Using a "Trusted Certificate" in our Exch 2007 environment
We've started to deploy a few Outlook 2010 clients into our Exchange 2007 world and we've noticed the default certificate behavior with Outlook 2010. When clients first open their Outlook 2010, they get a warning that "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority." The cert we have on our Exchange 2007 server was self-generated and so it appears that Outlook 2010 does not trust it unless we install the cert into the Trusted Root Cert store. I'm thinking I have two ways to go to fix this.
1. Find a way to put the cert we have now into each user's cert store, say by Group Policy.
2. Since we are in an AD domain, submit a cert request to our own Microsoft CA and take that cert and add it to our users' systems via Group Policy.
I'm interested in what others are doing in cases like this.
Orange County District Attorney
December 2nd, 2010 9:03pm

The simple way is to just buy a trusted certificate. The same certificate works for OWA, ActiveSync, Outlook Anywhere etc. When you can get the required certificate type for less than US$80/year, anything else doesn't make sense. The self-signed certificate that Exchange 2007 deploys when installed is only designed as a placeholder. I wouldn't even consider installing it on the clients as it just creates an admin nightmare. You could use your own CA, but unless you have control over 100% of the clients (so aren't allowing the use of OWA) then you will continue to get security warnings. Telling users to ignore security warnings isn't really a good idea. This problem also occurred with Outlook 2007, so I guess if you are only seeing it now, you must have skipped that version.
Simon.
Simon Butler, Exchange MVP
December 3rd, 2010 8:30am

Outlook 2010 no longer skips the trust validity check:
http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/
If those CAS are internet-facing, 3rd party certificates are the way to go. You can use an internal PKI, but I would only recommend that if the CAS is not internet-facing and the only clients that connect to it are internal, domain-joined clients.
December 3rd, 2010 9:32am

Thanks for the great information. Right now, our CAS are internal and all our clients are domain joined. We're going to opt to use our Microsoft CA (we're government and we have no money) since the price is right.
Orange County District Attorney
December 3rd, 2010 1:39pm
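
The trust check discussed in this thread can be reproduced on a domain-joined client or on the CAS itself: the script below reports, for each certificate in the local machine store, whether it looks self-signed and whether it chains to a root this machine trusts. It is an added example, not part of the original thread; the function name Test-CertificateTrust is made up here, and it relies only on the .NET X509Chain class.

```powershell
# Added example (not from the thread): report chain trust for local certificates.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the result reflects only chain building and root trust.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() returns $false when, for example, the root is not in a trusted store.
    $trusted = $chain.Build($Certificate)

    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }

    # The last chain element is the root that was reached (the leaf itself if self-signed).
    $rootSubject = ''
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    New-Object PSObject -Property @{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        # Heuristic: a self-signed certificate names itself as its issuer.
        SelfSigned  = ($Certificate.Subject -eq $Certificate.Issuer)
        Trusted     = $trusted
        ChainStatus = $status
        Root        = $rootSubject
        NotAfter    = $Certificate.NotAfter
    } | Select-Object Subject, Issuer, SelfSigned, Trusted, ChainStatus, Root, NotAfter
}

# Evaluate every certificate in the computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateTrust -Certificate $_ } |
    Format-List
```

A certificate reported with SelfSigned True and ChainStatus UntrustedRoot is the condition that produces the Outlook 2010 warning; after the internal CA's root has been distributed by Group Policy, a certificate issued by that CA should report Trusted True on clients.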
