Sam Martin asked:

Checktls.com fails on cert check Exchange 2010 SP2 RU23 with TLS

I have a single Exchange 2010 SP3 server with RU23 installed. All the roles are running on the one server. I have enabled TLS 1.2 and used IIS Crypto 2.0 and set best practices. A Qualys SSL Labs scan gives an A rating. However, checktls.com fails on the cert test. The Exchange server has 2 certs: the default self-signed one and a public UCC SAN cert from GoDaddy. The checktls.com test is only seeing the default cert and is failing because it does not match the public name. Here is the piece of the checktls output:

 Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate
  This may help: What Is An Intermediate Certificate
  So email is encrypted but the recipient domain is not verified
  Cert Hostname DOES NOT VERIFY (webmail.domain.org != Exchsrvr | DNS:Exchsrvr | DNS:Exchsrvr.domain.local)
  So email is encrypted but the host is not verified

The default Exchange cert has the SMTP service assigned and the public cert has the IMAP, POP, IIS and SMTP services assigned.

The company that is requiring Forced TLS says email cannot go forward until this checktls cert error is resolved.

How do I resolve this issue?
timgreen7077

That checktls test really shouldn't have any bearing on whether emails are encrypted or not. If that company wants forced encryption, you can set up a send connector for that company's domain and force encryption, so that all emails going to that company will be forced to use encryption. Exchange will always send encrypted if the recipient accepts encrypted emails. It kills me how companies try to require one company to do this, but again, you can force encryption and verify the email was sent via TLS. Is your namespace found on the 3rd-party cert and also on the virtual directories on your Exchange servers?
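
Added example, not part of either post above: a Python sketch of the hostname check that the checktls output reports, applied to the certificate a server presents on SMTP after STARTTLS. The function names are illustrative, and the two sample certificate dictionaries are constructed from the names shown in the checktls output in the question.

```python
import smtplib
import ssl

def cert_names(cert):
    """DNS names from an ssl getpeercert() dict: SANs, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole first label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def host_verifies(cert, expected):
    """Return (ok, names), mirroring the 'Cert Hostname' line of the report."""
    names = cert_names(cert)
    return any(name_matches(n, expected) for n in names), names

def check_smtp_starttls(mx_host, port=25, timeout=15):
    """Live check: validate the cert the server presents after STARTTLS.

    Returns (True, names) or (False, OpenSSL's verification message).
    """
    ctx = ssl.create_default_context()  # chain and hostname checks enabled
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            return False, exc.verify_message
        return True, cert_names(smtp.sock.getpeercert())

# Constructed sample: names taken from the checktls output in the question.
DEFAULT_CERT = {
    "subject": ((("commonName", "Exchsrvr"),),),
    "subjectAltName": (("DNS", "Exchsrvr"), ("DNS", "Exchsrvr.domain.local")),
}
# Constructed sample: a certificate that does carry the public name.
PUBLIC_CERT = {"subjectAltName": (("DNS", "webmail.domain.org"),)}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("public", PUBLIC_CERT)):
        print(label, host_verifies(cert, "webmail.domain.org"))
```

`check_smtp_starttls` needs network access to port 25 on the host the MX record points at; the offline samples show why the default certificate fails the name check while one listing the public name passes.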