How to install Trusted Root Certificate

    Question

  • Hi,

    I'm trying to connect my Win 7 + Outlook 2010 to an Exchange 2010 server using Outlook Anywhere.

    When I try to connect I get the message that "There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server myserver.mydomain.com (Error code 8)."

    Now all the information I found on this error tells me I have to install the Trusted Root Certificate. But none of it tells me how to do it. Should I export the certificate from the server and then import it on the client? Is there a way to view the certificate when the error occurs on the client and install it without having to export it from the server?

    How do I install the Trusted Root Certificate?

    Thanks in advance. Regards.


    Plo
    Thursday, July 29, 2010 12:28 AM

Answers

  • The self-signed certificate that Exchange generates is not supported for use with Outlook Anywhere. Therefore, if they wish to use Outlook Anywhere for external people, you have two choices only:

    1. An internal CA.

    2. Deploy an externally trusted certificate.

    Of the two, the second is usually the most cost-effective and allows non-domain clients to trust the certificate without installation.

    I have outlined the full process on my blog: http://blog.sembee.co.uk/post/Exchange-2007-and-SSL-Certificates-Take-2.aspx

    The same certificate will protect Outlook Anywhere, OWA, ActiveSync and SMTP traffic.

    Simon.


    Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
    • Marked as answer by emma.yoyo Wednesday, August 4, 2010 1:13 AM
    Thursday, July 29, 2010 10:33 PM
  • Hi Plo,

    You can use "Web server" template for Exchange if you decide to use internal CA.

    You can use the cmdlet Get-ExchangeCertificate | fl to see which certificate has been installed. If the "RootCAType" is "Enterprise" and the Services are "IMAP,POP,IIS,SMTP", the internal certificate has already been installed on the Exchange server.

    For a domain-disjoined computer, you should export the certificate and install it on the client computer manually.

    Export an Exchange Certificate

    http://technet.microsoft.com/en-us/library/dd351274.aspx

    If you are still using a self-signed certificate, you should apply for a CA certificate and install it first.

    For details, please see:

    Configure SSL Certificates to Use Multiple Client Access Server Host Names

    http://technet.microsoft.com/en-us/library/aa995942.aspx



    Frank Wang
    • Marked as answer by emma.yoyo Wednesday, August 4, 2010 1:13 AM
    Friday, July 30, 2010 7:18 AM
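    As an added example (not code from this thread, from Microsoft, or from Frank), the PowerShell script below does on a non-domain client what Frank describes: it shows which certificate the Outlook Anywhere proxy presents and why Windows rejects it, then imports a root CA certificate that the Exchange/CA admin exported for you, after checking that it really is a self-signed CA whose thumbprint matches the value the admin gave you. The host name, the .cer path and the thumbprint are placeholders.

```powershell
# Added example, not from the thread. Placeholders: proxy host name from the
# error message, path of the root CA .cer the CA admin exported, its thumbprint.

function Get-ProxyCertificateStatus {
    # Connect over TLS, capture the certificate the proxy presents, and report
    # whether the local machine trusts it and, if not, why (e.g. UntrustedRoot).
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $inspectOnly = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspectOnly)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
    # Re-validate the captured certificate against the local Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($leaf)
    New-Object PSObject -Property @{
        Subject  = $leaf.Subject
        Issuer   = $leaf.Issuer
        Trusted  = $trusted
        Problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootName = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

function Install-RootCertificate {
    # Import a root CA certificate obtained out-of-band, after checking it is a
    # self-signed CA and that its thumbprint matches what the admin told you.
    param([string]$CerPath, [string]$ExpectedThumbprint, [string]$StoreLocation = 'CurrentUser')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    if ($cert.Subject -ne $cert.Issuer) { throw "Not a self-signed root: $($cert.Subject)" }
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw "Not a CA certificate: $($cert.Subject)" }
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) { throw "Thumbprint $($cert.Thumbprint) does not match the admin's value" }
    # CurrentUser\Root shows a Windows confirmation dialog; LocalMachine needs an elevated shell.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint
}

# Usage with placeholders: run the status check before the import and again after it.
Get-ProxyCertificateStatus -HostName 'myserver.mydomain.com' | Format-List
Install-RootCertificate -CerPath 'C:\certs\EnterpriseRootCA.cer' -ExpectedThumbprint 'THUMBPRINT-FROM-ADMIN'
```

    Take the root .cer from the admin's export rather than from the connection itself: a certificate captured on the wire could belong to whatever sits between you and the server, and checking the thumbprint against a value the admin gave you is what rules that out.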

All replies

  • If you are accessing from the inside only, I would recommend you use an internal CA for the Exchange certs, and the trusted root for that can be distributed via AD group policy.

    If you are going to use services such as OWA and Outlook Anywhere from outside your corporate LAN, I would suggest using a 3rd-party cert. In that case your computer will already have the public root, thus eliminating the problem.

    Here is a guide from DigiCert, one of the 3rd-party providers: http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm


    • Proposed as answer by Scott H. Robinson Thursday, July 29, 2010 6:34 AM
    • Unproposed as answer by Paolone67 Thursday, July 29, 2010 11:54 AM
    Thursday, July 29, 2010 6:34 AM
  • I need to submit some more specification:

    1. My machine is not joined to the domain since I'm a freelance consultant with my own PC but with a mail account on my customer's Exchange server. This means: no group policy.
    2. Since I'm not the Exchange administrator I cannot force any modification to Exchange server or CA structure. I need to know how to download the Trusted Root Certificate from the infrastructure and install it, possibly not requiring any work to the Exchange administrator.

    Is it possible to say to my PC "hey, just trust that CA Root" or not? Technically speaking: when I try to connect to Exchange through Outlook Anywhere, is it possible to intercept the certificate my PC is not trusting and make my PC trust it?

    Thanks.


    Plo
    Thursday, July 29, 2010 11:54 AM
  • Hi Simon and thanks.

    I want to go with an internal CA. But which Certificate Template must I use to issue the certificate to import in Exchange?


    Thanks.


    Plo
    Friday, July 30, 2010 2:35 AM
  • Hi Plo,

    How about your question? Any updates?


    Frank Wang
    Tuesday, August 3, 2010 1:25 AM
  • Hi Frank,

    I suggested to my customer that they use an internal CA (after all, their employees also got the annoying warning message about an untrusted CA when they accessed the OWA site). I walked them through the process using the "Web Server" certificate template as you suggested. And I installed the trusted root certificate on my PC.

    I have not yet tested whether I'm able to connect through Outlook Anywhere, since I'm now in my summer holiday period. I'll try in September, when both I and the e-mail admin are back.

    Regards.


    Plo
    Wednesday, August 4, 2010 8:59 PM