Exchange 07 Certificate


  • Exchange 07 Certificate

    I use a third-party certificate for my Exchange environment. But every time I open my Outlook client I get this Security Alert message:

    exch-cas.my.domain
    Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

    (Green Checked) The security certificate is from the trusted certifying authority.
    (Green Checked) The security certificate date is valid.
    (Red X) The name on the security certificate is invalid or does not match the name of the site.

    Do you want to proceed?

    Does anyone know how to get this issue resolved?
    Thanks for the input.

    HN

  • #2
    Re: Exchange 07 Certificate

    I would first verify that an intermediate certificate has been installed on the Exchange server should the 3rd Party SSL provider require one.

    Also, check the current status of SSL certificates by running this command within the Exchange Shell.

    Get-ExchangeCertificate | fl | out-file -filePath c:\certs.txt


    • #3
      Re: Exchange 07 Certificate

      This message indicates that the name of the certificate does not match the name with which the site is configured for access.

      Either configure access for your Exchange and get a certificate corresponding to those names, or plan the names for the certificate, get it, and configure the names for your Exchange appropriately to the certificate.


      • #4
        Re: Exchange 07 Certificate

        Teams,

        I'm kinda lost here. Does this mean I have to buy another certificate? I've been spending a lot of money with VeriSign to get the certificate for Exchange 07. Is there an easy way to manually fix it without buying another certificate?

        Here's what I have:

        I got a certificate for:
        mail.mydomain.com
        autodiscover.mydomain.com

        Does this error indicate that I do have a certificate to many my internal CAS server? Do I need to get another certificate for my internal mail server, which is called Mail-Exch.local?

        Thanks,
        H.N


        • #5
          Re: Exchange 07 Certificate

          Check Sembee's posts on Exchange 2007 certificates
          You need a SAN (subject alternative name) certificate with 4 or 5 names on it

          Price (from e.g. godaddy.com) should be about $60 per year -- more than that and you are being royally s****ed

          Are you getting the error inside your LAN or from outside?
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: Exchange 07 Certificate

            Originally posted by Ossian:
            Check Sembee's posts on Exchange 2007 certificates
            You need a SAN (subject alternative name) certificate with 4 or 5 names on it

            Price (from e.g. godaddy.com) should be about $60 per year -- more than that and you are being royally s****ed

            Are you getting the error inside your LAN or from outside?

            This error pops up when I open my Outlook client inside my LAN.
            Yes, I do have a certificate with SAN, but only got these two certificates:
            https://mail.mydomain.com
            https://autodiscover.mydomain.com

            Do I need another SAN certificate for my internal CAS server to match the server name?

            Thanks,
            H.N


            • #7
              Re: Exchange 07 Certificate

              http://blog.sembee.co.uk/post/Exchan...es-Take-2.aspx

              Thank you
              Tom Jones

              • #8
                Re: Exchange 07 Certificate

                Originally posted by Virtual:
                I would first verify that an intermediate certificate has been installed on the Exchange server should the 3rd Party SSL provider require one.

                Also, check the current status of SSL certificates by running this command within the Exchange Shell.

                Get-ExchangeCertificate | fl | out-file -filePath c:\certs.txt

                This is what I got when I ran the following command:

                AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule , System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
                CertificateDomains : {Mail.mydomain.com, AutoDiscover.mydomain.com}
                HasPrivateKey : True
                IsSelfSigned : False
                Issuer : CN=***** Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.******.com/rpa (c)06, OU=VeriSign Trust Network, O="*****, Inc.", C=US
                NotAfter : 5/23/2012 7:59:59 PM
                NotBefore : 5/23/2010 8:00:00 PM
                PublicKeySize : 2048
                RootCAType : ThirdParty
                SerialNumber : 87D8E71368D1G372C71607K495959864
                Services : IMAP, POP, IIS, SMTP
                Status : Valid
                Subject : CN=Mail.mydomain.com, OU=Terms of use at www.******.com/rpa (c)05, OU=Mail.mydomain.com, O=myOU INC., L=MyCity, S=mystate, C=US, SERIALNUMBER=731130, OID.2.5.4.15="V1.0, Clause 5.(b)", OID.1.3.6.1.4.1.311.60.2.1.2=mystate, OID.1.3.6.1.4.1.311.60.2.1.3=US
                Thumbprint : 995C52D4E5D41257D5455DBFBC01B9B54786BAF1

                AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule , System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
                CertificateDomains : {mail-exch-cas, mail-exch-cas.domain.local}
                HasPrivateKey : True
                IsSelfSigned : True
                Issuer : CN=mail-exch-cas
                NotAfter : 5/17/2011 4:31:31 PM
                NotBefore : 5/17/2010 4:31:31 PM
                PublicKeySize : 2048
                RootCAType : None
                SerialNumber : 8FC9C3E14D2D2DA44B93C82DF5B6BDEC
                Services : SMTP
                Status : Valid
                Subject : CN=mail-exch-cas
                Thumbprint : 3C08F9D44E84A7CFBC3911C59KIP96499FEF6547


                • #9
                  Re: Exchange 07 Certificate

                  I see. It looks as if the certificate is being used. I would suggest the following.

                  Find out from the 3rd Party certificate provider whether you purchased a SAN and see if you can have it re-issued and this time, add additional names in accordance with Sembee's procedure that Ossian has provided a link to.


                  • #10
                    Re: Exchange 07 Certificate

                    Originally posted by Virtual:
                    I see. It looks as if the certificate is being used. I would suggest the following.

                    Find out from the 3rd Party certificate provider whether you purchased a SAN and see if you can have it re-issued and this time, add additional names in accordance with Sembee's procedure that Ossian has provided a link to.

                    I did purchase a SAN, but I did not purchase for the internal server name "mail-exch-cas". Do I need to get a SAN name to match this server name?
                    Is there a way that I can use a local cert for the internal name (mail-exch-cas)?


                    • #11
                      Re: Exchange 07 Certificate

                      I don't believe you can. If I was you, request another certificate. Send them another CSR and this time include all the required names. You will probably find they may do it free of charge.

                      I tend to use wildcard certificates as it allows me to then use it with the SharePoint, external websites and Exchange. The only issue is with it not being usable with POP3 and IMAP in Exchange 2007. You can change some name mappings in Exchange 2010.

                      The wildcard I purchase gives me a license for installation on 3 separate servers. I send CSRs off for the re-issue on the other servers and I get a certificate free of charge.

                      In your case, you are best looking into a re-issue of the SAN. Also, you usually have 7 days to trial a certificate, so you can then get a full refund if required.


                      • #12
                        Re: Exchange 07 Certificate

                        If I need to get another cert, which one should I get? I currently have two certs:
                        1. mail.mydomain.com
                        2. autodiscover.mydomain.com

                        Here is my exchange 07 layout.

                        mail-exch-cas ---> HUB/CAS/Transport roles
                        mail-exch ---> Cluster name for database
                        mail-exch-1 ---> Database (Active/passive)
                        mail-exch-2 ---> Database (Active/passive)

                        When my Outlook client connected, it connected to "mail-exch".

                        Then the error message pops up: "The name on the security certificate is invalid or does not match the name of the site." Is this error complaining about the internal site or the external site?


                        • #13
                          Re: Exchange 07 Certificate

                          You don't have the name of the Exchange server on the SAN certificate. mail-exch.domain.local. Review the link that Ossian gave you and carry out the steps in Sembee's procedure.
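
Added example, not written by any poster in this thread: a check for the Exchange Management Shell that reports which client-facing host names are covered by the certificates enabled for IIS, which is the comparison behind the "name does not match" alert. The host names are the ones mentioned in the thread, the function name Test-CertCoversName is hypothetical, and the wildcard rule goes beyond the thread's SAN case to the wildcard certificates mentioned in #11.

```powershell
# Added example; run in the Exchange Management Shell on the CAS server.
# Host names taken from the thread: the two on the purchased certificate plus
# the internal names mentioned by the posters. Replace with your own.
$clientNames = 'mail.mydomain.com', 'autodiscover.mydomain.com',
               'mail-exch-cas.domain.local', 'mail-exch.domain.local'

# Hypothetical helper: true if $HostName is covered by one of $CertNames.
function Test-CertCoversName([string]$HostName, [string[]]$CertNames) {
    foreach ($certName in $CertNames) {
        # Exact match; -eq on strings is case-insensitive, like DNS names.
        if ($certName -eq $HostName) { return $true }
        # A wildcard entry covers exactly one extra left-most label.
        if ($certName.StartsWith('*.')) {
            $suffix = $certName.Substring(1)    # e.g. ".mydomain.com"
            if ($HostName.ToLower().EndsWith($suffix.ToLower())) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label.IndexOf('.') -lt 0) { return $true }
            }
        }
    }
    return $false
}

# Outlook's HTTPS connections (Autodiscover, web services, OAB) are served by
# IIS, so only certificates enabled for the IIS service matter for this alert.
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | ForEach-Object {
    $cert  = $_
    $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
    "Certificate {0} (self-signed: {1})" -f $cert.Thumbprint, $cert.IsSelfSigned
    foreach ($n in $clientNames) {
        if (Test-CertCoversName $n $names) { "  OK        $n" }
        else                               { "  MISMATCH  $n" }
    }
}
```

Against the output posted in #8, only the third-party certificate is enabled for IIS, so the two public names report OK and both .local names report MISMATCH.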
