  • What certs should I have in Exchange 2013

    I created a Certificate Authority on our network to handle Exchange certificates. When I look in the certificate store in the Exchange Administrative Center I see 3 certificates. The one I used to self-sign during installation, the one I created utilizing the local CA, and another cert I don't know what that is. See the attachment.

    The first cert is the one from the CA. Now in the "issuer" line the first field is
    cn=c2sddc2-ca, cn...... The c2sddc2-ca is not the machine name of the CA. You'd remove the '-CA' to get the machine name, so is the name I have incorrect? That's the name given when I installed Certificate Services. Plus this cert only handles services IMAP, POP. Is this okay? Why isn't this cert handling IMAP, POP, IIS, SMTP like the 2nd cert? I know I selected all services.

    The second cert is the self signed cert and handles service IMAP, POP, IIS, SMTP.

    The third cert I have no idea why it's there. So are there certs I can delete here? I am having trouble getting Outlook 2010 to connect.

  • #2
    Re: What certs should I have in Exchange 2013

    Do you have 100% control of all client connections to Exchange?

    IE - are you blocking OWA from any machines that are not members of your domain?

    If the answer to that is no, then using an internal CA was the wrong choice for Exchange certificates. You should use an external trusted SSL provider.
    Otherwise your end users will get prompts about an untrusted SSL certificate - and with all of the headlines over SSL in recent months (Heartbleed) that is not a good idea.

    To answer your specific question, it is difficult to say - I don't use internal CA issued certificates for any reason whatsoever - even my lab systems have trusted certificates on them (using free single name certificates).

    Most Exchange servers will have two certificates on them at least - a certificate for IIS, IMAP and POP, which will have the public names on it, and another internal certificate for SMTP which will be for the internal server name only.

    Almost certainly the problem with Outlook clients you are having is down to trusting the certificate. No trust and Outlook will fail to connect.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: What certs should I have in Exchange 2013

      Yes I have control over all PCs and all are on the domain. This is an isolated network with no Internet access. I saw it done the way I describe on other posts.

      Tell a rusty certificate guy why this is bad?

      Why isn't the local CA trusted? I just read that in an AD Enterprise Certificate configuration all domain machines automatically trust the CA.

      How, then, do you define trusted?

      PS I had done it without a local CA and used another self-signed cert off the Exchange server and that did not work either.

      So obviously I am missing something so how do I fix it?
      Last edited by araczek; 28th May 2014, 18:45.



      • #4
        Re: What certs should I have in Exchange 2013

        Usually if you are using an internal CA you would publish the root certificate to the domain so that the domain clients trust it. However I have no idea how you go about that as I have never done it.
        Isolated Exchange servers are very rare, I think I have only deployed one in over ten years of working with Exchange.

        Simon.
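        An added example, not from this thread or from Simon's posts, of how to check the two things discussed above on the Exchange server itself: which services each certificate is bound to, and whether each certificate chains to a CA that the machine's Trusted Root store actually trusts. It assumes the Exchange Management Shell on the Exchange 2013 server; the CA name and thumbprint values are placeholders you fill in from the output.

```powershell
# Added example (not the original poster's or Simon's code). Run in the Exchange
# Management Shell on the Exchange 2013 server. Lists every Exchange certificate,
# the services it is enabled for, the services it is missing, and whether the
# machine can build a trusted chain for it (False = issuing CA not trusted).

$required = 'IIS', 'SMTP', 'IMAP', 'POP'   # services the poster expected on the CA-issued cert

foreach ($c in Get-ExchangeCertificate) {
    # Re-read the certificate from the machine store so we can run chain validation.
    $x509    = Get-Item "Cert:\LocalMachine\My\$($c.Thumbprint)"
    $trusted = $x509.Verify()   # False if the issuer chain is incomplete or untrusted

    $enabled = @()
    if ($c.Services -ne 'None') { $enabled = "$($c.Services)" -split ',\s*' }
    $missing = $required | Where-Object { $enabled -notcontains $_ }

    [pscustomobject]@{
        Thumbprint   = $c.Thumbprint
        Subject      = $c.Subject
        Issuer       = $c.Issuer
        SelfSigned   = $c.IsSelfSigned
        Expires      = $c.NotAfter
        Services     = ($enabled -join ',')
        Missing      = ($missing -join ',')
        ChainTrusted = $trusted
    }
}

# Is the issuing CA's certificate in this machine's Trusted Root store at all?
# Replace the placeholder with the CN shown in the certificate's Issuer line.
$caName = 'CA-NAME-PLACEHOLDER'
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $caName } |
    Select-Object Subject, Thumbprint, NotAfter

# Once ChainTrusted is True and CertificateDomains cover the names clients use,
# bind the CA-issued certificate to all four services (placeholder thumbprint):
# Enable-ExchangeCertificate -Thumbprint THUMBPRINT-PLACEHOLDER -Services IIS,SMTP,IMAP,POP
```

If the CA cert is absent from the Root store, that is the trust gap Simon describes; domain-joined clients normally receive an enterprise CA's root automatically, and it can otherwise be distributed via the Trusted Root Certification Authorities Group Policy setting.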
