<div>
Yes, basically adding the new self signed did nothing.<br />
You need to make sure the IIS and SMTP services are on the New 3rd party certificate.<br />
<br />
And you just need to make sure that the internal Entry points (SCPs are the same and match your name in OWA).<br />
How should you do this?<br />
Well, you can go to the site and do one by one or just run a script to solve this:<br />
<br />
1st Use the script with the option -get<br />
<a href="https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b" rel="ugc nofollow">https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b</a><br />
<br />
2nd use it with the Option -set -urlpath &quot;https://owa.domain.com&quot;<br />
<br />
This was part of the job that the person with the 3rd party certificate install does.
</div>


<div>
Thanks! Where do I set the -set -urlpath? For clarification: if I go to <a href="https://webmail.contoso.nl/owa" rel="ugc">https://webmail.contoso.nl/owa</a>&nbsp;from the internet it works. But the clients that have outlook internally get a error that the certificate is nog valid. When I view this certificate it's the third party certificate that we used for the external URL webmail.contoso.nl/owa. But that must be changed to the internal self signed certificate that I created.
</div>


<div>
<pre><code class="code-1 nolinks" id="code-20-42716584-1"><span>Get-ExchangeCertificate | fl Issuer,CertificateDomains</span>
<span>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri</span>
<span>Get-OabVirtualDirectory |  fl Server,Identity,internalurl,externalurl</span>
<span>Get-WebServicesVirtualDirectory | fl Server,Identity,internalurl,externalurl</span>
</code></pre>
</div>


<div>
have you enabled self signed certificate with ISS ,SMTP,IMAP ..etc ?
</div>


<div>
Also, an exchngrcertificate has to have the corresponding SAN. &nbsp;When viewing the certificate do check SAN (subject alternative names) details .
</div>


<div>
To be clear, the only way to use a self signed cert is to import the issuer chain into every tool you use.<br />
<br />
Or to serve the issuing cert via a specific URL. You'll have to lookup how to do this.<br />
<br />
Far easier, use <a href="https://LetsEncrypt.org" rel="ugc"><u>https://LetsEncrypt.org</u></a> certs as all tools (browser, mail clients, etc...) contain the LE issuer chain as a valid cert issuing authority.<br />
<br />
Use LE cert + your problems will either simplify or completely resolve.
</div>


<div>
Well <br />
if you have <br />
DomA.com<br />
and <br />
DomB.com<br />
<br />
you need just 2 SAN for each<br />
for DomA: (autodiscover.DomA.com and webmail.DomA.com)<br />
and for DomB (autodiscover.DomB.com and webmail.DomB.com)<br />
<br />
So the registry would be any of those 2.<br />
Autodiscover.domA.com (Internally) to resolve to the ip of the server<br />
and you can create a webmail on domA.com as a Cname or another A record to Autodiscover (or vice-versa, create the webmail, and then create the Cname record to webmail, this is the approach I always Use).<br />
<br />
If you just have one wildcard certificate, then you would need to use the SRV method.<br />
<br />
Abut the PowerShell script, to run the script: open an elevated PS console (how? open windows start menu on the server, then exchange PowerShell console, right click open as administrative privileges), then run<br />

<pre><code class="code-1 nolinks" id="code-20-42716656-1"><span>set-executionpolicy unrestricted</span>
</code></pre>
then accept the message<br />
<br />
you can close that console and open a regular one<br />
Navigate where you saved your script using cd<br />

<pre><code class="code-1 nolinks" id="code-20-42716656-2"><span>cd C:\users\me\Downloads</span>
<span>#and run it</span>
<span>.\SetScp.ps1 -GET</span>
<span>#the parameter is what goes after the name of the script.</span>
<span>#on the SET parameter would be:</span>
<span>.\SetScp.ps1 -set -urlpath &quot;https://webmail.contoso.nl/owa&quot;</span>
</code></pre>
<br />
We aren't clear in what is your environment, what you have and what do you want to do.
</div>


<div>
your autodiscover URL should be the .nl address, not .local<br />
that is why you get a certificate error<br />
change that autodiscover address to match the external address and that will fix it<br />
you can't use .local externally, so .nl should be used for both and match the name used in the certificate
</div>


<div>
I already tried that without any luck. The problem is that I have external domain certificate for webmail.delmo.nl. Because it's a domain certificate I can only use this url. So the autodiscover must use a internal self signed certificate. But the problem now is when I start Outlook locally it points to the external certificate but must be pointing tot the internal self signed certificate that I have created.
</div>


<div>
Also, the strange thing is that the AutoDiscoverServiceUri stays empty if I change it:<br />
<br />
<a href="https://filedb.experts-exchange.com/incoming/2018/10_w43/1396719/Knipsel.PNG" target="_blank" title="Knipsel.PNG (17 KB)"><img alt="Knipsel.PNG" class="file-block lazyload" style="max-width: 800px;" data-src="https://filedb.experts-exchange.com/incoming/2018/10_w43/800_1396719/Knipsel.PNG" /></a>
</div>


Knipsel.PNG

<div>
Hi Emiel Zwart,<br />
Please check this article to fix the certificate error. If not fixed please let me know.<br />
<a href="https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html?headerLink=workspace_article" rel="ugc">https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html?headerLink=workspace_article</a>
</div>


Service Manager

Engineer

Emiel Zwart

<div>
InternalUrl Look like this &nbsp;: <a href="https://leexchange.deleede.local" rel="ugc">https://leexchange.deleede.local</a><br />
ExternalUrl Look Like this : <a href="https://webmail.delmo.nl" rel="ugc">https://webmail.delmo.nl</a><br />
<br />
so AutoDiscoverService should look like this : &nbsp;s<a href="https://webmail.delmo.nl/autodiscover/autodiscover.xml" rel="ugc">https://webmail.delmo.nl/autodiscover/autodiscover.xml</a>
</div>


<div>
Everything works. Looks like I'v had to put a scope definition after the command set-clientaccesserver. Thanks for the effort!
</div>


<div>
<div class="content wysiwyg-content">
We have Exchange 2010 server and someone has installed a third party certificate on the exchange server so we have a legit webmail url (owa). This works without any problems but the internal users now have &nbsp;the problem that when outlook starts they get a certificate error message that the certificate is not trusted. And if they click on 'view certificate' they see the third party certificate. So it looks like all the services are assigned to that third party certificate.<br />
<br />
So I have created a new self signed exchange certificate and moved the services SMTP, IMAP &amp;&nbsp;POP and rebooted the server. But the clients are still getting this error. Do I missing something?
</div>
</div>


We have Exchange 2010 server and someone has installed a third party certificate on the exchange server so we have a legit webmail url (owa). This works without any problems but the internal users now have  the problem that when outlook starts they get a certificate error message that the certificate is not trusted. And if they click on 'view certificate' they see the third party certificate. So it looks like all the services are assigned to that third party certificate.

So I have created a new self signed exchange certificate and moved the services SMTP, IMAP & POP and rebooted the server. But the clients are still getting this error. Do I missing something?

Certificate Error when Outlook starts

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.