Exchange Server 2010, like its predecessor Exchange Server 2007, makes heavy use of SSL certificates for various communications protocols. When you install a new Exchange server it comes pre-configured with a self-signed certificate. Before putting a new server into production you should create and assign a new SSL certificate for the server.
In this example an SSL certificate is being configured for the contoso.local organization.
Generate a New Exchange Server 2010 Certificate
In the Exchange Management Console navigate to Server Configuration. Right-click the server and choose New Exchange Certificate.

Enter a friendly name for the new cert. In this example I have named it “Contoso Exchange Server”.

Although wildcard certificates are supported in Exchange Server 2010, it is recommended to use a SAN (Subject Alternative Name) certificate instead.

Next we can configure the names for each of the Exchange 2010 services that are secured with the SSL certificate.
First is the Outlook Web App service. Enter the internal and external names of Outlook Web App. In this example I am using “ex2010.contoso.local” for internal, and “mail.contoso.local” for external.

Next configure the ActiveSync domain name. For ease of administration and configuration I am using the same name as for Outlook Web App.

Next are the Web Services, Outlook Anywhere and Autodiscover names. Once again I am using the same name, “mail.contoso.local”. For Autodiscover the additional names “autodiscover.contoso.local” and “autodiscover.xyzimports.local” are also configured, one for each of the accepted email domains in this example organization.

The Hub Transport server also requires SSL for secure SMTP communications. In this example I am using the name “mail.contoso.local”.

A legacy name for co-existence is required if you are planning to gradually transition services and data from Exchange 2003 to Exchange 2010. Configure a legacy name for each of the namespaces in the organization, in this example “legacy.contoso.local” and “legacy.xyzimports.local”.

When all of the services have been configured proceed to the next step of the New Exchange Certificate wizard.
Confirm that all of the required names have been included in the cert request. You can add any additional names at this stage before proceeding.

Next configure the organization and location information for the certificate, and choose a location to generate the request file.

When you have finished filling out the wizard click the New button to generate the cert request file.

Confirm that the request file was successfully generated.

You will notice that the wizard makes a recommendation as to the type of certificate that is required for your Exchange organization. In most cases a “Unified Communications certificate” will be necessary, which is basically another name for a SAN certificate.

Although you can issue the certificate from a private Certificate Authority, it is recommended to use a commercial Certificate Authority such as Digicert.
After you have acquired the new certificate return to the Exchange Management Console, navigate to Server Configuration, right-click the server and choose Complete Pending Request.

Browse to the location of the file you downloaded from the CA and complete the wizard. Confirm that the new SSL certificate was imported successfully.

The new certificate now appears in the list of valid certificates for the server.
Assign the New Certificate to Exchange Server 2010
With the valid SSL certificate installed it is now time to assign it to the Exchange Server 2010 services. Right-click the new certificate and choose “Assign Services to Certificate”.

Choose the new Exchange server and click the Next button.

Choose the services to assign to the certificate. In this example the IIS and SMTP services are being assigned.

Complete the wizard to assign the services to the new SSL certificate. You will be prompted to overwrite the existing self-signed certificate, so choose Yes to that prompt.
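The same generate, complete and assign sequence can be done from the Exchange Management Shell instead of the EMC wizard. This is an added example, not code from the original article: the names are the ones used above, while the organization and location values in the subject and the file paths are assumptions.

```powershell
# Added example: request, complete and assign a SAN certificate from the
# Exchange Management Shell. Paths and the O/L/S/C subject values are assumed.

# 1. Build the SAN list: every name a client or mail server will connect to.
$sanNames = @(
    'mail.contoso.local',            # OWA/ActiveSync/EWS/Outlook Anywhere/SMTP (external)
    'ex2010.contoso.local',          # OWA internal name
    'autodiscover.contoso.local',    # one autodiscover name per accepted e-mail domain
    'autodiscover.xyzimports.local',
    'legacy.contoso.local',          # Exchange 2003 co-existence namespaces
    'legacy.xyzimports.local'
)

# 2. Generate the request. Exchange 2010 returns the Base64 request text, so it
#    is written to a file with Set-Content for submission to the CA. The private
#    key is left exportable so the certificate can be copied to a second CAS later.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Contoso Exchange Server' `
    -SubjectName 'CN=mail.contoso.local, O=Contoso, L=Sydney, S=NSW, C=AU' `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\contoso-exchange.req' -Value $request

# 3. Complete the pending request with the file the CA returned (assumed path).
#    Run this on the same server that generated the request; that is where the
#    matching private key lives.
$certBytes = [Byte[]](Get-Content -Path 'C:\certs\contoso-exchange.cer' -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes

# 4. Assign IIS and SMTP. Enabling IIS here moves IIS off the self-signed
#    certificate automatically; -Force suppresses the overwrite prompt that the
#    wizard shows.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 5. Verify: the CA-issued certificate (IsSelfSigned = False) should now be the
#    only one listing IIS, and CertificateDomains should contain every SAN name.
Get-ExchangeCertificate |
    Format-List FriendlyName, IsSelfSigned, Services, CertificateDomains, NotAfter, Thumbprint
```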

It's a very nice tutorial, but how can I create a certificate for an NLB cluster name?
Hi Faisal, same process as above, but you also include the DNS name of the NLB cluster in the SAN certificate.
Once you’ve installed the certificate on one of the NLB cluster members you can then export it using the Certificates snap-in in MMC, copy it over to the other server, import it and then enable it for IIS on that server as well.
The export/import process is demonstrated here (well, it's for 2010->2003, but you should be able to work it out from that):
http://exchangeserverpro.com/export-an-exchange-server-2010-certificate-to-exchange-2003
I have two self-signed certificates in Exchange 2010, as follows:
Name | Self Signed | Services | Issuer | Expiration Date
(none) | True | IMAP, POP, IIS, SMTP | CN=WMSvc-MAIL | 0109/08/2020
“Microsoft Exchange” | True | SMTP | CN=MAIL01 | 04/10/2015
How do I remove some services, i.e. SMTP or IIS, from the first certificate, and assign IIS to the second certificate, “Microsoft Exchange”?
Secondly, can I make a backup of the certificates before playing with them, so that I could restore them in case any nonsense happens?
By the way, please don't confuse my question with the previous one, because my name is also Faisal.
Thank you
Faisal Khan
Faisal, when you use Enable-ExchangeCertificate to enable one for IIS it will automatically remove IIS from the other certificate’s uses. You can also do it via the Management Console if you prefer it that way.
You can export certificates but it shouldn’t be necessary if all you are doing is enabling them for services.
Thanks Paul, much appreciated.
Q1. How do I achieve this via the console? Please give me a hint.
Meanwhile, what I did is request a certificate from my local CA (from my first DC, http://DC01/certsvr). This appears in the Exchange console as “False” under Self-Signed. Is this okay? It is not from a third party though!
Q2. As long as I am not getting a proper certificate from a third party, which I will do soon, would it be alright to use this certificate, or do you think I should get a self-signed certificate instead?
My existing self-signed certificates in Exchange are messed up, because Outlook 2007 clients started getting a certificate Yes/No message each time they open Outlook 2007 after I assigned some services (maybe IIS or others, not sure!) to this certificate. But after requesting and installing a cert from DC01/certsvr this problem has been resolved.
Q3. Now my BIGGER concern is the iPhone. This bloody iPhone/iPad can't seem to connect with Exchange on ActiveSync.
Many Many Thanks
Q1 – See this article for instructions.
http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services
Self-signed “False” just means that it came from a CA (either private or commercial), instead of being self-generated by the Exchange server.
Q2 – I think a CA-issued cert is better than a self-signed cert, but obviously getting one from a commercial CA is better than a private CA.
Yes I would expect certificate warnings when using a self-signed certificate, and the private CA-issued one would solve that for domain members, but not for non-domain members (eg people connecting from home to OWA, or mobile devices).
Here is an article I wrote about it all:
http://www.petri.co.il/ssl-exchange-certificate-buying-commercial.htm
Q3 – You can use the website https://www.testexchangeconnectivity.com/ to test ActiveSync to see if it is just an iPhone bug or something else with your configuration.
When using certificates from a private CA you’ll need to check the box to ignore trust for SSL when running the test.
Hope that all helps.
Thank you so much Paul. I am moving forward now. Every problem of mine is resolved for the moment, touch wood. As a summary I am writing down all of the Exchange problems I had last week and their solutions, which were obviously suggested by you:
1. Outlook 2007 started displaying a certificate message each time you open it up or when you click on Send/Receive. This problem was resolved by using a SAN entry in the certificate for autodiscover.my-local-domainname.local.
2. iPhone was not able to ActiveSync with Exchange. The problem was resolved after finding out that the user should have inheritance permissions in AD (open ADUC > right-click user > Properties > Security > Advanced) and select inheritance. If you can't find the Security tab then you need to enable Advanced view from the top menu.
Thanks Paul for your last tip to ignore the SSL trust check in case of using a private CA; this proved to be a cracking shot.
Best Regards
Faisal Khan
I already have a wildcard cert for my entire organization, which is used for not only our external web servers but also for OWA access in 2003. I’m having difficulty finding technical information on using the cert when moving to Exchange 2010. Can you point me to any resources?
Kim, wildcards are supported by Exchange 2010 but not all browsers and mobile devices will support them (mostly older ones though). A wildcard is also less secure in some ways than a SAN cert, but I’ve never met anyone who worries about that.
Most of our customers go with a new SAN certificate at the time of deployment which is the best outcome.
Man, this article ROCKS!!! Thanks!!!!
Paul, what should I do on Exchange 2010 and on the client to get Outlook Anywhere going? Do I need to allow any port on the firewall as well? Please advise.
Thank you
Faisal
Faisal, I decided to write a new tutorial to answer your question. You can check it out here:
http://exchangeserverpro.com/how-to-configure-exchange-server-2010-outlook-anywhere
Thanks….
Hi, thanks for the article. I have Exchange 2010 running. Is it risk free to assign services to a new certificate, and does this affect existing connected users from the LAN?
I would schedule it for outside of business hours in case there are any problems from the change.
Hello,
We have Exchange 2010 SP1 with two CAS/HUB servers in CASArray and two MailBox Servers with DAG enabled.
Question 1:
For CAS array I am using outlook.domain.local (DNS Record) and I am going to buy a SAN certificate from digicert.com, please see names that I am going to include in this certificate and please correct me if I am wrong:
Outlook.domain.local (internal NLB for Client access array)
Ep-cas01.domain.local (for outlookanywhere)
Ep-cas02.domain.local (for outlookanywhere)
Webmail.domain.com (OWA,POP3,SMTP)
Autodiscover.domain.com (for autodiscover)
domain.com
Question 2:
We already have regular (not SAN) SSL Certificate for webmail.domain.com. Can we assign this certificate for IIS,POP and SMTP services instead of buying SAN Certificate.
Thank you
Alex, check with the certificate provider whether they will issue you a cert for a .local name. I think not all of them will.
Hello Paul,
Thanks for the quick response.
My Exchange 2010 SP1 environment contained following servers:
Ep-cas01.domain.local
Ep-cas02.domain.local
CAS Array for these CAS servers is “outlook.domain.local”, and two mailbox servers with DAG
For OWA we are using “webmail.domain.com”
DigiCert and VeriSign allow the use of “.local” domain names, and they suggest adding NetBIOS names to the certificate as well. (http://www.digicert.com/ssl-support/exchange-2010-san-names.htm)
http://www.digicert.com/unified-communications-ssl-tls.htm
http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/san-ssl-certificates/index.html
Could you please advise me what names I have to put into certificate:
Outlook.domain.local
Ep-cas01.domain.local
Ep-cas02.domain.local
Webmail.domain.com
Autodiscover.domain.com
Autodiscover.domain.local
Should I add the NetBIOS name of my Exchange server(s) to the certificate?
Thank you
Alex
Hi,
Should I add autodiscover for internal and external domain in my SAN Certificate?
For example:
autodiscover.domain.com
and
autodiscover.domain.local
Or I can add only one to the certificate?
Thank you
You would need an autodiscover name for each SMTP namespace in your organization. You can have more than one autodiscover name on a SAN certificate.
I created the new certificate request, but it’s just sitting there. How do I get it to become a .cer?
Matt, the next step explained in the article is to submit the certificate request to a Certificate Authority who will then issue you the SSL certificate. The suggested CA in the article is Digicert.
After creating and adding the SSL cert to the CAS Exchange 2010 server, the current remote users' Outlook Exchange proxy settings URL is https://exchange2003.domain.com. Can this Outlook setting stay the same until the mailbox has been moved from Exchange 2003 to 2010? If not, is there a script or something that can change it without the users knowing about the change? Also, same question with internal users' Outlook profiles pointing to exchange2003 vs exchange2010 until the mailbox has been moved?
Thank you.
Hi Alan, they can keep using the same name. In fact you can transition that name across to Exchange 2010 if you wanted to. See here for details about migrating Client Access services from 2003 to 2010.
http://technet.microsoft.com/en-us/library/ee332348.aspx
Internal users will have the Exchange 2003 server name in their Outlook profile until you move them to a 2010 mailbox server, and the profile will automatically update to the new server name (of the CAS that is the RPCClientAccessServer for their mailbox database) at that time.
Hi,
We experienced the same issue with Exchange 2010 and Outlook 2010.
We decided to import the self-signed certificate into a GPO (Trusted Root Certification Authorities). The thing is, this works for a mailbox user who is in fact a Domain Admin, but a regular user still gets the certificate warning message. Something to do with rights?
Any suggestions?
Thank you!
Hi Timothy, should work fine for regular users too. Are you sure your GPO change is applied to the users? ie not filtered out in some way, have they run GPupdate? Check RSOP and make sure it is applying? That’s where I would start looking.
Hi Paul,
There was something else that was causing this. The normal users have proxy enabled and the domain admin doesn’t. I put the “https://” in the bypass proxy and the problem is now solved.
Thank you for the quick response!
Hi Paul
Is there any way to configure separate certificates for internal and external names?
Could it be a security issue showing those internal names on public certificates?
Thx!!!
If you’re using ISA or TMG to publish Exchange externally you could get a second certificate that doesn’t have the internal names in it. But then of course that costs you basically twice as much.
Consider also that your internal names might be exposed already through the headers in emails unless you made some config changes to hide them.
Knowing your internal server names is not much help to someone unless they can break into your network anyway. And once they’re in, discovering names is pretty easy.
Thx Paul
I was thinking about separate sites for internal and external Exchange access. One using only internal names and the other one using external names. So it would only be necessary to buy the external one; the other could be auto-generated by the corporate CA. But I don't know if it's possible to configure the separate IIS sites to work with Exchange.
However, with your comments regarding the security, this (im)possible solution appears to be unnecessary.
Thx for the quick response!!
If you’re publishing via ISA/TMG there is no need for multiple sites (or virtual directories), unless you need different authentication settings between them.
If you’re publishing Exchange directly through a firewall (ie without ISA/TMG) and you want to use different sites/virtual directories to bind different SSL certs to, then yes I guess that would achieve what you’re trying to achieve.
And yes you can just use the internal CA to issue the cert for internal use.
All up to you really.
Hi Paul,
Is it safe to remove the pre-configured self-signed certificate that Exchange 2010 created? I have a new SAN certificate from DigiCert and have assigned the IIS service to use it. My SMTP, IMAP, and POP are still using the self-signed certificate. Should I assign all these services to use the SAN certificate from DigiCert and remove the self-signed one? Please let me know.
Thanks,
Kevin
I usually just leave it alone.
Hi Paul.
I have just implemented a SAN certificate, and run into problems with Outlook 2010.
I have the following subject:
remote.domain.local
Subject Alternative name:
remote.domain.local
autodiscover.domain.local
autodiscover.domain.no
exchange-server.domain.local
Autodiscover works fine, but when I try to start Outlook, it will prompt for username and password, and I never get connected.
I first had not implemented exchange-server.domain.local as a Subject Alternative Name, and then Outlook 2010 worked, but complained about the missing value. After adding exchange-server.domain.local everything looked fine (no errors) until the first reboot, but then I was prompted for username and password.
OWA works fine.
Any bright ideas?
Ulf
It is possible your Outlook clients are making a HTTP connection via Outlook Anywhere, and Outlook Anywhere is configured for Basic Authentication.
Wow. I had local users getting server cert errors on Outlook launch for weeks. Thank you so much. That was easy as pie. Even easier than pie. Many thank yous!!
Why is it recommended that you use a SAN certificate? And what problems might you expect when using a wildcard certificate?
Just check that all of the browsers and mobile devices you’re expecting will be connecting to Exchange support wildcards. Some don’t, but it is mostly older ones.
Thanks for the info, we only use new browsers and recent android. So this shouldn’t be a problem.
Do you know of any problems with Outlook 2010 and a wildcard certificate? I could only find some articles about Outlook 2010.
I’ve used a wildcard in my lab with Outlook 2010 and didn’t notice any problems. All prod environments I work with use SAN certs though, so I haven’t had the opportunity to really test wildcards in the real world.
Hi Paul,
I am in the process of migrating from Exchange 2003 to 2010. I have one Exchange 2010 server installed so far and only a few users on it yet. I wanted to get the certificates on before I deploy it, so I went through the wizard and selected pretty much what you show in your example, but when I submitted my request to Geotrust to get a certificate it was mapped to my domain name only (example: domainname.edu) and not my mail server name or my external link name (example: mail.domainname.edu). When I completed the pending request in Exchange the cert was applied but nothing worked right; I got errors on my OWA accounts and on my desktops. I did not use the wildcard option in the wizard. I even tried resubmitting the cert with the external mail link name, thinking that only the people accessing email through the web or ActiveSync/IMAP users were using the certificate. That made the OWA users happy but not the desktops; they continue to pop up a certificate warning every time I open Outlook 2010.
Any idea what I am doing wrong? It seems pretty straightforward.
Hi Sylvia, what type of certificate did you order from them?
We buy a bulk package of standard SSL certs – from Geotrust rapidSSL. I don’t think I can do a SAN cert using these certs. There is no option for anything except what pulls up from the request. No enterprise certs.
Yep, sounds like you’ve got just a standard/single-name cert there. Has to be a SAN cert for the multiple names to work. Looks like Geotrust refers to it as a UC/SAN cert on their sales pages:
http://www.geotrust.com/ssl/ssl-certificates-san-uc/
Hello,
For Exchange 2010 SP1 environment with CAS Array, should I add CAS servers netbios names to SAN certificate or I can add only CAS servers FQDN names?
Thank you
It depends, do any of your users access OWA internally by entering the short name of the server? If not then just the FQDN should be fine.
Thanks for reply.
All internal and external users will use external URL for OWA (https://webmail.domain.com/owa).
In that case I should add only FQDNs of my CAS (cas1.domain.local and cas2.domain.local) server and virtual CAS Array (casarray.domain.local) name to the certificate + webmail.domain.com + autodiscover.domain.com and autodiscover.domain.local.
Am I right?
Thank you
Sorry about the delay on replies. Your CAS Array name may not need to go into the SAN cert, it depends if clients will be making SSL connections specifically to that name. But there is no harm in adding it.
We have spoken with Microsoft about this and they told us the following:
FQDNs of servers with all roles on them (CAS, MBX, HUB) should be included in the certificate. If you use a CAS array, only the CAS array FQDN should be in the certificate; you do not need to include the FQDNs or NetBIOS names of the CAS array member servers in the SAN certificate. Autodiscover for the internal and external domain should be in the certificate. All OWA names should be in the certificate.
Thanks
I’ve had advice that goes both ways on that one (CAS Array name). Seems to hinge on whether the CAS Array name is also the same DNS name as services such as OWA.
Hi,
Can we use Active directory certificate service (windows server 2008 R2 )for exchange 2010 Client connectivity.
Thanks
UNAIS
I have installed the SAN certificate on both CAS servers. I did not include the names of the CAS servers or the array on the certificate. I am getting a certificate error on OWA. Any way to get around this?
Depends on the error you’re getting. But I would guess, without knowing all the details of your situation, that reissuing the certificate with the correct server names included in it would be a start.
Great article!
BUT is this all done automatically when we use the trusted certificate wizard in the SBS 2011 console?
I’m having trouble accessing RWA outside the network, plus ActiveSync isn't working for mobile devices either.
SSL looks fine from inside the browser on the network though!
SBS is, as always, a little bit special.
Your internal, domain-joined clients will trust the certificate that SBS creates, but external non-domain joined clients (and things like smartphones) will not.
There is usually a little cert installer package you can download from your SBS server to deploy to non-domain joined clients so that they trust the cert. Also ActiveSync phones usually have an option to ignore SSL certificate trust problems.
I understand that, but even after installing a trusted cert we cannot access anything outside the network. I even installed a cert on my iPhone but still it won’t connect outside the network.
When I run an Exchange ActiveSync scan I get this error:
Testing the SSL certificate to make sure it’s valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server remote.burningdesirewales.co.uk on port 443.
ExRCA wasn’t able to obtain the remote SSL certificate.
Additional Details
The certificate couldn’t be validated because SSL negotiation wasn’t successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Is this a certificate problem? If so would installing a certificate the way you have solve my problem?
Regards
Mat
Looks like some other firewall or server issue going on there.
I have been able to generate and import the certificate on my first CAS server (the one where I issued the request). But somehow I’m unable to import the cert onto the second CAS node. I can’t export the cert from node1 with the private key because it’s a digicert issued certificate.
How can I enable the cert on the 2nd node? The FQDN’s of both CAS hosts and CAS array name are correctly listed in the cert.
I’m at a loss here.
I’d suggest contacting Digicert support. I’ve exported/imported their certs before.
Good afternoon Paul,
I have a question about the certificate. I have a machine running exchange 2010 and already has certificate.
I’m upgrading my accounts to a new server. Can I install the new certificate after the migration of mailbox?
Thank you.
What roles is the new server running? If it is just the Mailbox server role then no cert is necessary. If it is running the CA/HT roles then a new cert will be necessary, and I always configure things like certificates before putting a server into production.
Paul –
I have a strange predicament. I have inherited a domain with an internal name ending with .gov. The external name is slightly different due to restrictions. I want to create a SAN with the internal and external domain names as required, but the cert authority informs me I need to register my internal name as it is an external designation. The problem is the governing board for .gov names will not allow us to register it, as it is not the format they allow, even though it is for our internal use. Our AD is 2008R2 but too large for a domain rename (the thought makes me shudder); besides, I think Exchange is one of the apps that is not compatible with it. My question is: can I have two certificates assigned to my CAS array, the commercial SSL for external users and an internal self-signed certificate for my internal clients? Will Outlook autoconnect work properly?
Thanks in advance.
John
Paul –
Are there any comments you can provide on my situation? Greatly appreciated.
Thanks.
John
Yes you can use a mix of certificates issued by private and public CAs.
Use the privately issued certs on your internal servers, including the external name on the internet-facing CA servers as well.
Then request a separate cert from the public CA for the external name(s) and bind that cert to your ISA Server listener.
Why is email being queued on Exchange Server 2003 when sending to Exchange 2010?
Dear Paul,
I have created two certificates in CAS and I need to remove one. Please can you help me with the steps…
Hi Paul,
Recently I installed a SAN certificate on my Exchange servers. On the first everything went fine, but on the second server, when I enabled the Exchange certificate, it gave me the error below:
This certificate will not be used for external TLS connections with an FQDN of ‘mail1.X.X.COM’ because the self-signed certificate with thumbprint ‘AAA-THUMBPRINT-AAAAAAA’ takes precedence.
Now on the second server I see a red mark on the certificate.
I have all the names, external and internal, on the SAN certificate.
Please could you let me know if this would create any problems on my Exchange servers?
I’d just unassign the certificate that you don’t want to use from SMTP.
In OWA 2010, after logging in, when I click on the New button or any other buttons nothing happens. I am unable to create a reply or delete any messages. However, if I access OWA directly from the server everything works fine.
Any idea why it fails in OWA?
Thanks in Advance
Dan
Is your browser blocking popups?
I uninstalled and reinstalled the certificate on the 2nd server and everything looks fine now. I am able to access OWA without any issues.
Thanks Paul
Should I add netbios name of my Exchange server(s) into certificate?
Do I really need the NetBIOS names of all my CAS servers?
Only if you plan to have users connecting to https://shortname/owa
Otherwise, if they’ll always be connecting to https://some.other.long.name/owa then you don’t need the netbios name in the cert.
I generally leave it out.
What should I do if I have different domain names for internal and external?
internal: exchange.myofficedomain.com
external: exchange.ouroffice.com
I’ve bought a cert for the external name, but upon configuring it my internal users face a certificate problem when using their Outlook.
Is there any way to have a self-signed internal cert and a CA-signed external cert co-exist?
Thanks.
Hi Kent, yes you can bind separate certificates to separate sites within IIS. The summary is that you need to create a new site in IIS on its own dedicated IP, create the applicable Exchange virtual directories (via PowerShell), and then use DNS to direct the different names to the different IIS sites/IPs.
Hi all, I have one problem related to configuring external users to access Exchange Server 2010. Currently I am using Exchange Server 2010, set up in my company (internal). I want to allow external users (outside the office) to use MS Outlook to access my Exchange Server 2010 (internal). I have configured and enabled Outlook Anywhere on my Exchange Server 2010, and I have configured MS Outlook (on the client’s PC) to connect to Exchange Server 2010 already. But when I try to connect to the Exchange server I get an error message about a certificate error, and the client (external) cannot connect to Exchange Server 2010. But another laptop using Mac OS still works properly. The problem is only with the client’s laptop using Windows OS. WHY? Could you give me some advice related to this issue? THANKS
Regards,
Sophaktra SOK (Mr.)
It depends on the exact certificate error you’re seeing.
I got the error message from client computer as details below:
“There is a problem with the proxy server’s security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server mail.domain.com.kh. (Error Code 8).”
Now I have no more ideas related to this issue. Please help me to solve this issue as soon as possible. THANKS
The problem is that the connecting computer doesn’t trust the certificate authority that issued the SSL certificate. This is usually when you have issued the certificate from your own private CA instead of buying a commercial certificate.
So the solution is to either:
- install the root certificate from the CA on the connecting computer so that it trusts the certificates issued by that CA
- replace the certificate with one from a commercial certificate authority
How can I install the root certificate from the CA? And how do I replace the certificate with one from a commercial certificate authority? Please guide me to solve this issue. THANKS for your kind support.
Can I contact you by Skype or email? This is my email address: smart_sspt@yahoo.com; and Skype: event_sok
Removed – please use the forums if you have questions about other topics
We have a wildcard SSL certificate. How do we import / assign this in Exchange 2010?
We tried to create a CSR and import the existing CRT, but we are getting an error:
“Cannot import certificate. A certificate with the thumbprint 44CE486F809C2DF0AADE2C4D9277CD3160E2ED16 already exists. “
Ranjjth, take a closer look at that existing certificate. Seems like you’re trying to import the same certificate twice.
Hi
I have a query: I have a single server with the Client Access role and two servers in a DAG with the Mailbox and Hub roles. I have purchased a Comodo SSL certificate for the domain and have assigned the roles; OWA, OMA and ActiveSync are working OK.
I have created a GPO to distribute the certificate to the clients and verified it has been distributed, yet the Outlook clients still prompt for a certificate.
Any ideas?
They prompt for a certificate? Or they prompt with a certificate warning?
If it is a warning you’ll need to tell us more about the exact warning that is given before any advice can be provided. Different warnings mean different things.
Hey man,
First of all thank you so much for the info posted. Very helpful and very well formed.
But still I have a small problem. When I am trying to import the certificate, it says:
“The source data is corrupted or not properly Base64 encoded.”
What must I do?
Thank you
Hi Paul,
The prompt is an Outlook window with the security alert. The reason I suspect it is appearing is that the name on the security certificate is invalid or does not match the name of the site.
Hi Paul,
I have a test Exchange server at home and configured the SSL certificates from 3rd party CAs. The scenario is that I have got 2 certificates from 2 different CAs:
1. mail.domain.com (services for OWA, ActiveSync) - Geotrust CA
2. exch1.domain.com (service for Autodiscover) - SSLcert CA.
Now the issue is that when I assign the IIS and SMTP services to the mail.domain.com certificate, I can access OWA and ActiveSync on my Android phone without any issues, since it shows the mail.domain.com certificate, but the Autodiscover service doesn't run, since it says the certificate is not valid for exch1.domain.com.
And when I assign the same services to the exch1 certificate, I can test Autodiscover and it works well, but OWA and ActiveSync don't run because a “certificate is not valid” message comes up.
I am just using a free SSL cert service for testing purposes. The problem with free SSL is that it can only give you a certificate for a single hostname and not multiple. Can you suggest how to fix the issue?
The problem is that only one cert can be assigned to IIS at a time. So if you use cert 1, then Autodiscover (which is a web service using HTTPS) has the wrong certificate, and then if you use cert 2 then all the other web services have the wrong certificate.
The best solution is to use a SAN certificate, which I’ve described in more detail here:
http://exchangeserverpro.com/exchange-2010-ssl-certificates
Being new to Exchange 2010 I decided I didn’t need to purchase a SAN certificate, so instead I only purchased a certificate for webmail.mydomain.com. I have now learnt that Outlook would be much happier if I had a trusted certificate for autodiscover.mydomain.com.
So, I am trying to add a new certificate for autodiscover.mydomain.com using EMC. Under Exchange Configuration the only thing I have ticked is Autodiscover on the Internet, and I have specified my autodiscover URL. However when I click next I get an error like this:
Some controls aren’t valid.
– Input String cannot be empty.
– Input String cannot be empty.
Looking at your comment just above, does this mean I cannot add an additional cert, I’ve got to scrap the one I’ve got already and replace it with a SAN cert?
You’re seeing that error because you haven’t filled out the rest of the new certificate wizard mandatory fields.
To answer your question, all of the Exchange web services such as OWA, ActiveSync, Autodiscover and so on are served off one IIS website. An IIS website can only have one SSL cert bound to it. Therefore, you can only use one cert for Exchange, hence the use of SAN certs.
However, you can create an additional IIS website and create new virtual directories off that for different Exchange web services, and have a different SSL cert bound to that website. But since you’re new to Exchange I wouldn’t recommend it, and to be honest even experienced people tend to stick to just one IIS website and use a SAN cert for ease of deployment and administration.
Thanks for your response Paul, much appreciated.
It sounds like one SAN cert is the way to go. I will contact the certificate issuer and see if I can upgrade it so I don’t waste my money.
When buying my SAN cert, do I need to include my internal domain names? I guess if I’m using OWA internally I need to buy mail.mydomain.local. What about autodiscover? Everybody in our company has an external SMTP address as their primary email address, so do we need autodiscover.mydomain.local? And if so, what happens when we add further Exchange servers to our expanding domain? If we have many Exchange servers and shared DNS, then doesn’t that mean we will need many internal autodiscover addresses?
Sorry for all the noobie questions.
Internally the autodiscover names are the FQDN of the CAS, or at least by default.
Generally speaking for your SAN cert you’ll need:
- the FQDN of each CAS
- the Autodiscover name for each primary SMTP namespace
- the DNS name for OWA, ActiveSync, and Outlook Anywhere
So, for example:
server.domain.local
autodiscover.domain.com
mail.domain.com
Your SAN cert can include all CAS, or you can do a different cert per CAS. If you add a CAS later on you can provision a new SAN cert, or if your cert provider allows it re-issue the existing cert with the additional name. Digicert is very flexible when it comes to situations like that, as well as situations where you might make a mistake and leave a name off by accident.
Hi Paul, just a quick question. I have a single-server Exchange 2003/Outlook 2010 environment and I’m about to transition to Exchange 2010. Once I build my Exchange 2010 server with the typical components, will my clients start receiving certificate errors before I install a SAN certificate, or will this only happen if I migrate the mailbox onto Exchange 2010?
Thanks
Stephen.
Yes they may, which is explained in a bit more detail here:
http://exchangeserverpro.com/autodiscover-ssl-warnings-exchange-2010-migration
Hi Paul,
We are implementing an Exchange 2003 transition to 2010.
They currently use an Entrust cert for OWA, with say mymail.mydomain.co.my.
Now we would like to keep this OWA site the same when we switch to 2010.
Can I include this mymail.mydomain.co.my in my SAN cert without revoking or changing the original cert on 2003?
So SAN cert name would be for mail.mydomain.co.my but include mymail.mydomain.co.my
Will this work?
Hi Paul,
Great read, but I do have one question. How does one go about recreating the default 5-year SSL certificate for Exchange 2010? I have found loads on creating the 1-year self-cert ones, but nothing for the 5-year one that Exchange 2010 creates for itself when setting up. As far as I know, this is done through the Exchange Management Shell.
The New-ExchangeCertificate cmdlet has a -GenerateRequest parameter that determines whether the cmdlet will generate a request for a CA or a self-signed cert.
Read more about it here:
http://technet.microsoft.com/en-us/library/aa998327.aspx
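As an added example (not code from the post or its author), the following Exchange Management Shell session ties together the two answers above: the SAN name list recommended for a CAS (mail.domain.com, autodiscover.domain.com, server.domain.local are the sample names from that answer) and the difference between New-ExchangeCertificate with and without -GenerateRequest. Friendly names, subject fields and file paths are assumptions; adjust them to your organization.

```powershell
# Added example, not the post author's code. Run from the Exchange Management
# Shell on the Client Access server. Host names are the sample names from the
# answer above; friendly names, subject fields and paths are assumptions.

$names = "mail.domain.com", "autodiscover.domain.com", "server.domain.local"

# 1. Check what is bound today. Only one certificate can carry the IIS service,
#    which is why a second single-name cert cannot also cover Autodiscover.
Get-ExchangeCertificate |
    Format-List Thumbprint, FriendlyName, IsSelfSigned, Services, CertificateDomains, NotAfter

# 2. Generate a SAN certificate request for a third-party CA. In Exchange 2010 the
#    cmdlet returns the request as text, so it is written to a file with Set-Content.
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "Contoso Exchange SAN" `
    -SubjectName "CN=mail.domain.com, O=Contoso, C=US" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\exchange-san.req" -Value $csr

# 3. After the CA returns the issued certificate, import it and enable the
#    services. Importing a certificate whose thumbprint is already in the store
#    fails with the "certificate with the thumbprint ... already exists" error
#    quoted earlier in the thread, so step 1 shows whether that is the case.
#    -Force suppresses the confirmation about replacing the default SMTP cert.
Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path "C:\certs\exchange-san.cer" -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services IIS,SMTP -Force

# 4. Lab alternative: omit -GenerateRequest and the cmdlet creates a self-signed
#    certificate (the same kind setup creates) and enables it on the given
#    services directly. Clients will warn about it unless they trust the issuer.
New-ExchangeCertificate -FriendlyName "Lab self-signed SAN" `
    -SubjectName "CN=mail.domain.com" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -Services IIS,SMTP
```

Re-run step 1 after enabling a certificate to confirm that IIS and SMTP now point at the intended thumbprint and that CertificateDomains lists every name Outlook and Autodiscover will connect to.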