Re: SBS 2003 certificate problem affecting Exchange
- From: "Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 29 Mar 2008 13:51:57 -0400
deubster <deubster@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
OK, sorry if I wasn't clear. The SBS 2003 server was put online 4 years ago,
with Exchange running in house. There was no internet website except for the
default website used for OWA. The AD domain created was HUSA.local. A
domain name was registered for email purposes as HARDWARE-USA.COM, and the
name used for the MX record was MAIL.HARDWARE-USA.COM.
Now, mail.hardware-usa.com from the outside is the same server as
fredsrvr.husa.local from the inside. Email has worked fine, even OWA, as
mail.hardware-usa resolves properly to our router, which passes it to our
server.
Fast forward 3 years, the company decides it needs a website. It naturally
wants to call it WWW.HARDWARE-USA.COM. The site is hosted not on our own
server, but on our ISP's servers, a totally different IP.
That means you had a www.hardware-usa.com "A" record in DNS that
resolved to the IP address of your firewall, right? And
www.hardware-usa.com was what your users were putting into the address
bar in their browsers to get to OWA. That's the only way you would
have been able to use the certificate without getting a warning that
there was a mismatch in the names.
Apparently, the certificate originally created years ago on our internal
SBS/Exchange server is for WWW.HARDWARE-USA.COM. This has been OK
(unnoticed) for OWA users for years, but the smart phones can't deal with the
certificate errors.
I don't think it went unnoticed. I think your users were ignoring the
errors, as you were too.
I hope this is clear.
Well, it's clear that your users routinely ignore certificate errors.
That in itself isn't a good thing.
Obviously I need to replace the SBScert issued to www.hardware-usa.com with
one issued to mail.hardware-usa.com.
Yep.
After reading the article sent by John Oliver (thanks), I solved one
problem. As long as the only website is the default one created by SBS,
there is no option to remove or replace a cert (button grayed out). Once I
created a temp website, the certificates button was no longer grayed out.
It's late & I'm tired, so tomorrow I'll try to create a cert issued to
mail.hardware-usa.com, though my earlier attempt using certreq.exe came out
pretty strange.
For $20 you can get a cert from a public CA and not have to worry
about loading your CA's root certificate onto each of your machines,
PocketPCs, and SmartPhones (which can be a real chore, depending on
the OEM and whether they allow you to load certs onto their device).
The steps in the URL you mention use IIS to create the CSR. All you
have to do is load the CSR into the edit box at the 3rd-party CA after
you pay for the cert.
--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
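The check that the whole thread turns on, written out as an added Python example (not code from the thread): a certificate is only accepted without a warning when one of its DNS names covers the host name users actually type, so the old www.hardware-usa.com certificate fails at mail.hardware-usa.com. The name lists are constructed from the host names in the thread, and the wildcard rules follow RFC 6125 as browsers and phones apply them.

```python
"""Check whether a certificate's DNS names cover the host name clients type.

Added example, not from the original thread. The name lists at the bottom are
constructed from the thread: the old SBS certificate names www.hardware-usa.com,
while OWA and the phones connect to mail.hardware-usa.com.
"""
from typing import Iterable, List


def _normalise(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name (possibly a wildcard) covers hostname."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # The wildcard must be the whole leftmost label and leave at least two
    # more labels, so '*.com' never matches and 'w*.example.com' is rejected.
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    # '*' covers exactly one label: '*.hardware-usa.com' covers neither
    # 'hardware-usa.com' nor 'a.b.hardware-usa.com'.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers_host(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName (or the CN, when no SAN) covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def audit(cert_names: List[str], client_hosts: List[str]) -> List[str]:
    """Return the client host names this certificate would produce a warning for."""
    return [h for h in client_hosts if not cert_covers_host(cert_names, h)]


# Constructed data mirroring the thread: the original certificate names only
# the web site, but OWA and ActiveSync clients use the MX host name.
OLD_SBS_CERT = ["www.hardware-usa.com"]
REPLACEMENT_CERT = ["mail.hardware-usa.com"]
CLIENT_HOSTS = ["mail.hardware-usa.com", "MAIL.hardware-usa.com."]

if __name__ == "__main__":
    print("old cert warns for:", audit(OLD_SBS_CERT, CLIENT_HOSTS))
    print("new cert warns for:", audit(REPLACEMENT_CERT, CLIENT_HOSTS))
```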