Damian Gardner asked:
Need help adding an FQDN to a security certificate.

Need help identifying WHICH certificate is causing the Outlook certificate error "Name on the security certificate is invalid or does not match the name of the site" - and then how to add our Exchange server's FQDN to it, so it's no longer invalid.

So the name that is causing the error in Outlook is the FQDN of our Exchange server, which is "exchange.lacoinc1.local" - that's what is named at the top of the certificate error. So where is the certificate that I need to add this FQDN to?

I read that the fix is the following:

"• Add the domain.com to your Public Facing Website's certificate. That way, Outlook makes a successful connection to https://domain.com, determines it's not Exchange, and will fall back to attempting autodiscover via https://autodiscover.domain.com. (Preferred Option for obvious secure reason)

Thank you!
ASKER CERTIFIED SOLUTION
Mahesh
Sembee has done some excellent work on Exchange, but there are still some things you'll need to figure out for yourself.

My guess is you are using the default self-signed certificate that comes with Exchange. I am also assuming that you probably don't want to buy a third party certificate, or you probably didn't know you needed it.

So, assuming no third-party SSL:

  1. You'll still need an internal Certificate Authority (CA) - not installed by default on Windows Server: you need this to generate your own certificates for internal use, if you can't buy a third-party one.
  2. DNS - installed by default if the process installing AD doesn't find one: you probably need to add your external domain (e.g. .com) to your DNS in addition to your .local domain.
  3. Latest .NET Framework, I believe this is 4.72 as I'm writing: this allows your Exchange to use the new TLS cipher suites and protocols (TLS 1.1, 1.2), otherwise you'll still get issues with the latest browser versions of Mozilla, Firefox, Edge etc. refusing to connect and popping security warnings/errors; it may also affect the latest versions of Outlook.
  4. Latest Rollup for Exchange (I'm assuming you are on 2013/2016): latest versions require the above .NET (if you haven't installed this then you'll need to upgrade: 2013 should be at cumulative update 21, 2016: cumulative update 11).

The other thing is that your certificates need to be at least SHA-2 compliant, otherwise modern browsers won't connect; I also suspect the latest versions of Outlook too. So, your CA should issue at least SHA-2 too.

Your client access URLs and autodiscover internal URI can be configured/should be configured with the external email domain name, which should be the same as the accepted domain.

Follow the above and all your SSL errors should disappear.
You may be right, but the OP needs to confirm.
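The procedure above hinges on one question the original poster asked: which certificate is Outlook actually seeing, and which of the names it is handed are missing from it. The following script answers that from the Exchange Management Shell. It is an added example, not code from this thread or from Microsoft; it assumes the Exchange 2010-2016 cmdlets shown, the `example.com` names and `C:\Temp` paths are placeholders, and the wildcard-matching helper `Test-NameCovered` is this example's own.

```powershell
# Added example (not from this thread). Run in the Exchange Management Shell.
# Assumes Exchange 2010-2016 cmdlets; example.com names and C:\Temp paths are placeholders.

function Test-NameCovered {
    # True if $HostName equals one of the certificate's names, or is covered by a
    # wildcard name (*.example.com covers mail.example.com, not a.b.example.com).
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $HostName -ilike $name -and
            $HostName.Split('.').Count -eq $name.Split('.').Count) { return $true }
    }
    return $false
}

# 1. The certificate Outlook sees is the one enabled for the IIS service.
$iisCert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw 'No certificate is enabled for IIS on this server.' }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
"IIS certificate $($iisCert.Thumbprint)`n  Subject: $($iisCert.Subject)`n  Names:   $($certNames -join ', ')"

# 2. Every host name Outlook can be handed via the Autodiscover SCP and the virtual directories.
$uris = @()
foreach ($cas in Get-ClientAccessServer) { $uris += $cas.AutoDiscoverServiceInternalUri }
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                 'Get-ActiveSyncVirtualDirectory') {
    foreach ($vd in @(& $cmd)) { $uris += $vd.InternalUrl; $uris += $vd.ExternalUrl }
}
$hosts = $uris | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique

# 3. Any name reported NOT ON CERT produces the "name on the security certificate
#    is invalid or does not match the name of the site" warning in Outlook.
foreach ($h in $hosts) {
    $status = if (Test-NameCovered -HostName $h -CertNames $certNames) { 'OK' } else { 'NOT ON CERT' }
    '{0,-12} {1}' -f $status, $h
}

# 4. Remediation: either point the URLs at names the certificate already has, or
#    reissue the certificate with every name from step 3. Public CAs no longer issue
#    .local names, so a .local name can only come from an internal CA.
# $req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
#            -SubjectName 'CN=mail.example.com' -DomainName $hosts
# $req | Set-Content -Path C:\Temp\exchange.req        # submit this to the CA
# Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path C:\Temp\signed.cer -Encoding Byte -ReadCount 0))
# Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services IIS,SMTP
# Set-ClientAccessServer -Identity <server> -AutoDiscoverServiceInternalUri `
#     https://autodiscover.example.com/Autodiscover/Autodiscover.xml
```

Step 3 is the diagnostic the question asked for: if `exchange.lacoinc1.local` shows up as NOT ON CERT, that is the name Outlook is complaining about, and step 4 is the choice between renaming the URLs to the public domain (the route the answer above recommends) and reissuing the certificate to include the name.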
Damian Gardner (ASKER)

Mahesh / Joseph - thank you for your help. Yes, we are still on the older Exchange 2010 (about to upgrade to Exchange Online in the next few months), and are in the process as we speak of upgrading 2010 Outlooks to 2016. All the errors are happening in old 2010 clients, however. I will read through the Sembee article, then add the steps Joseph has suggested, and reply back soon. Thank you!