Ssl – Exchange 2010 – SSL Certificate

exchange-2010sslssl-certificate

I've generated free certificate at StartCom for external OWA usage remote.domain.com. Problem is after installing it in Exchange, local users started getting errors from Outlook that Exchange.domain.local doesn't match the certificate name. Is there a way to use 2 different certificates. One for local usage thru Outlook MAPI and one for external usage thru OWA? It seemed to work fine with Exchange 2003 without a problem.

Best Answer

NETBIOS name of Exchange : ExchangeServerName
Internal FQDN (AD name) : exchangeserver.local
External FQDN (Public name) : remote.domain.com
Autodiscover name : autodiscover.remote.domain.com
SubjectName : cn=smtp.remote.domain.com

You should have the above on a Self Signed Certificate to work properly and you won't have that warning. Internal FQDN Name should be there.

In Exchange 2010, there is a certificate wizard via EMC (Exch. Mgmt. Console)
I would recommend to follow the tutorial on the link below (good one) :
http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010

Hope that Helps

Related Solutions

Exchange 2010 Transport Certificate , Event ID 12014

You can expand any of the sections (doesn't matter) under the "Exchange Configuration" page of the new certificate wizard and just type in mail.mydomainhere.com, and hit next. The wizard is just trying to help make sure you've covered all of your bases, and helps you build a list of names if you're applying for a Unified Communications/SAN certificate.

The "Certificate Domains" page will list all of the names you are putting on the certificate. Since you are only applying for a single name, this should only show the name you entered on the previous page. Again, it doesn't matter which section you put the name under.

Fill out the rest of your organization info and the wizard will generate your CSR.

I generally recommend getting a UC cert that contains all of the names you need or will need for Exchange, so that you can assign one certificate to all services:

mail.domain.com (client access and transport TLS)
autodiscover.domain.com

You can handle autodiscover for any additional domains by using SRV records that point to autodiscover.domain.com.

Exchange 2010 – Certificate error on internal Outlook 2013 connections

Here are the steps to change the FQDN used by Outlook to connect to the server (sources: Godaddy, puryear)

Using the Exchange Management console change the internal URL of the different webservices:

Set-ClientAccessServer -Identity Your_Server_Name -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "Your_Server_Name\EWS (Default Web Site)" -Set-OABVirtualDirectory -Identity "Your_Server_Name\oab (Default Web Site)" -InternalUrl https://mail.domain.com/oab

Set-UMVirtualDirectory -Identity “Your_Server_Name\unifiedmessaging (Default Web Site)” -InternalUrl https://mail.domain.com/unifiedmessaging/service.asmx

Set-ActiveSyncVirtualDirectory -Identity "Your_Server_Name\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

The main thing to notice here is that your setting the internal URLs to be the same as the external URLs.

Best Answer

Related Solutions

Exchange 2010 Transport Certificate , Event ID 12014

Exchange 2010 – Certificate error on internal Outlook 2013 connections

Related Topic