Exchange 2007 OWA certificate
Hi,
I have a new installation of Exchange 2007 and I have seemingly set things up correctly. If I visit \\server\owa I get a message that the server certificate is wrong:
There is a problem with this website's security certificate; The security certificate presented by this website was not issued by a trusted certificate authority; The security certificate presented by this website was issued for a different website's address.
If I click on continue to use this website, it all works.
BUT, I'm not sure what to do now to get a correct certificate.
Is it possible to get the server to issue a certificate? If so, which server (DC controller is xyz04 and Exchange box is xyz05)?
Can anyone advise?
Further, presently I'm using ourdomainname.com as the internal server domain address whereas our website is hosted on ourdomainname.co.uk, but I have bought .com so no-one else can use it. Does the certificate need to reflect this info?
Sorry this is a load of questions, but I'm stuck now!!
Many thanks, NEIL
August 27th, 2008 6:28pm
Please read these two articles to understand how certificates work:
http://technet.microsoft.com/en-us/library/bb851554
&
http://technet.microsoft.com/en-us/library/bb851505
August 27th, 2008 7:25pm
OK, that starts to make sense. So can I create a PKI myself or do I need to go to a CA?
I do need to support Exchange ActiveSync and (hopefully) Outlook.
Cheers, NEIL
August 27th, 2008 10:46pm
If you need to support ActiveSync, that means your mobile phones will need to trust the issuer of the certificate. You can install the certificates manually on each phone, and that will create this trust, or use a certificate that's already trusted by the mobile OS. Below are examples of trusted roots for Windows Mobile. You can Google for iPhone or Palm on your own:
The following root certificates are installed on a Windows Mobile-based device:
Class 2 Public Primary Certification Authority (VeriSign, Inc.)
Class 3 Public Primary Certification Authority (VeriSign, Inc.)
Entrust.net Certification Authority (2048)
Entrust.net Secure Server Certification Authority
Equifax Secure Certification Authority
GlobalSign Root CA
GTE CyberTrust Global Root
GTE CyberTrust Root
Secure Server Certification Authority (RSA)
Thawte Premium Server CA
Thawte Server CA
http://support.microsoft.com/kb/915840
PS. I use GoDaddy often because they are the cheapest. But when I want something I trust a little more I use Entrust or Thawte.
August 27th, 2008 11:08pm
As additional information, if you would like to create a self-signed certificate, you can refer to the following steps:
1. First, let's generate a new certificate for SMTP Service:
New-ExchangeCertificate -GenerateRequest -DomainName <FQDN> -Path c:\certreq.txt
Note:
- The first domain name in the -DomainName parameter will be the Issued To if you don't specify the -Subject parameter.
- The domainname should fully match the old domain name field.
2. Open CA URL, click Request a certificate, then Advanced certificate request, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
3. Copy the contents of the certreq.txt file in the field under Saved Request.
4. Select Web Server under Certificate Template.
5. Click Submit.
6. Click Download certificate and save the CER file to the C: drive.
7. Remove the current SMTP certificate:
Remove-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXX
8. Import the new certificate:
Import-ExchangeCertificate -Path c:\certnew.cer | Enable-ExchangeCertificate -Services SMTP
9. Restart Microsoft Transport Service, and then test the issue.
Related articles to share with you:
How to change the certificate validity period from the default of one year
http://support.microsoft.com/default.aspx?scid=kb;EN-US;239539
How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority
http://support.microsoft.com/default.aspx?scid=kb;EN-US;254632
Exchange 2007 New-ExchangeCertificate
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx
September 1st, 2008 9:23am
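A pre-import check for the file saved in step 6, as an added example that is not part of the original thread: it tests the two conditions behind the browser warning in the first post, that a name on the certificate matches what clients connect to and that the issuer chains to a trusted root. The host names are placeholders, and the "DNS Name=" label assumes an English-language Windows.

```powershell
# Added example, not from the thread. Host names below are assumed placeholders.
$CerPath       = 'c:\certnew.cer'   # file saved in step 6
$ExpectedNames = 'mail.example.com', 'autodiscover.example.com'   # names clients connect to

function Get-CertDnsNames($Cert) {
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }   # Subject Alternative Name
        # Format($true) prints one entry per line, e.g. "DNS Name=mail.example.com"
        foreach ($line in $ext.Format($true).Split("`n")) {
            if ($line -match 'DNS Name=(.+)') { $names += $Matches[1].Trim() }
        }
    }
    $names | Sort-Object -Unique
}

function Test-NameCovered($HostName, $CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }              # -eq ignores case
        if ($n.StartsWith('*.')) {                          # wildcard covers one label only
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$names = @(Get-CertDnsNames $cert)
"Names on certificate: " + [string]::Join(', ', $names)
"Valid until:          " + $cert.NotAfter

$ok = $true
foreach ($h in $ExpectedNames) {
    if (-not (Test-NameCovered $h $names)) {
        Write-Warning "No name on the certificate matches $h"
        $ok = $false
    }
}

# Build() validates dates, signatures and trust against this machine's root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $ok = $false
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain: " + $s.Status + " - " + $s.StatusInformation.Trim())
    }
}
if ($ok) { "Names and chain check out on this machine." } else { "Resolve the warnings before importing." }
```

The chain result reflects only the root store of the machine the script runs on; ActiveSync devices carry their own root list, as the earlier reply about Windows Mobile points out.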
Hi Elvis,
OK, I've created my certreq.txt. Not sure what you mean by 'open CA URL' - which URL?
Neil
September 5th, 2008 10:50am
Hi,
It should be yourservername/certsrv. Please install Certificate service in Add/Remove Programs first, or the page cannot be displayed.
Thanks,
Elvis
September 5th, 2008 11:15am