Exchange 2010 certificate for Outlook Anywhere
Hello, is the self created Exchange certificate good to be used for Outlook Anywhere? The only strange thing that I see is that it is named for the internal hostname of the mail server instead of mail.xxx.com, which might be the reason why I am getting error 10 when Outlook is trying to connect using Outlook Anywhere. How can I fix this error, please?
November 30th, 2010 5:40pm

You cannot use the default Exchange self-signed certificate for Outlook Anywhere. (Not only won't it work, it's a really bad idea!)
http://technet.microsoft.com/en-us/library/dd351044.aspx
When you install Exchange 2010, a self-signed certificate is automatically configured. A self-signed certificate is signed by the application that created it. The subject and the name of the certificate match. The issuer and the subject are defined on the certificate. A self-signed certificate will allow some client protocols to use SSL for their communications. Exchange ActiveSync and Outlook Web App can establish an SSL connection by using a self-signed certificate. Outlook Anywhere won't work with a self-signed certificate.
Self-signed certificates must be manually copied to the trusted root certificate store on the client computer or mobile device. When a client connects to a server over SSL and the server presents a self-signed certificate, the client will be prompted to verify that the certificate was issued by a trusted authority. The client must explicitly trust the issuing authority. If the client confirms the trust, then SSL communications can continue.
November 30th, 2010 8:00pm

Ok, so OWA and ActiveSync will accept and work with the self-signed certificate created by Exchange; however, Outlook Anywhere won't. So when I create a certificate request I have to name it mail.xxxx.com, as I want to make sure the certificate will point to the correct domain name.
December 1st, 2010 1:01am

You'll need to include all the possible FQDNs if you are creating a UCC cert.
December 1st, 2010 8:09am

Hi,
The certificate must contain the external host name that you configured in the Outlook Anywhere setup page. Outlook Anywhere clients can still access Exchange with a self-signed certificate, but they will get the following error. To avoid such an error, you have to manually install your certificate to the user's Trusted CA store:
1. Access your OWA by using HTTPS. When you receive the warning, click View Certificate.
2. In the Details tab, click Copy to File, and save the certificate on a local drive.
3. Double-click the certificate (*.cer) you just saved and click "Install Certificate".
4. Select "Place all certificates in the following store".
5. Click Browse, select "Trusted Root Certificate Authorities". Click OK to install.
Thanks
Gen Lin-MSFT
December 2nd, 2010 4:09am

Yes, but after I installed it I got error 10: The name on the security certificate is invalid or does not match the name of the target site mail.xxx.com. The name of the OWA certificate shows only the name of the mail server by its hostname.
December 2nd, 2010 2:11pm

You'll need subject entries in the cert that match the FQDN you are trying to connect to. Is mail.xxx.com listed as a subject in that cert?
December 2nd, 2010 3:16pm

No, only the name of the internal Exchange server; it is the inbuilt self certificate.
December 2nd, 2010 3:42pm

Ok, then you'll need to generate a correct certificate to handle the namespaces. 3rd party certs are the way to go.
December 2nd, 2010 4:47pm
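The check discussed in the posts above, written for the Exchange Management Shell as an added example that is not part of the original thread: it compares the Outlook Anywhere external host name with the names on every certificate enabled for IIS and, if none covers it, writes a certificate request for that name. The function name `Test-CertCoversName` and the path `C:\Temp\mail.req` are hypothetical.

```powershell
# Added example. Run in the Exchange Management Shell on the Client Access server.
# Test-CertCoversName and C:\Temp\mail.req are hypothetical names, not from the thread.

# True if one certificate name (exact or single-label wildcard) matches the host name.
function Test-CertCoversName {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            # "*.example.com" covers "mail.example.com" but not "a.b.example.com"
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -ieq $name.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

# The name Outlook Anywhere clients connect to (mail.xxx.com in the thread).
# With several Client Access servers, this takes the first one returned.
$externalName = (Get-OutlookAnywhere | Select-Object -First 1).ExternalHostname.ToString()

# Certificates enabled for IIS are the ones presented to Outlook Anywhere clients.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })

$covered = $false
foreach ($cert in $iisCerts) {
    $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $match = Test-CertCoversName -CertNames $names -HostName $externalName
    if ($match) { $covered = $true }
    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        Names        = ($names -join ', ')
        SelfSigned   = $cert.IsSelfSigned
        CoversTarget = $match
    }
}

# No IIS certificate carries the external name: write a request that does.
# Add any other FQDNs clients use to -DomainName before submitting it to a CA.
if (-not $covered) {
    $request = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "cn=$externalName" -DomainName $externalName `
        -PrivateKeyExportable $true
    Set-Content -Path 'C:\Temp\mail.req' -Value $request
}
```

A row with `CoversTarget` false and `SelfSigned` true corresponds to the default certificate described in this thread, which carries only the internal server name.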

Thanks a lot. So as a temporary solution I can generate a certificate from a local Certificate server with the Subject name of mail.xxx.com and install it on the client machines apart from the Exchange server; this way it should work.
December 2nd, 2010 5:52pm

If the client machines already trust the local certificate server chain, then you are good. If they don't trust the chain, then each workstation will need any intermediate and root certs installed (either manually or with a GPO). That's the reason 3rd party certs are preferred. They already have the certificate chain installed locally for the well-known certificate vendors.
December 2nd, 2010 8:06pm

This topic is archived. No further replies will be accepted.
