SSL Certificate

Dear all,

On our Exchange 2013 we have the self-signed certificate that Exchange generated the first time we installed it.

Lately we applied a new SSL and it's implemented.

Can I delete the self-signed certificates or just leave them there? Or just unassign their services?

Thank you


  • Edited by Julien.AG Friday, March 13, 2015 10:04 PM
March 13th, 2015 10:02pm

Hi Julien,

Since the services have been assigned to the new SSL certificate properly. Please make sure all needed namespaces in Exchange server have been included in your new certificate. Then the self-signed certificate can be safely ignored in CAS server.

I suggest we don't need to do any changes for self-signed certificate and just leave them there.

Regards,

March 16th, 2015 7:10am

I agree with Winnie. I wouldn't delete any of the self signed Certificates.  There's no harm in leaving them there.
March 16th, 2015 11:23am

Thank you so much all for your answer.

I am having one issue. Every time I open Outlook it pops up with the self-signed certificate "ex.domain.lan".

I add the certificate to the trusted host,

once Outlook is restarted the same security alert pops up:

Ex.domain.lan

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

X The name on the security certificate is invalid or does not match the name of the site.

As I understand from the message, the SSL is using the DNS name of the Exchange, webmail.domain.com,

but the already configured Outlook is using the Ex.domain.com.

I've changed the Exchange proxy to the name assigned on the external certificate, but no fix.

Any suggestions how I can fix this? Thank you.


  • Edited by Julien.AG 15 hours 25 minutes ago
March 16th, 2015 11:56am

Run the following: 

Get-OutlookProvider

Get-OutlookAnywhere | fl *name, *host*

Get-ClientAccessServer | fl name, *uri*

See if any of these return a .local address.

March 16th, 2015 1:27pm


For Outlook Anywhere run:

Get-OutlookAnywhere -Server <ServerName> | Set-OutlookAnywhere -InternalHostname mail.domain.com
(Note, you will probably have to add -InternalAuthenticationMethod and -InternalClientsRequireSSL switches, I didn't include them b/c I don't know what they're set for in your environment.)

For Autodiscover:

Set-ClientAccessServer -Identity <ServerName> -AutodiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml

I would do this off hours, so you do not interrupt users during the day, being that they are already connected.

You may want to take a look at your OWA, ECP, and EAS virtual directories and make sure they point to mail.domain.com and not ex.domain.lan, otherwise they will get cert errors as well.

March 16th, 2015 3:03pm
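
The check described in the replies above, gathered into one pass (an added example, not part of the original thread): it lists every hostname Exchange hands out to clients and marks whether the CA-issued certificate assigned to IIS covers it. It assumes the Exchange 2013 Management Shell, run on the Client Access server being checked; `Test-NameCovered` is a helper written for this example, not an Exchange cmdlet.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2013).
# Assumption: executed on the Client Access server that is being checked.
$server = $env:COMPUTERNAME

# Helper written for this example: true when $HostName equals a certificate
# name or is covered by a wildcard entry spanning exactly one label.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }   # -eq ignores case for strings
        if ($n.StartsWith('*.') -and $HostName.Split('.', 2)[1] -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Names on the CA-issued certificate that is assigned to IIS.
$names = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" }

# Every hostname or URL that Exchange publishes to clients.
$settings = [ordered]@{}
$settings['Autodiscover SCP'] = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$oa = Get-OutlookAnywhere -Server $server | Select-Object -First 1
$settings['OutlookAnywhere internal'] = $oa.InternalHostname
$settings['OutlookAnywhere external'] = $oa.ExternalHostname
foreach ($v in 'Owa', 'Ecp', 'ActiveSync', 'WebServices', 'Oab') {
    $d = & "Get-${v}VirtualDirectory" -Server $server | Select-Object -First 1
    $settings["$v internal"] = $d.InternalUrl
    $settings["$v external"] = $d.ExternalUrl
}

# Report each configured name and whether the certificate covers it.
$settings.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object {
    $value = "$($_.Value)"
    $name  = if ($value -match '://') { ([uri]$value).Host } else { $value }
    [pscustomobject]@{
        Setting       = $_.Key
        HostName      = $name
        OnCertificate = (Test-NameCovered $name $names)
    }
} | Sort-Object OnCertificate, Setting | Format-Table -AutoSize
```

Rows with OnCertificate set to False are the settings that will trigger the name-mismatch alert in Outlook until they point at a name on the certificate.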



EAC = Exchange Admin Center.  You can make the changes there or via the shell.  but no
March 18th, 2015 6:18am

What's the error you get when you run the command?
March 18th, 2015 8:19am

Please help on this,

becoming annoying now !

March 18th, 2015 8:19am

Did you cycle IIS? What happens when you try to create a brand new Outlook profile? Also, can you do a test email config with Outlook (make sure you uncheck the Guessmart options) and see if Autodiscover is still returning any .local addresses?
March 18th, 2015 8:24am


Go to results and look at the addresses... anything show as .local? Is there only 1 exchange server involved?
March 18th, 2015 9:46am


Probably more on the Outlook side of things; it doesn't query Autodiscover all the time, it does it on a specific interval (I forget what it is offhand). When you create a new profile, that has to go through Autodiscover and get the new settings. So that's probably why it worked.
March 18th, 2015 11:04am

This topic is archived. No further replies will be accepted.
