodiscover work, and in the future 2019, make sure to buy a certificate with at least 2 validation names (autodiscover.domain.com and mail.domain.com).
  Make sure to have the MX into that domain.

  c. Create an autodiscover record to: autodiscover.iss.school.fj.

2. Run the script: https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b
  a. Option -get, to get the initial configuration of the whole infrastructure (all URLs, internal and external).
  b. -set -urlpath "https://mail.iss.school.fj": this will set everything for you, internal URLs and external.

3. Now just make sure that in IIS the internal and the external binding for port 443 is actually the same certificate in the front end and in the backend.

After all that you should be receiving and sending emails; now all that is left is to put in the SPF record:
https://www.spfwizard.net
And enable and install DKIM and DMARC records in public DNS.

And finally, test the DKIM, SPF and DMARC config:
http://www.appmaildev.com/en/dkim

If there is any firewall, it should be open and redirected to the local address of the Exchange server and the correct address
https://mail.iss.school.fj. Those are the steps I'd follow.

https://testconnectivity.microsoft.com

Make sure that all external access is always aimed at the newest version of Exchange in coexistence.
0
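One way to check, on the Exchange server itself, the two conditions behind the errors in this thread: whether the certificate chains to a trusted root (ERR_CERT_AUTHORITY_INVALID) and whether its names cover the host names clients use (ERR_CERT_COMMON_NAME_INVALID). This is an added example, not part of any participant's post; the two host names are the ones mentioned in the thread, `Test-NameMatch` is a hypothetical helper defined here, and the "DNS Name=" label assumes an English-language Windows.

```powershell
# Host names clients will use (taken from the thread; adjust to your own).
$required = @('mail.iss.school.fj', 'autodiscover.iss.school.fj')

# Hypothetical helper: does a certificate name (exact or wildcard) cover $name?
function Test-NameMatch([string]$pattern, [string]$name) {
    if ($pattern -eq $name) { return $true }        # -eq ignores case
    if ($pattern.StartsWith('*.')) {
        # A wildcard replaces exactly one left-most label, so
        # *.school.fj does NOT cover mail.iss.school.fj.
        $dot = $name.IndexOf('.')
        return ($dot -gt 0) -and ($name.Substring($dot + 1) -eq $pattern.Substring(2))
    }
    return $false
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect DNS entries from the Subject Alternative Name extension
    # (OID 2.5.29.17). The "DNS Name=" label is localized by Windows.
    $sans = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }
        $sans += @($ext.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() } })
    }
    # Required names that no SAN entry covers: the name-mismatch case.
    $missing = @($required | Where-Object {
        $n = $_
        -not ($sans | Where-Object { Test-NameMatch $_ $n })
    })
    # Can a path to a trusted root be built from this server's stores?
    # Revocation lookups are skipped so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        SANs         = $sans -join ', '
        MissingNames = $missing -join ', '
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
$report | Format-List
```

In the Exchange Management Shell, `Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, NotAfter` shows the same names along with the services each certificate is assigned to. The trust result reflects the server's root store; clients evaluate the chain against their own.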
Member_2_6474242Senior Systems AdministratorAuthor Commented:
thanks to all
0

Question has a verified solution.