Exchange 2007 self-assigned SSL Certificate Renewal

  • Question

  • Hi Guys,

    I have Exchange 2007 with SP1 in CCR, running in a VMware environment. The server is configured with a self-assigned SSL certificate.

    The certificate is due for renewal and I'm aware of the procedure for renewing the certificate. But the issue I'm having is that we have a proxy server in front of the Exchange server. When I renewed the certificate, the date was validated and extended for 12 months. But the error message for Outlook users has now changed to: "The name on the security certificate is invalid or does not match the name of the site"??

    Any suggestions would be appreciated. Thanks!!

    Wednesday, February 23, 2011 3:57 AM

Answers

  • The URL on the certificate must exactly match the URL that your users use to access OWA from the internet. Did you issue the certificate for your internal mailbox server and then export a copy to your proxy server? If so, the certificate may be for the fully qualified internal name of your Exchange server, which is not necessarily the name that it is published under on the internet. If this is the case you will need to issue a certificate for the URL that OWA is accessed from externally and apply it to your proxy server.

    John

    • Marked as answer by emma.yoyo Wednesday, March 2, 2011 1:44 AM
    Wednesday, February 23, 2011 9:28 AM
  • Self-signed certificates are created locally on Exchange itself, generated through IIS 7 (Create a Self-Signed Server Certificate in IIS 7), so there is no need to look at the DC at this time.

    The warning you receive is due to the fact that one or more of your URLs isn't listed in the certificate as a Subject Alternate Name (SAN). With Outlook open, hold down the CTRL key and right-click the Outlook icon in the notification area next to the clock in the taskbar, and choose "Test E-mail AutoConfiguration". Uncheck Guess Smart and only run with Autodiscover.

    My guess is that the URL for the Offline Address Book (OAB) isn't listed in your certificate.


    Jesper Bernle | Blog: http://xchangeserver.wordpress.com
    • Marked as answer by emma.yoyo Wednesday, March 2, 2011 1:44 AM
    Thursday, February 24, 2011 8:14 AM
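The two accepted answers above come down to one check: every host name Outlook is told to use (via Autodiscover) must appear in the certificate as the CN or a SAN, on the Exchange server and on the proxy. The Exchange Management Shell script below is an added example for this thread, not code from the original posts. It collects the host names from the URLs Exchange 2007 publishes (OWA, OAB, EWS, ActiveSync and the Autodiscover service URI), compares them with the names in the certificate currently bound to IIS, and, if anything is missing, issues a replacement self-signed certificate that carries all of those names as SANs, binds it, and exports it for the proxy. It assumes you run it on the Client Access server as an Exchange administrator; the subject name `mail.contoso.com` and the path `C:\certs\exchange.pfx` are placeholders, and the cmdlet parameters used are the Exchange 2007 SP1 ones.

```powershell
# Added example for this thread; it is not code from the original posts.
# Run in the Exchange Management Shell on the Exchange 2007 Client Access server.
# It lists the host names Autodiscover hands to Outlook, compares them with the
# names in the certificate bound to IIS, and issues a self-signed replacement
# that carries every missing name as a Subject Alternative Name.
# mail.contoso.com and C:\certs\exchange.pfx below are placeholders.

# 1. Every URL Exchange publishes to clients (OWA, OAB, EWS, ActiveSync, Autodiscover).
$urls = @(Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }) +
        @(Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }) +
        @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }) +
        @(Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }) +
        @(Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri })

# Reduce the URLs to unique, lower-cased host names; unset URLs come back as $null.
$expected = @{}
foreach ($u in $urls) {
    if ($u -ne $null -and "$u" -ne '') { $expected[([System.Uri]"$u").Host.ToLower()] = $true }
}

# 2. The certificate IIS is serving and the names it actually contains.
$iisCert   = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# A name is covered by an exact entry, or by a wildcard entry for its parent
# domain (*.contoso.com covers mail.contoso.com, but not a.b.contoso.com).
function Test-NameCovered([string]$name, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $name) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                      # ".contoso.com"
            if ($name.EndsWith($suffix)) {
                $prefix = $name.Substring(0, $name.Length - $suffix.Length)
                if ($prefix -ne '' -and -not $prefix.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$missing = @()
foreach ($h in $expected.Keys) {
    if (-not (Test-NameCovered $h $certNames)) { $missing += $h }
}

"Certificate bound to IIS : " + $iisCert.Thumbprint
"Names in the certificate : " + [string]::Join(', ', [string[]]$certNames)
"Names Outlook will use   : " + [string]::Join(', ', [string[]]@($expected.Keys))
"Missing from certificate : " + [string]::Join(', ', [string[]]$missing)

# 3. Replace the certificate with one that carries every name. Put the name
#    clients use most (the external OWA / Outlook Anywhere name) in the CN and
#    all of them, internal FQDN included, in -DomainName so they become SANs.
if ($missing.Count -gt 0) {
    $allNames = [string[]]($certNames + $missing)
    $newCert  = New-ExchangeCertificate -SubjectName 'CN=mail.contoso.com' `
                                        -DomainName $allNames `
                                        -PrivateKeyExportable $true
    Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IIS,POP,IMAP,SMTP

    # Give the proxy the same certificate (with private key) so the name it
    # presents matches the external URL as well. Prompts for a PFX password.
    Export-ExchangeCertificate -Thumbprint $newCert.Thumbprint -BinaryEncoded:$true `
        -Path 'C:\certs\exchange.pfx' -Password (Get-Credential).Password

    # Once Outlook no longer warns, retire the old certificate:
    # Remove-ExchangeCertificate -Thumbprint $iisCert.Thumbprint
}
```

The name check Outlook performs is an exact match of the URL's host against the CN and SAN entries, which is why a certificate issued for the internal FQDN is fine on the LAN and fails behind a proxy published under a different name. Keep in mind that a self-signed certificate is still untrusted by any client that does not have it in its Trusted Root store, so for the externally published name a certificate from a CA the clients already trust avoids a second warning.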

All replies

  • If you renewed the old self-signed certificate it should include exactly the same names as the old certificate, and if the old certificate wasn't causing any warnings, neither should the new one.

    Have you renewed the certificate in a similar fashion to this - http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html ?


    Jesper Bernle | Blog: http://xchangeserver.wordpress.com
    Wednesday, February 23, 2011 9:51 AM
  • Hi Guys,

    Thanks for your help. I did follow exactly the same steps as mentioned in Jesper's URL, but for some reason it's still generating the same error message.

    What I'm not sure about is whether there are any steps I need to perform on the DC, e.g. to create or import the certificate initially onto the DC and then export it to the Exchange environment? Once that's done, enable the certificate for IIS, POP, and so on.

    Regards,

    Fzikria

    Thursday, February 24, 2011 1:31 AM
  • Hi Fazikra,

    Can you check the Event Viewer on the Exchange server to see whether these errors are present:

      Source: MSExchangeTransport  Category: TransportService  EventID: 12014

      EventID: 12023  Microsoft Exchange could not load the certificate with thumbprint

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, February 24, 2011 7:09 AM
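Those two event IDs are the transport side of the same renewal problem: event 12023 means the transport service is still configured with the thumbprint of a certificate that is gone (typically the old self-signed one), and event 12014 means no certificate in the store contains the FQDN a Send or Receive connector advertises for STARTTLS. The script below is an added example for this thread, not code from the original posts; run it in the Exchange Management Shell on the Hub Transport server. It pulls those events from the Application log, reads the thumbprint or domain name they mention, and checks it against the certificates and connector FQDNs that are actually present. The regular expressions follow the wording of those two events as logged by Exchange 2007 and are an assumption on my part.

```powershell
# Added example for this thread; it is not code from the original posts.
# Run in the Exchange Management Shell on the Hub Transport server.
# After a renewal the transport service and the SMTP connectors can still point
# at the old certificate; that is what MSExchangeTransport events 12014 and
# 12023 report. This pulls those events, reads the thumbprint or domain name
# they mention, and checks it against the certificates that are actually there.
# The regular expressions follow the wording of those two events (assumption).

$wanted = 12014, 12023
$events = @(Get-EventLog -LogName Application -Newest 2000 |
            Where-Object { $_.Source -eq 'MSExchangeTransport' -and ($wanted -contains $_.EventID) })

$certs       = @(Get-ExchangeCertificate)
$thumbprints = @($certs | ForEach-Object { $_.Thumbprint.ToUpper() })
$certNames   = @($certs | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() })

# The FQDN transport needs to find in a certificate is the one each connector advertises.
$connectorFqdns = @((@(Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)".ToLower() }) +
                     @(Get-SendConnector    | ForEach-Object { "$($_.Fqdn)".ToLower() })) |
                    Where-Object { $_ -ne '' } | Sort-Object -Unique)

foreach ($f in $connectorFqdns) {
    if ($certNames -contains $f) { "connector FQDN $f : covered by a certificate" }
    else                         { "connector FQDN $f : NOT in any certificate (expect event 12014)" }
}

if ($events.Count -eq 0) { "no 12014/12023 events in the last 2000 Application log entries" }

foreach ($e in $events) {
    $note = ''
    if ($e.EventID -eq 12023 -and $e.Message -match '[0-9A-Fa-f]{40}') {
        # 12023 names the thumbprint transport was configured with.
        $tp = $matches[0].ToUpper()
        if ($thumbprints -contains $tp) {
            $note = "thumbprint $tp still exists; run Enable-ExchangeCertificate -Thumbprint $tp -Services SMTP"
        } else {
            $note = "thumbprint $tp no longer exists (the renewed certificate?); enable the new one for SMTP"
        }
    } elseif ($e.EventID -eq 12014 -and $e.Message -match 'domain name ([A-Za-z0-9.-]+)') {
        # 12014 names the FQDN no certificate in the personal store contains.
        $fqdn = $matches[1].ToLower()
        if ($certNames -contains $fqdn) {
            $note = "$fqdn is in a certificate; check that it is enabled for SMTP and not expired"
        } else {
            $note = "$fqdn is not in any certificate; add it as a SAN or change the connector Fqdn"
        }
    }
    "{0}  event {1}  {2}" -f $e.TimeGenerated, $e.EventID, $note
}
```

If the renewed certificate was created with `New-ExchangeCertificate` but never enabled for SMTP, the fix for 12023 is simply `Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services SMTP`; for 12014 the connector FQDN has to be one of the names on the certificate.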
  • Hi Fzikria,

    Any updates?

    Please check whether the error occurs when opening Outlook on the LAN.

    "Did you issue the certificate for your internal mailbox server and then export a copy to your proxy server?"

    Please also run the ExBPA.

    Friday, February 25, 2011 6:01 AM
  • Hi Fzikria,

    Any updates?

    Monday, February 28, 2011 2:00 AM