Good Afternoon Exchange Gurus,
I'm a little confused over Exchange 2010's implementation of certificates, and the implications of not having them set up correctly.
While I'm not new to Exchange, I am in the process of migrating from Ex 2003 to 2010. My problem comes from inheriting an internal contoso.net as our internal domain (we do not own it and contoso is not the actual domain name) and the external contoso.com, which we do own.
I have procured a UC cert from an external CA with SANs including mail.contoso.com, legacy.contoso.com, and our www.contoso.com. Imported it no problem. But obviously I cannot request the exchangeCAS.contoso.net from the CA as we do not own the contoso.net domain.
I exported the self-signed cert with key to a file to distribute via GPO, but when I run Exchange BPA, the top result is Certificate SAN mismatch: "The subject alternative name (SAN) of SSL certificate for https://exchangeCAS.contoso.net/Autodiscover/Autodiscover.xml does not appear to match the host address mail.contoso.com, legacy.contoso.com..."
Assigning IIS services to the self-signed cert seems to remove it from the UC cert.
What's been pushing me to resolve the internal certificate issue is complaints from users (none have been moved to Ex2010 DBs yet) that they are getting certificate errors using Outlook 2003 and 2010 internally. I even have one person in senior management getting prompted every 30 mins for credentials to the new Exchange 2010 DB backend server, which has only the default system mailboxes on it from when Exchange was installed.
Currently the self-signed cert has SMTP assigned to it; the UC cert has SMTP and everything else.
Should all these problems go away when the GPO imports the SS cert into the clients' trusted root? And what should I do to quell the angry BPA?
Thank you,
Brad
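The BPA warning in the post is the result of a simple check: take the hostname from each service URL the clients are handed and see whether any SAN entry on the certificate covers it. The following Python, added here as an illustration and not part of the original post or any Microsoft tool, reproduces that check against the SAN list described above. The service URLs other than the Autodiscover one quoted in the post are assumed for the example, and the wildcard handling goes beyond the post's case (the UC cert there has only plain names).

```python
from urllib.parse import urlsplit

# Constructed sample: the SAN list of the UC certificate described in the post.
UC_CERT_SANS = ["mail.contoso.com", "legacy.contoso.com", "www.contoso.com"]

# Constructed sample: URLs a client might be handed. The .net name is the
# internal CAS FQDN from the post; the other paths are assumed for illustration.
SERVICE_URLS = [
    "https://mail.contoso.com/owa",
    "https://legacy.contoso.com/exchange",
    "https://exchangeCAS.contoso.net/Autodiscover/Autodiscover.xml",
    "https://exchangeCAS.contoso.net/EWS/Exchange.asmx",
]


def hostname_matches(hostname, san_entry):
    """Case-insensitive DNS-name match with RFC 6125-style wildcard rules."""
    host = hostname.rstrip(".").lower()
    pattern = san_entry.rstrip(".").lower()
    if not pattern.startswith("*."):
        return host == pattern
    # A wildcard may only stand in for one whole leftmost label:
    # *.contoso.com covers mail.contoso.com, but not a.b.contoso.com
    # and not the bare contoso.com.
    suffix = pattern[1:]  # ".contoso.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def host_of(url):
    """Hostname part of a URL, lowercased by urlsplit; empty if absent."""
    return urlsplit(url).hostname or ""


def find_san_mismatches(urls, san_entries):
    """Return sorted unique hostnames from urls that no SAN entry covers."""
    missing = set()
    for url in urls:
        host = host_of(url)
        if not any(hostname_matches(host, san) for san in san_entries):
            missing.add(host)
    return sorted(missing)


if __name__ == "__main__":
    for host in find_san_mismatches(SERVICE_URLS, UC_CERT_SANS):
        print(f"SAN mismatch: {host} is not covered by {UC_CERT_SANS}")
```

Run as written, the only hostname reported is the internal exchangeCAS.contoso.net name, which is exactly the one the external CA cannot issue for; every contoso.com URL is covered by the UC cert.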