Exchange server 2016 certificate

Actually, I have installed Exchange Server 2016 CU8, and an existing Exchange 2010 is available. After I tested some user mailbox migrations to 2016, it prompts with a certificate issue:
"The name on the security certificate is invalid or does not match the name of the site."
It even prompts several times. This error is prompted several times.
I had exported both the internal and public wildcard certificates from Exchange 2010 and imported them into Exchange 2016. It shows an error. What can be done?
Binod Maharjan, Microsoft Support Officer, asked:

systechadmin, Consultant, commented:
Well, for Exchange the recommended external certificate is a SAN certificate. The included domain names should be:

Mail.domain.com - exch 2016 (owa)
legacy.domain.com - exch 2010 (owa)
autodiscover.domain.com
casarray.domain.com in case of exch2010


Your certificate should be generated from Exchange 2016.

No need to assign internal certificates.
0
timgreen7077, Exchange Engineer, commented:
A wildcard cert isn't recommended for Exchange. A UCC SAN cert is recommended, with the namespace you require for autodiscover and OWA.
0
Binod Maharjan, Microsoft Support Officer (author), commented:
Yes, I understand Exchange Server 2016 recommends a SAN certificate, but the organization has used a wildcard and renewed it just 2 months ago.
So I am wondering whether there is a solution for this with the wildcard certificate.
0

timgreen7077, Exchange Engineer, commented:
What's the SAN alternate name on the wildcard cert? The common name is *.domain.com, so the SAN alternate should be the name that your Outlook clients are attempting to connect to, such as mail.domain.com. I have never used a wildcard cert for Exchange, but other than the common name I would think the SAN name would need to be the namespace you are using for client connectivity.
0
MAS (MVE), EE Solution Guide, commented:
Your exported certificate from Exchange 2010 would be enough if you have 2 names.
You need only 2 names in your certificate, i.e. autodiscover.emaildomain.com and commonname.emaildomain.com.
Your A records (autodiscover.emaildomain.com and commonname.emaildomain.com) should point to Exchange 2016. Exchange 2016 will do the proxying/redirecting to Exchange 2010.
Exchange 2010 uses a different protocol, and once a client is connected it will not use Exchange 2010 for client connectivity.
Please check this article. This should fix your outlook certificate error.
https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-certificate-and-related-issues.html
You can use this if you want to regenerate/rekey certificate easily.
https://www.experts-exchange.com/articles/28662/Easy-CSR-creation-Exchange-2007-2010-and-2013.html
For OWA you will use the same URL of Exchange2016 and Exchange is responsible to redirect/proxy to Exchange2010.
CAS Array name/FQDN (Exchange2010) should not be included in the certificate.
Hope this will clear your doubts and clear your certificate error.

Thanks
MAS
2
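The name check discussed in this thread, as an added example that is not part of any participant's post: it lists every host name the Exchange 2016 server publishes to clients and reports whether the certificate's names (exact or wildcard) cover it. The function name `Test-CertName` is hypothetical, and the script assumes the IIS-assigned certificate with the latest expiry is the one clients are served.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2016 server.
# Assumption: the IIS-assigned certificate with the latest expiry is the one in use.

function Test-CertName {
    # True when $HostName is covered by one of $CertNames.
    # A wildcard (*.domain.com) covers exactly one label: mail.domain.com matches,
    # a.b.domain.com and domain.com do not.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }      # -eq ignores case
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)               # ".domain.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$server = $env:COMPUTERNAME
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Collect every URL this server hands out to clients (Autodiscover SCP + virtual directories).
$urls = @((Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri)
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-MapiVirtualDirectory', 'Get-ActiveSyncVirtualDirectory') {
    $urls += & $cmd -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
}

# Outlook Anywhere publishes bare host names rather than URLs.
$oa = Get-OutlookAnywhere -Server $server
$hosts = @($oa.InternalHostname, $oa.ExternalHostname)
$hosts += $urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host }

# One row per distinct host name; CoveredByCert = False is a name Outlook will warn about.
$hosts | ForEach-Object { "$_" } | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{
        HostName      = $_
        CoveredByCert = (Test-CertName -HostName $_ -CertNames $certNames)
    }
}
```

A row with `CoveredByCert` set to False, typically the server's internal FQDN left in a default URL, is a name that neither a `*.domain.com` wildcard nor a two-name SAN certificate will satisfy.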

MAS (MVE), EE Solution Guide, commented:
@Gaurav Sign
--> i.e. legacy.domain.com - exch 2010 (owa)
The legacy name is used only when migrating from Exchange 2007 to later versions. Exchange 2010 and 2013 don't require a legacy name/URL, as Exchange 2013/2016 will proxy the request to Exchange 2010.
https://blogs.technet.microsoft.com/exchange/2015/10/26/client-connectivity-in-an-exchange-2016-coexistence-environment-with-exchange-2010/


--> casarray.domain.com in case of exch2010
The CAS array name is not required in the certificate.
https://blogs.technet.microsoft.com/exchange/2012/03/23/demystifying-the-cas-array-object-part-1/

--> your certificate should be generated from exch2016
You can use any issued certificate which has the common name and autodiscover. An Exchange 2010 certificate can be used in Exchange 2016 and vice versa.

Please correct me if I am wrong.

Thanks
MAS
1
systechadmin, Consultant, commented:
MAS, you are right. I went off in another direction, thinking about the migration scenario.
1
MAS (MVE), EE Solution Guide, commented:
Gaurav,
Thanks for being on board.

MAS
0
Question has a verified solution.