Checktls.com fails on cert check Exchange 2010 SP2 RU23 with TLS

I have a single Exchange 2010 SP3 with RU23 installed. All the roles are running on the 1 server. I have enabled TLS 1.2 and used IIS Crypto 2.0 and set best practices. A Qualys SSL Labs scan gives an A rating. However checktls.com fails on the cert test. The Exchange server has 2 certs: the default self-signed and a public UCC SAN from GoDaddy. The checktls.com test is only seeing the default cert and is failing because it does not match the public name. Here is the piece of the checktls output:

 Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate
  This may help: What Is An Intermediate Certificate
  So email is encrypted but the recipient domain is not verified
  Cert Hostname DOES NOT VERIFY (webmail.domain.org != Exchsrvr | DNS:Exchsrvr | DNS:Exchsrvr.domain.local)
  So email is encrypted but the host is not verified

The default exchange cert has SMTP service assigned and the Public Cert has IMAP,POP,IIS,SMTP services assigned.

The company that is requiring Forced TLS says email cannot go forward until this checktls cert error is resolved.

How do I resolve this issue?
Asked by Sam Martin
timgreen7077 (Exchange Engineer) commented:
That checktls test really shouldn't have any bearing on whether emails are encrypted or not. If that company wants forced encryption, you can set up a send connector for that company's domain and force encryption so that all emails going to that company will be forced encryption. Exchange will always send encrypted if the recipient accepts encrypted emails. It kills me how companies try to require one company to do this, but again, you can force encryption and verify the email was sent via TLS. Is your namespace found on the 3rd-party cert and also on the virtual directories on your Exchange servers?
Sam Martin (Author) commented:
I removed the check on the Permission tab of the Default SERVERNAME receive connector for Anonymous and then set the IPv4 range to my local network. Next I created a new receive connector, set the FQDN to the MX record name, which matches the 3rd-party certificate's common name, enabled it for Anonymous in the permission group and set the network to All Available IPv4. Now checktls.com gets the correct certificate and can verify the certificate host name and create a TLS connection using the correct certificate.
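The same fix, scripted for the Exchange 2010 Management Shell, as an added example that is not part of the original thread. The server name (EXCHSRVR), the public MX/certificate name (mail.domain.org) and the LAN range (192.168.1.0/24) are assumptions; substitute your own. It narrows the default connector first, because Exchange rejects a second connector with an identical binding and remote IP range, then adds an Internet-facing connector whose FQDN matches the GoDaddy certificate, and finally lists which SMTP-enabled certificate each connector's FQDN resolves to, so a mismatch like the one checktls reported is visible before re-testing.

```powershell
# Added example, not code from the original post. Assumed names:
#   $server     - the single Exchange 2010 server
#   $publicFqdn - the MX name, which must appear on the GoDaddy UCC SAN cert
#   $lanRange   - internal network that keeps using the default connector
# Run inside the Exchange Management Shell (PowerShell 2.0 on Exchange 2010).

$server     = 'EXCHSRVR'
$publicFqdn = 'mail.domain.org'
$lanRange   = '192.168.1.0/24'

function Get-CertDomains($cert) {
    # CertificateDomains holds SmtpDomain objects; compare them as strings
    $cert.CertificateDomains | ForEach-Object { $_.ToString() }
}

# 1. Locate the third-party certificate that covers the public name and make sure
#    SMTP is one of the services it is enabled for.
$publicCert = Get-ExchangeCertificate -Server $server |
    Where-Object { -not $_.IsSelfSigned -and ((Get-CertDomains $_) -contains $publicFqdn) } |
    Select-Object -First 1
if (-not $publicCert) { throw "No third-party certificate on $server lists $publicFqdn" }
if ($publicCert.Services -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $publicCert.Thumbprint -Services SMTP
}

# 2. Restrict the default connector to the LAN and drop Anonymous, so it no longer
#    answers Internet senders with the self-signed certificate. Do not change its
#    FQDN: intra-org Exchange authentication depends on it.
Set-ReceiveConnector -Identity "$server\Default $server" `
    -RemoteIPRanges $lanRange `
    -PermissionGroups ExchangeUsers,ExchangeServers,ExchangeLegacyServers

# 3. Internet-facing connector. Exchange chooses the STARTTLS certificate by
#    matching this FQDN against the domains on SMTP-enabled certificates.
New-ReceiveConnector -Name 'Internet Inbound' -Server $server -Usage Internet `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '0.0.0.0-255.255.255.255' `
    -Fqdn $publicFqdn -PermissionGroups AnonymousUsers

# 4. Report the certificate each connector's FQDN maps to.
$smtpCerts = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'SMTP' }
Get-ReceiveConnector -Server $server | ForEach-Object {
    $fqdn  = $_.Fqdn.ToString()
    $match = $smtpCerts | Where-Object { (Get-CertDomains $_) -contains $fqdn } | Select-Object -First 1
    New-Object PSObject -Property @{
        Connector   = $_.Name
        Fqdn        = $fqdn
        RemoteRange = ($_.RemoteIPRanges -join ',')
        Thumbprint  = if ($match) { $match.Thumbprint } else { '(no SMTP cert matches this FQDN)' }
        SelfSigned  = if ($match) { $match.IsSelfSigned } else { $null }
    }
} | Format-Table Connector, Fqdn, RemoteRange, SelfSigned, Thumbprint -AutoSize
```

Two caveats a practitioner will want. The other error in the checktls output, "unable to get local issuer certificate", is a chain problem rather than a name problem: the GoDaddy intermediate has to be present in the Local Computer Intermediate Certification Authorities store so the server sends it during the handshake, and the connector change alone does not fix that. Second, verify from outside rather than trusting the table: `openssl s_client -starttls smtp -connect mail.domain.org:25` shows the subject and the chain actually presented on port 25.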
