none
Certificate Error, cannot verify from

    Question

  • My current server setup:

         CA1 - Windows Certificate Authority Server (domain member)

         Mbx1 - Mailbox server 1 (member DAG)

         Mbx2 - Mailbox server 2 (member DAG)

         HubCAS1 - Hub transport and CAS server 1 (member cas-array)

         HubCAS2 - Hub transport and CAS server 2 (member cas-array)

         Edg1 - Edge server

         DC1 - Schema/Domain Naming (domain controller)

         DC2 - RID/PDC (domain controller)

         DC3 - Infrastructure Master (domain controller)

    Problem:

    I'm trying to setup a Certificate in my exchange 2010. I setup my local certificate authority server in CA1 then created a new certificate from HubCAS1. When i'm trying to "Complete Pending Request" i received this error: “The certificate is invalid for exchange server usage”. Where did i go wrong? Is it on my CA server or Exchange Server? I followed the below instructions but failed.

    http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010

    http://exchangeserverpro.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority

    Please help. Thanks!

    Friday, February 24, 2012 11:10 AM

Answers

All replies

  • Exchange 2010 requires a Subject Alternative Names type of certificate and it's best that you obtain one from a well known certificate authority like godaddy, verisign, network solutions, and a few others if you plan to deploy ActiveSync, OWA, Outlook Anywhere to users.

    http://technet.microsoft.com/en-us/library/dd351044.aspx


    -Hieu

    Friday, February 24, 2012 6:53 PM
  • What do you want use the cert for?

    I'd normally recommend a 3rd party SAN cert with the correct names.

    mail.company.com

    autodiscover.company.com

    Some services wont work like OA/EAS.

    Your error seems to be related to the cert, try and import into the intermediate certificate authority on the Exch server.


    Sukh

    Friday, February 24, 2012 7:26 PM
  • if  you are just doing this to test. you can use the internal CA like you have setup there is a good chance you do not have the correct template setup or you do not have something right on the CA. the error you are indicating usually means you selected the wrong type of cert when creating it on the CA.

    Mitch Roberson MCM Exchange 2010|MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003

    Friday, February 24, 2012 7:56 PM
  • Thanks Hieu, Sukh & Mitch:

    I'm just planning to use a local certificate to get rid of the certificate error that is popping on Outlook 2010. 3rd party SANs is not an option for us. Not sure why exchange 2010 cannot verify the certificate i created from the CA server that we have. Any suggestions?

    Sunday, February 26, 2012 9:54 AM
  • try and import into the intermediatecertificate authority on the Exch server.

    Sukh

    Sunday, February 26, 2012 6:37 PM
  • Exchange 2010 requires a Subject Alternative Names type of certificate

    A SAN certificate is only required if you plan to use the same certificate for multiple hostnames. Some customers choose to use different certificates and separate webpages for things like Autodiscover, OWA, Outlook Anywhere.

    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003
    MCTS: Win Server 2008 AD, Configuration MCTS: Win Server 2008 Network Infrastructure, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server

    NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, February 27, 2012 1:25 AM
  • Rommel:

    As Mitch said:

    ".. there is a good chance you do not have the correct template setup or you do not have something right on the CA ... "

    Which template did you use?

    There's templates for EFS, for code signing, for web servers, etc..

    I've always used 3rd party certs so I'm curious myself as to what the proper template would be to create a "in-house" cert for Exchange.

    I suppose "Server" would be a good candidate.

    Monday, February 27, 2012 1:50 AM