Hi, I have a new installation of exchange 2007 and I have seeming set things up correctly. If I visit \\server\owa I get a mesaage that the server certificate is wrong: There is a problems with this websites secuirity certificate; The security certificate presented by this website was not issued by a trusted certificate authority; The security certificate presented by this website was issued for a different websites address. If I click on continue to use this website, it all works. BUT, I'm not sure what to do now to get a correct certificate. Is it possible to get the server to issue a certificate, if so which server (DC controller is xyz04 and exchange box is xyz05) can anyone advise. Further, presently I'm using ourdomainname.com as the internal server domain address whereas our website is hosted on ourdomainname.co.uk but I have bought .com so no-one else can use it. Does thecertificate need to reflect this info? Sorry this a load of questions, but I'm stuck now!! Many thanks, NEIL

Please read these two articles to understand how certificates work: http://technet.microsoft.com/en-us/library/bb851554 & http://technet.microsoft.com/en-us/library/bb851505

OK, that starts to make sense. So can I create a PKI myself or do I need to goto a CA? I do need to support exchange activesync and (hopefully) Outlook. Cheers, NEIL

If you need to support ActiveSync that means your mobile phones will need to trust the issuer of the certificate. You can install the certificates manually to each phone, and that will create this trust, or use a certificate thats already trusted by the mobile OS. Below are examples of trusted roots for Windows Mobile. You can Google for Iphone or Palm on your own: The following root certificates are installed on a Windows Mobile-based device: Class 2 Public Primary Certification Authority (VeriSign, Inc.) Class 3 Public Primary Certification Authority (VeriSign, Inc.) Entrust.net Certification Authority (2048) Entrust.net Secure Server Certification Authority Equifax Secure Certification Authority GlobalSign Root CA GTE CyberTrust Global Root GTE CyberTrust Root Secure Server Certification Authority (RSA) Thawte Premium Server CA Thawte Server CA http://support.microsoft.com/kb/915840 PS. I use godaddy often because they are the cheapest. But when I want something I trust a little more I use Entrust or Thawte.

As an additional information, if you would like create a self-signed certificate, you can refer the following steps: 1.First Lets generate a new certificate for SMTP Service: new-ExchangeCertificate -generaterequest -domainname <FQDN> -path c:\certreq.txt Note: - The first domain name in the in the -DomainName parameter will be the Issued To if you don't specify the -Subject parameter. - The domainname should fully match the old domain name field. 2. Open CA URL, click Request a certificate, then Advanced certificate request, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file. 3. Copy the contents of the certreq.txt file in the field under Saved Request. 4. Select Web Server under Certificate Template. 5. Click Submit. 6. Click Download certificate and save the CER file to the C: drive. 7. Remove the current SMTP certificate: Remove-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXX 8. Import the new certificate: import-Exchangecertificate -path c:\certnew.cer |enable-exchangecertificate -services SMTP 9. Restart Microsoft Transport Service, and then test the issue. Related articles share with you: How Change the certificate validity period from the default of one year http://support.microsoft.com/default.aspx?scid=kb;EN-US;239539 How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority http://support.microsoft.com/default.aspx?scid=kb;EN-US;254632 Exchange 2007 New-ExchangeCertificate http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx

Hi Elvis, OK I've created my certreq.txt not sure what you mean by 'open CA URL' - which url? Neil

Hi, It should be yourservername/certsrv. Please install Certificate service in Add/Remove programs firstly, or the page could not be displayed. Thanks, Elvis