I've been battling this for some time and cannot figure out how to resolve it.
Any guidance would be great! :)
I have an Exchange 2010 server running all of the roles except for the Edge Transport role.
Domain is 2008 R2 with Certificate role installed on domain controller.
I've followed through the process of generating a new certificate and applying it to the Exchange 2010 server. I followed this BLOG that appeared to be straightforward.
**These are inserts from a BLOG, I just modified for my environment.**
Generating a Certificate Request
In order to create a new certificate, you need to generate a certificate request using the New-ExchangeCertificate cmdlet. Once you have a certificate request generated, you can obtain a certificate from an internal Certificate Authority (CA) or a 3rd party external CA.
In this example, we’ll generate a request using two Subject Alternative Names (SANs). This will allow us to support multiple URLs with one certificate:
$cert = New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Litware, cn=mail.litware.internal" -DomainName owa.litware.internal,mail.litware.internal -PrivateKeyExportable $true
As you can see in the example, we’ve saved the output of the command in a variable called $cert. Next, export the data to a text file using the Out-File cmdlet:
$cert | Out-File c:\cert.txt
After the request has been saved in the text file, submit the request to a CA to obtain the certificate.
Installing a Certificate
After you obtain a certificate from a CA, you can install it on the Exchange server. To do this, you’ll need to use the Import-ExchangeCertificate cmdlet. The syntax would look something like this:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\cert.cer -Encoding Byte -ReadCount 0))
Now that the certificate is installed, you need to enable it and assign the services that it will be used for. I’ve found that the easiest way to do this is to pipe the output from Get-ExchangeCertificate to Enable-ExchangeCertificate. For example, let’s say I just installed a certificate that contains the domain name owa.litware.internal. I would use the following command to enable this certificate and assign the IIS and SMTP services on a CAS+Hub server:
Get-ExchangeCertificate -DomainName owa.litware.internal | Enable-ExchangeCertificate -Services IIS,SMTP
Keep in mind that when you enable the SMTP service for a certificate on a hub transport server, you will be prompted to overwrite the existing self-signed certificate.
**These are inserts from a BLOG, I just modified for my environment.**
Set-ClientAccessServer -Identity "mbx1" -AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx
Set-OABVirtualDirectory -Identity "mbx1\OAB (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/OAB
Enable-OutlookAnywhere -Server mbx1 -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod "NTLM"
Set-ActiveSyncVirtualDirectory -Identity "mbx1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-Activesync
When I open up Outlook the wonderful Security Alert pops up:
autodiscover.domain.org
Green Check Box
Green Check Box
Red X "The name on the security certificate is invalid or does not match the name of the site".
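A way to audit which client-facing hostnames the IIS-bound certificate does not cover, which is the mismatch the Outlook alert above reports (an added script, not code from the post or the blog it quotes; it assumes the CAS is named mbx1 as in the post and is run from the Exchange Management Shell):

```powershell
# Added audit script (not from the original post or the quoted blog).
# Assumption: the Client Access Server is "mbx1" as in the post.
$Server = "mbx1"

# 1. Collect every hostname that Outlook / ActiveSync clients are told to connect to.
$vdirs = @()
$vdirs += Get-WebServicesVirtualDirectory -Server $Server
$vdirs += Get-OabVirtualDirectory -Server $Server
$vdirs += Get-ActiveSyncVirtualDirectory -Server $Server
$vdirs += Get-OwaVirtualDirectory -Server $Server
$urls = @()
foreach ($vd in $vdirs) { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri

$hosts = @()
foreach ($u in $urls) { if ($u) { $hosts += ([Uri]$u).Host.ToLower() } }
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($oa -and $oa.ExternalHostname) { $hosts += $oa.ExternalHostname.ToString().ToLower() }
# Clients that cannot use the SCP fall back to DNS: <smtp-domain> and autodiscover.<smtp-domain>.
foreach ($d in (Get-AcceptedDomain)) {
    $name = $d.DomainName.ToString().ToLower()
    $hosts += $name; $hosts += "autodiscover.$name"
}
$hosts = $hosts | Sort-Object -Unique

# 2. Names on the certificate(s) currently bound to IIS (CertificateDomains includes the CN and SANs).
$iisCerts = @(Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services.ToString() -match "IIS" })
if ($iisCerts.Count -ne 1) { Write-Warning "Expected exactly one IIS certificate, found $($iisCerts.Count)" }
$sans = @()
foreach ($c in $iisCerts) { foreach ($n in $c.CertificateDomains) { $sans += $n.ToString().ToLower() } }

# 3. Exact match, or a wildcard entry that covers exactly one extra label (*.example.org).
function Test-NameCovered([string]$fqdn, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $fqdn) { return $true }
        if ($n.StartsWith("*.") -and ($fqdn -like $n) -and
            ($fqdn.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

# 4. Any "NOT covered" line is a name clients will be warned about.
foreach ($h in $hosts) {
    $status = if (Test-NameCovered $h $sans) { "covered" } else { "NOT covered" }
    "{0,-45} {1}" -f $h, $status
}
```

Every name listed as NOT covered must either be added to the certificate's SAN list or removed from the client-facing URLs before the alert goes away.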