Exchange 2010 certificate removal

  • Question

  • Hi,

    I've installed Exchange 2010 and everything works fine.  I have also installed a self-signed certificate, mostly for my own experience, to see what this does and what impact it has.  I had no experience of this previously.  As these things go, Exchange is now in use and people are using the resource.  However, Outlook 2007/2010 clients are getting an annoying warning about the certificate and, when I log into OWA, there is also the "The security certificate presented by this website was issued for a different website's address" warning.  OWA is not used by anyone else but myself.  Again, I have enabled this more as a learning experience.  My question is, can I remove the certificate safely without services to OWA or internal e-mail to Outlook clients being disrupted?  Is it best to do this by right-clicking on the cert in Server Configuration and selecting 'Remove'?

    All responses are much appreciated.


    Many thanks,

    Greg.




    • Edited by Gregish Tuesday, January 24, 2012 11:16 AM
    Tuesday, January 24, 2012 10:02 AM

Answers

  • On Tue, 24 Jan 2012 10:02:56 +0000, Gregish wrote:
     
    >I've installed Exchange 2010 and everything works fine. I have also installed a self signed certificate mostly for my own experience to see what this does and what impact it has. I had no experience of this previously. As these things go Exchange is now in use and people are using the resource. However, Outlook 2007/2010 clients are getting an annoying warning about the certificate and, when I log into OWA, there is also the "The security certificate presented by this website was issued for a different website's address" warning. OWA is not used by anyone else but myself. Again, I have enabled this more as a learning experience. My question is, can I remove the certificate safely without services to OWA or internal e-mail to Outlook clients being disrupted? Is it best to do this by right clicking on the cert in Server Configuration and selecting 'Remove'?
    >
    >All responses are much appreciated.
     
    Replace the cert with one that contains the correct common name and
    any subject alternative names (SAN) your organization requires.
     
    The common name on the certificate should be the one you use for
    ActiveSync. The other names should be added as SANs.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
    • Marked as answer by Evan Liu Friday, February 3, 2012 11:11 AM
    Tuesday, January 24, 2012 4:52 PM
  • One other thing to add to the common name selection - please remember that if you have Windows XP clients and you want to use Outlook Anywhere on those machines, the OA endpoint name that you use must be the CN of the cert.  Vista SP1 and newer do not have this requirement.

    Please review the namespace planning guides on TechNet, and map out what names you need. 

    *THEN* buy the cert as the MVPs have mentioned here.

    Self signed certs should be replaced, and end users should not have to click through cert warnings.


    Cheers, Rhoderick
    • Marked as answer by Evan Liu Friday, February 3, 2012 11:11 AM
    Wednesday, January 25, 2012 2:31 AM
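The namespace mapping Rhoderick asks for can be pulled straight out of the Exchange configuration rather than guessed. The script below is an added example, not code from this thread or from Microsoft: run in the Exchange Management Shell on Exchange 2010, it collects every host name Exchange publishes to clients (Autodiscover SCP, the OWA/ECP/EWS/ActiveSync/OAB virtual directories and the Outlook Anywhere endpoint), then compares that list against the names on whichever certificate is currently bound to IIS. The only assumption is that you run it on or against a Client Access server; all names come from your own configuration.

```powershell
# Added example: inventory the names Exchange 2010 publishes to clients and check
# them against the certificate enabled for IIS. Run in the Exchange Management Shell.

$urls = @()

# Autodiscover SCP that domain-joined Outlook clients read from Active Directory.
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }

# Internal and external URLs of the client-facing virtual directories.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory)
foreach ($vdir in $vdirs) {
    $urls += $vdir.InternalUrl
    $urls += $vdir.ExternalUrl
}

# Outlook Anywhere endpoint (for Windows XP clients this one must be the CN).
$oaHosts = @(Get-OutlookAnywhere | ForEach-Object { $_.ExternalHostname })

# Reduce everything to unique, lower-case host names; unset URLs are $null and skipped.
$needed = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host }) +
          @($oaHosts | Where-Object { $_ } | ForEach-Object { $_.ToString() }) |
          ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# Certificate currently bound to IIS (the one OWA, EWS, ActiveSync and OA present).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for IIS on this server." }
$onCert = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

Write-Host ("IIS certificate : {0} (self-signed: {1}, expires {2})" -f $cert.Subject, $cert.IsSelfSigned, $cert.NotAfter)
Write-Host ("Names on cert   : {0}" -f ($onCert -join ", "))
Write-Host ("Names published : {0}" -f ($needed -join ", "))

# A name is covered if it is listed literally or matched by a wildcard for its parent domain.
$missing = $needed | Where-Object {
    $parentWildcard = "*." + ($_ -replace "^[^.]+\.", "")
    ($onCert -notcontains $_) -and ($onCert -notcontains $parentWildcard)
}

if ($missing) {
    Write-Warning ("Not covered by the IIS certificate: {0}" -f ($missing -join ", "))
} else {
    Write-Host "All published names are covered by the IIS certificate."
}
```

Anything the script reports as missing is a name that will produce exactly the "issued for a different website's address" warning Greg is seeing, so the output of `$needed` is the list to put on the CSR (the CN for ActiveSync/Outlook Anywhere, the rest as SANs). If the internal server FQDN shows up in the list and you intend to buy a public certificate, change the internal URLs to the public name first rather than trying to get a private name onto a public cert.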

All replies

  • Removing the certificate will not replace it with one that works!
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Tuesday, January 24, 2012 4:30 PM
  • Thanks for the replies guys.

    So, if I remove any certificates that are there will the users still be able to connect with Outlook and OWA with no certificates installed?

    When I've done that I can then install a self-signed certificate with a common name of the address we use for OWA and a SAN for the internal server name.  Is this correct, or have I got it completely wrong?

    Tuesday, January 24, 2012 6:45 PM
  • You really ought to get a UCC SSL certificate that contains the domain names you use for autodiscover and everything else.  This can be as few as one CN (say, webmail.company.com) and one SAN (autodiscover.company.com), although the CN will show up as a SAN from most issuers.

    You can get this certificate from Go Daddy for $216 for three years (pricing as of the last time I looked).  There are plenty of other issuers, but as far as I know they're all more expensive.  A publicly issued certificate will ensure your mobile devices will connect properly without you having to import a root certificate.  Be sure you pick an issuer whose root is trusted by your mobile devices.

    If you want to go the cheap but more labor-intensive way, then you use your own Windows-based enterprise CA.  If you don't have one, it's not that hard to install.  Then you can generate your own free certificates, but they won't work in mobile devices or private computers without distributing and installing your root certificate.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Tuesday, January 24, 2012 6:56 PM
  • On Tue, 24 Jan 2012 18:45:33 +0000, Gregish wrote:
     
    >So, if I remove any certificates that are there will the users still be able to connect with Outlook and OWA with no certificates installed?
     
    Not if you require the use of SSL or HTTPS.
     
    >When I've done that I can then install a self signed certificate with a common name of the address we use for OWA and a SAN for the internal server name. Is this correct, or have I got it completely wrong?
     
    Do you have a CA in your organization? If you don't then you can
    either add one or you can purchase a UCC (or SAN) certificate from a
    public CA.
     
    You don't have much choice in what the common name on the cert is if
    it's self-issued. OTOH, if you have your own CA you can create the CSR
    with whatever names you like and then install the certificate (and
    enable it for use by Exchange). The trouble with either of those is
    that the certificate isn't going to be trusted by the clients. If you
    have your own CA you can install its root certificate as a trusted CA
    on all the clients. If you use a public CA the root certificates are
    probably going to be present in the local machine's certificate store so
    you'll avoid the hassle of having to deal with the clients.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
    Tuesday, January 24, 2012 8:34 PM
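The procedure Rich describes in his accepted answer (replace the self-signed cert with one carrying the right CN and SANs) and again here (create the CSR, install the issued certificate, enable it for Exchange) looks like this in the Exchange Management Shell. This is an added example, not code posted in the thread: the names mail.example.com, autodiscover.example.com and ex01.corp.example.local, the organization in the subject and the C:\certs paths are placeholders for your own namespace plan; the cmdlet syntax is the Exchange 2010 form, where the request comes back as a Base64 string and the issued certificate is imported as a byte array.

```powershell
# Added example: replace the Exchange 2010 self-signed certificate with a CA-issued one.
# Assumed names (replace with the result of your namespace planning):
$cn    = "mail.example.com"                     # used for OWA, ActiveSync and Outlook Anywhere
$names = @("mail.example.com",
           "autodiscover.example.com",
           "ex01.corp.example.local")            # internal FQDN, if internal URLs still use it

# 1. Generate the request on the CAS. Exchange 2010 returns the CSR as a Base64 string,
#    and the matching private key stays in the local machine store as a pending request.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Ltd, cn=$cn" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2010 client access"
Set-Content -Path "C:\certs\exchange.req" -Value $req

# Submit C:\certs\exchange.req to your enterprise CA or a public CA and save the issued
# certificate (PKCS#7 .p7b or DER .cer) as C:\certs\exchange.p7b before continuing.

# 2. Import it; it is paired with the pending request's private key automatically.
$imported = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\exchange.p7b" -Encoding Byte -ReadCount 0))

# 3. Check before binding: every planned name must be present and the chain must be
#    valid on this server (an enterprise CA's root must already be trusted here).
$cert    = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$missing = $names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing)                { throw "Issued certificate lacks: $($missing -join ', ')" }
if ($cert.Status -ne "Valid") { throw "Certificate status is $($cert.Status); check the CA chain on this server" }

# 4. Bind it. IIS covers OWA, ECP, EWS, ActiveSync, OAB, Autodiscover and Outlook Anywhere.
#    -Force suppresses the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP -Force

# 5. Confirm the binding and recycle IIS so new connections use the new certificate.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize
iisreset /noforce

# Only after step 5 is the old self-signed certificate no longer presented to clients.
# Do not remove it while it is still enabled for SMTP: Hub Transport servers use the
# setup-generated self-signed certificate for server-to-server TLS.
# Remove-ExchangeCertificate -Thumbprint <old thumbprint>
```

The order matters for the question that started the thread: removing the existing certificate first would leave the HTTPS bindings with nothing to present, which is what Rich means by "not if you require the use of SSL or HTTPS". Enabling the new certificate with `-Services IIS` swaps the binding in place, so Outlook, OWA and ActiveSync are never without a certificate. The checks in step 3 are where a self-signed or privately issued cert fails for external and mobile clients: the status is only `Valid` on machines that trust the issuing root, which is the distribution problem Rich and Ed describe.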