SSL Certificate

  • Question

  • I installed an SSL Certificate on my Exchange 2007 server.  I included the IIS and SMTP services when I installed it using the Import-ExchangeCertificate and Enable-ExchangeCertificate commands.  Now I get a certificate error when my users are in Outlook on my network.

    The security certificate is from a trusted certifying authority

    The security certificate date is valid.

    The name on the security certificate is invalid or does not match the name of the site.

    How can I remove the new SSL certificate from the SMTP service and use the one generated when I installed Exchange 2007?

     


    PDC
    Thursday, April 15, 2010 1:45 PM

All replies

  • Is this what you are seeing?:
    http://support.microsoft.com/kb/940726

    Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"

    Thursday, April 15, 2010 1:50 PM
  • I ran all of the commands and the issue is still occurring.  Do I need to reboot the Exchange server?
    PDC
    Thursday, April 15, 2010 2:42 PM
  • I ran the commands in the article you suggested and the problem is still occurring.
    PDC
    Thursday, April 15, 2010 4:53 PM
  • What URL isn't matching?

    Test Email autoconfiguration following the steps here:

    http://msexchangeteam.com/archive/2007/03/05/436656.aspx

    Then look at the results and find the URL that doesn't match the FQDN on the cert.

    Thursday, April 15, 2010 5:32 PM
  • I found that when I change:

    Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri https://webmail.mycompany.com/autodiscover/autodiscover.xml

    The issue disappears, but when I run the "Test Email Autoconfiguration" utility it fails.  I replace CAS1 with my local server name (dpserver03).  I replace webmail.mycompany.com with wm.pdcarea.com, which is the certificate I installed.  Any help is appreciated. 


    PDC
    Thursday, April 15, 2010 8:44 PM
  • Do the necessary URLs exist in the DNS your client is using and point to the client access server? (wm.pdcarea.com?)

    Also, as an extra check, run ExBpa against the server.

    Thursday, April 15, 2010 11:33 PM
  • I added wm.pdcarea.com into the DNS server, and the error started again.
    PDC
    Friday, April 16, 2010 1:10 AM
  • And are the URLs set correctly per that KB article?

    Everything has to match. The URLs defined in AD and the FQDN defined on the certificate you applied to the Client Access Server.

    I would walk through that article again and confirm all the settings are correct.

    Friday, April 16, 2010 2:12 AM
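
Added example, not part of the thread or of the linked KB article: a read-only check, for the Exchange Management Shell, that lists the internal Autodiscover, EWS and OAB URLs and flags any whose host name is not on the certificate enabled for IIS. The `$Server` value and the `Test-CertName` helper are assumptions made for illustration.

```powershell
# Added example; run in the Exchange Management Shell on the Client Access Server.
$Server = 'dpserver03'   # server name taken from the thread; replace with yours

# Certificate currently enabled for IIS and the names it is valid for.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Hypothetical helper: is $HostName covered by one of the certificate names?
function Test-CertName([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }   # -eq ignores case
        # A wildcard entry (*.example.com) covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            ($HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1))) {
            return $true
        }
    }
    return $false
}

# URLs that Autodiscover hands to internal Outlook 2007 clients.
$settings = @{}
$settings['Autodiscover SCP'] = (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server |
    ForEach-Object { $settings["EWS internal ($($_.Name))"] = $_.InternalUrl }
Get-OabVirtualDirectory -Server $Server |
    ForEach-Object { $settings["OAB internal ($($_.Name))"] = $_.InternalUrl }

"Certificate $($cert.Thumbprint) covers: " + [string]::Join(', ', $certNames)
foreach ($key in $settings.Keys) {
    $url = "$($settings[$key])"
    if (-not $url) { continue }                  # setting not configured
    $urlHost = ([System.Uri]$url).Host
    $status = 'MISMATCH'
    if (Test-CertName $urlHost $certNames) { $status = 'OK' }
    '{0,-9} {1,-35} {2}' -f $status, $key, $url
}
```

Each `MISMATCH` line is a URL whose host name Outlook will report as not matching the certificate; either that URL or the set of names on the certificate has to change.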
  • When I point all the URLs to the internal computer name of the server it attempts to open the wm.pdcarea.com SSL certificate.  It is the AutoDiscover URL that is causing the issue.  The "Test Email Autoconfiguration" utility confirms that the URLs are correct.  I'm guessing that when I installed the wm.pdcarea.com SSL it overwrote the dpserver03 certificate generated by Exchange.  I don't know how to rectify this situation.
    PDC
    Friday, April 16, 2010 4:54 PM
  • Correct, when you used enable-exchangecertificate, it applied the cert to the services you listed. You can always undo that by enabling the services against the other cert, though I'm still not quite clear why this isn't working for you and which cert you want to use.
    Friday, April 16, 2010 5:00 PM
  • I want to use the wm.pdcarea.com cert for Internet web mail access to the Exchange 2007 server.
    PDC
    Friday, April 16, 2010 5:07 PM
  • Will internal Outlook users connect to that FQDN as well? Or another URL? Does this certificate have multiple names (i.e. a SAN/UCC certificate) or only wm.pdcarea.com?

     

    http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

    http://msexchangeteam.com/archive/2007/04/30/438249.aspx

    Exchange 2007 Autodiscover and certificates

     

    http://msexchangeteam.com/archive/2007/02/19/435472.aspx

    Exchange 2007 lessons learned - generating a certificate with a 3rd party CA

     

     

    Friday, April 16, 2010 8:34 PM
  • No, internal Outlook users will not connect to wm.pdcarea.com.  Internal users can use https://dpserver03/owa which works now.  Only Internet OWA users will use wm.pdcarea.com.  It is not a UCC cert.
    PDC
    Friday, April 16, 2010 9:24 PM
  • Sounds like you need a UCC cert or use the single name cert and take a look at this article to make it work for you:

    http://www.amset.info/exchange/singlenamessl.asp

    Exchange 2007 Single Name SSL Certificate

    • Proposed as answer by Elvis Wei Monday, April 19, 2010 7:08 AM
    • Marked as answer by Elvis Wei Wednesday, April 21, 2010 1:49 AM
    Friday, April 16, 2010 10:45 PM
  • Hi,

    I agree with Andy. In a real-world scenario, we suggest you use a SAN certificate.

    More on Exchange 2007 and certificates - with real world scenario

    http://msexchangeteam.com/archive/2007/07/02/445698.aspx

    Thanks,

    Elvis

    • Marked as answer by Elvis Wei Wednesday, April 21, 2010 1:49 AM
    Monday, April 19, 2010 7:08 AM
  • Thanks for everyone's help.  I purchased a SAN certificate and everything is working properly.  I only enabled the IIS service.  Should I consider other services?
    PDC
    • Marked as answer by Elvis Wei Wednesday, April 21, 2010 1:49 AM
    Tuesday, April 20, 2010 3:45 PM
  • IMAP and POP3 and SMTP if required. Glad you got it working!
    • Marked as answer by Elvis Wei Wednesday, April 21, 2010 1:49 AM
    Tuesday, April 20, 2010 5:11 PM
  • Be glad to hear it's working now.
    Wednesday, April 21, 2010 1:49 AM