Windows – Certificate error: The name in the certificate does not match…, Outlook client using .local

Tags: domain-name-system, exchange, ssl-certificate, windows

We have recently had to decommission our .local certificate from Godaddy, as it will not be valid anymore. The new certificate contains the following names:

  • mail.mydomain.com
  • autodiscover.mydomain.com

This certificate has been applied to the Exchange server and activated for all services.

I was expecting clients to get errors on the certificate as they are connected to the mail.mylocaldomain.local name. I have read a lot of documentation and they all pretty much say the same thing:

  1. add new zone on local DNS server with the public domain (I added a zone mydomain.com)
  2. add a record A pointing to the local ip of the email server (I added mail.mydomain.com pointing to local IP of the server)

I have issued these commands:

Set-ClientAccessServer -Identity EXCHANGE-MAIL -AutodiscoverServiceInternalUri https://mail.publicdomain.co.uk/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "EXCHANGE-MAIL\EWS (Default Web Site)" -InternalUrl https://mail.publicdomain.co.uk/EWS/Exchange.asmx
Set-OABVirtualDirectory -Identity "EXCHANGE-MAIL\OAB (Default Web Site)" -InternalURL https://mail.publicdomain.co.uk/OAB
Set-ActiveSyncVirtualDirectory -Identity "EXCHANGE-MAIL\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://mail.publicdomain.co.uk/Microsoft-Server-Activesync
Set-WebServicesVirtualDirectory -Identity "EXCHANGE-MAIL\EWS (Default Web Site)" -ExternalUrl https://mail.publicdomain.co.uk/ews/exchange.asmx

with the proper names in them, but my clients are still getting the certificate error.

Why?
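The quickest way to see why a name-mismatch error persists after the split-DNS zone and the Set-*VirtualDirectory commands above is to list every hostname a client can be handed (Autodiscover URI, each virtual directory's internal and external URL, the Outlook Anywhere hostnames, and the server's own Active Directory FQDN, which older Outlook versions connect to directly over RPC) and compare each against the SANs on the certificate that is actually bound to IIS. The script below is an added example, not code from the question or the answer. It assumes it is run in the Exchange Management Shell on the Exchange server itself, and that the server name is EXCHANGE-MAIL as in the question; change $Server otherwise.

```powershell
# Added example (not from the original question or answer): report every
# hostname Exchange hands to clients and whether the IIS-bound certificate
# covers it. Assumes the Exchange Management Shell on the Exchange server and
# the server name used in the question; adjust $Server for your environment.

$Server = 'EXCHANGE-MAIL'

# Pull the hostname out of a virtual-directory URL (may be empty / $null).
function Get-UrlHost {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $null }
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $null }
}

# True when $Name is on the certificate. A wildcard SAN covers exactly one
# label: *.mydomain.com covers mail.mydomain.com but not a.b.mydomain.com.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    $n = $Name.ToLowerInvariant()
    foreach ($c in $CertNames) {
        $c = $c.ToLowerInvariant()
        if ($c -eq $n) { return $true }
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)                       # ".mydomain.com"
            if ($n.EndsWith($suffix) -and $n.Length -gt $suffix.Length) {
                $rest = $n.Substring(0, $n.Length - $suffix.Length)
                if (-not $rest.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Which internal IP (if any) the name resolves to from this server; this is
# the split-DNS check for the zone and A record described in the question.
function Get-ResolvedAddresses {
    param([string]$Name)
    try { return (([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) -join ',') }
    catch { return 'UNRESOLVED' }
}

# 1. Names carried by the certificate that is enabled for the IIS service.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service on this server.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
Write-Host "IIS certificate $($cert.Thumbprint) names: $($certNames -join ', ')"

# 2. Every hostname a client can be directed to.
$targets = New-Object System.Collections.Generic.List[object]
function Add-Target {
    param($Source, $Url)
    $h = Get-UrlHost $Url
    if ($h) { $targets.Add([pscustomobject]@{ Source = $Source; Host = $h }) }
}

$cas = Get-ClientAccessServer -Identity $Server
Add-Target 'Autodiscover InternalUri' $cas.AutoDiscoverServiceInternalUri

foreach ($vd in (Get-WebServicesVirtualDirectory -Server $Server)) { Add-Target 'EWS InternalUrl' $vd.InternalUrl; Add-Target 'EWS ExternalUrl' $vd.ExternalUrl }
foreach ($vd in (Get-OABVirtualDirectory -Server $Server))         { Add-Target 'OAB InternalUrl' $vd.InternalUrl; Add-Target 'OAB ExternalUrl' $vd.ExternalUrl }
foreach ($vd in (Get-ActiveSyncVirtualDirectory -Server $Server))  { Add-Target 'EAS InternalUrl' $vd.InternalUrl; Add-Target 'EAS ExternalUrl' $vd.ExternalUrl }
foreach ($vd in (Get-OwaVirtualDirectory -Server $Server))         { Add-Target 'OWA InternalUrl' $vd.InternalUrl; Add-Target 'OWA ExternalUrl' $vd.ExternalUrl }
foreach ($oa in (Get-OutlookAnywhere -Server $Server)) {
    if ($oa.InternalHostname) { $targets.Add([pscustomobject]@{ Source = 'OutlookAnywhere InternalHostname'; Host = "$($oa.InternalHostname)".ToLowerInvariant() }) }
    if ($oa.ExternalHostname) { $targets.Add([pscustomobject]@{ Source = 'OutlookAnywhere ExternalHostname'; Host = "$($oa.ExternalHostname)".ToLowerInvariant() }) }
}

# The server's own AD FQDN: the name older Outlook versions connect to over RPC,
# and the one a .local forest leaves you with whatever the URLs say.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLowerInvariant()
$targets.Add([pscustomobject]@{ Source = 'Server FQDN (RPC/MAPI)'; Host = $fqdn })

# 3. One row per name: not on the certificate, still .local, or not resolving
#    to an internal address are the three things to look for.
$targets | Sort-Object Host, Source | ForEach-Object {
    [pscustomobject]@{
        Source     = $_.Source
        Host       = $_.Host
        OnCert     = Test-NameCovered $_.Host $certNames
        IsDotLocal = $_.Host.EndsWith('.local')
        ResolvesTo = Get-ResolvedAddresses $_.Host
    }
} | Format-Table -AutoSize
```

Any row with OnCert = False is a name clients will be handed that the certificate cannot vouch for; in the scenario above that is typically the Server FQDN row, which no public CA will put on a certificate for a .local name. A ResolvesTo value that is the public IP rather than the internal one means the split-DNS zone is not being used by that resolver path.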

Best Answer

Your Exchange server's FQDN (Fully Qualified Domain Name) is still hostname.domainname.local, hence the clients connect to it, see that the name of the server they are connecting to matches neither the name nor the SANs (Subject Alternative Names) on the certificate you have, and throw that error, as they are designed to do.

The easiest solution (by a wide margin) is to perform an Exchange migration to get your Exchange server onto a properly named domain for which you can get a certificate issued from a trusted public certificate authority.

See this thread on Active Directory best practices; it is one of several we have on the subject. Your Active Directory DNS name should be an unused subdomain of your publicly registered domain name. Once you have that in place, migrate your Exchange server to it, and get a certificate issued which includes your new Exchange server's FQDN, for which you will be able to obtain a certificate.