
I have been reading solutions to this problem for a week now and I'm still not able to figure out this certificate stuff.  My migration from WinServer2K3/Exchange2007 to WinServer2K8/Exchange 2010 had been going well until this error started popping up for every user whose mailbox I moved from the old to the new server.

I understand that I need a CA and I've installed it on one of my DCs.  I just don't understand the details of the connection between the CA and the Exchange Server.

I see that my Exchange server has a default unsigned certificate and I can see the new certificate I can create on my Exchange server, but I don't get how the CA trusts this new certificate and I don't see how my workstation will trust it.  Nor do I understand how to get it into my trusted store.

OWA works like a champ, this cert error only shows up when I try to connect with my 2007 clients to the Exchange 2010 server.

Thanks in advance.

asked 10/11/2011 03:26


aarontheyoung1


17 Answers:
In Exchange you will need to create the new UCC SAN cert with all the domain and subdomain names you are using in your Exchange network.

Your best option is to buy the SAN cert from godaddy for $89, it is much easier for you and your users.

Depending on your environment the Enterprise CA is different, if you let me know I can point you in the right direction.

Once you get the CA cert installed you won't get that error anymore.  Exchange 2010 also requires the SAN cert to get full functionality out of your server.

answered


madhatter5501


My environment is very simple.  One Exchange Server will be the end result.  One domain.  My Exchange 2007 server will go away after I migrate everyone.

I've two DCs and the CA is on one of them.  How does buying the cert make it easier?  $89 is pretty cheap so if you're telling me it's plug and play if I buy it, I'll be sold.

However, it'd be nice to understand what is going on.

1.  How do I generate the CA cert?
2.  How do I install it on the Exchange Server?

Thanks!

answered 2011-10-11 at 11:36:35


aarontheyoung1


I have a CA Exchange Issued Certificate on the DC that is the CA.  I can open that certificate and do a copy to a file and I've created an "ExportedCert.cer" file.  Now what?

answered 2011-10-11 at 11:43:24


aarontheyoung1

In the EMC under Server Configuration, there should be an option to Complete Pending Certificate Request; a wizard will open and walk you through the process.

The reason that buying a public cert is easier is because the clients will already have the trust established with GoDaddy in their certificate store; using an internal CA, you will have to install the cert manually on each client.

answered 2011-10-11 at 11:45:26


madhatter5501


I've tried to run this wizard, but it always fails and tells me that a certificate with thumbprint <LONG THUMBPRINT> already exists.

Ah, GoDaddy is already in my Windows 7 Workstation certificate store?  When did that happen?

answered 2011-10-11 at 11:53:51


aarontheyoung1

How do I generate a new certificate request with a new thumbprint?  I'm using:

New-ExchangeCertificate -FriendlyName "Franklin 2010 Cert" -IncludeServerFQDN -GenerateRequest -PrivateKeyExportable $true


answered 2011-10-11 at 12:03:14


aarontheyoung1

It happens by default; it's included with the OS.

answered 2011-10-11 at 12:06:37


madhatter5501


GoDaddy is going to cost us $89/year.  We sure would like to avoid that cost.  I thought it was a one time thing.  Can you help me with the steps to get the cert into the Exchange Server?  I can't get past this thumbprint problem.  Do I have to remove ALL certificates from the Exchange Server that are currently there?  Even my self-signed one?

answered 2011-10-11 at 12:09:28


aarontheyoung1


Well, I created a completely new certificate on my CA and selected it to map to the cert request on my Exchange server, and it completed without errors.  HOWEVER, its status is still PENDING.  Am I getting any closer?

answered 2011-10-11 at 12:45:10


aarontheyoung1

Did you run the pending request wizard in Exchange?

No, you don't need to remove the self-signed cert.

answered 2011-10-11 at 13:08:06


madhatter5501


Yes, I ran the Complete Pending Request on the Exchange 2010 Server.  Finished with no more thumbprint error.   Status still shows it as "This is a pending certificate signing request"

answered 2011-10-11 at 13:21:51


aarontheyoung1

Try restarting the EMC.

answered 2011-10-11 at 13:24:30


madhatter5501

No change.  Still pending.

answered 2011-10-11 at 13:26:28


aarontheyoung1

Looks like an internal URL pointing error. Try to point the internal URL so that it matches the certificate.

answered 2011-10-11 at 13:40:15


senthil1_kumar

I'm not sure what you mean by "point the internal URL matching to the certificate."  The Internal URL of what?

answered 2011-10-11 at 14:05:41


aarontheyoung1
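For readers landing on this thread later, here is the full request / complete / enable cycle the posts above are circling around, together with the internal URL settings senthil1_kumar is referring to. This is an added example, not a command from anyone in the thread; the host names, file paths, template name and the CA config string "CA-SERVER\Corp-CA" are placeholders for your own environment.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2010 server. Placeholders: mail.example.com, autodiscover.example.com,
# EX2010 (server NetBIOS name), EX2010.corp.example.local, CA-SERVER\Corp-CA.
$domains = "mail.example.com", "autodiscover.example.com", "EX2010", "EX2010.corp.example.local"

# 1. Generate the request. Every name Outlook and Autodiscover will connect to must be in
#    the SAN list; a name that is missing here is what produces the cert prompt on clients.
#    If the "thumbprint already exists" error appears, a stale pending request with the same
#    key is present: list it with Get-ExchangeCertificate and remove it first:
#      Remove-ExchangeCertificate -Thumbprint <pending request thumbprint>
$req = New-ExchangeCertificate -GenerateRequest -FriendlyName "Franklin 2010 Cert" `
    -SubjectName "CN=mail.example.com" -DomainName $domains -PrivateKeyExportable $true
Set-Content -Path "C:\certs\ex2010.req" -Value $req

# 2. Submit to the internal Enterprise CA. The CA config string is shown by "certutil -dump";
#    "WebServer" is a placeholder template that must be issuable on that CA.
certreq -submit -attrib "CertificateTemplate:WebServer" -config "CA-SERVER\Corp-CA" `
    "C:\certs\ex2010.req" "C:\certs\ex2010.cer"

# 3. Complete the pending request (the cmdlet behind the EMC "Complete Pending Request"
#    wizard). The issued cert is paired with the private key created in step 1, so this must
#    run on the same server that generated the request while that request is still pending.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certs\ex2010.cer" -Encoding Byte -ReadCount 0))

# 4. Bind it to the services. Until this runs, IIS keeps presenting the self-signed cert,
#    which is why the status can look "done" while clients still complain.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 5. Internal URLs: the host name in each URL must be one of the names in $domains.
#    Outlook 2007 learns these URLs via Autodiscover, so a URL using the bare server name or
#    another name not on the cert triggers the prompt even with a valid cert installed.
Set-ClientAccessServer -Identity EX2010 -AutoDiscoverServiceInternalUri "https://autodiscover.example.com/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "EX2010\EWS (Default Web Site)" -InternalUrl "https://mail.example.com/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "EX2010\OAB (Default Web Site)" -InternalUrl "https://mail.example.com/OAB"
Set-OwaVirtualDirectory -Identity "EX2010\owa (Default Web Site)" -InternalUrl "https://mail.example.com/owa"

# 6. Verify: Status should now be Valid, Services should include IIS and SMTP, and
#    CertificateDomains should list every name from step 1.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Status, Services, CertificateDomains

# 7. Client trust. Domain-joined workstations normally receive an Enterprise CA's root
#    through AD and Group Policy; a non-domain client needs the exported root installed
#    by hand (run on the client, placeholder path):
#      certutil -addstore Root C:\certs\corp-ca-root.cer
#    Either way, confirm on a client that the CA appears in the Trusted Root store:
#      certutil -store Root | findstr /i "Corp-CA"
```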

I resolved this by getting a godaddy.com certificate and getting technical support through them.

answered 2011-10-12 at 19:32:46


aarontheyoung1

None.


answered 2011-12-12 at 07:44:13


aarontheyoung1

Seen: 337 times

Last updated: 12/16/2011 05:19