Comments on: Assign an SSL Certificate to Exchange Server 2016 Services https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/ Practical Office 365 News, Tips, and Tutorials

By: Bobmin https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-236806 Wed, 06 Oct 2021 22:15:06 +0000 https://www.practical365.com/?p=9406#comment-236806 In reply to Ashan.

Then you’re stuck with the old certificate until you tell it yes.

By: Ashan https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-229928 Mon, 15 Jun 2020 07:00:03 +0000 https://www.practical365.com/?p=9406#comment-229928

What happens if you select No on the Warning to overwrite?

By: Akwasi Agyarko-Bediako https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-196512 Tue, 26 Mar 2019 13:51:09 +0000 https://www.practical365.com/?p=9406#comment-196512

Hello Paul,

Thanks for that, but then I am currently facing a situation where OWA users are being logged out intermittently even when they are not idle. I am suspecting this happened after I applied SSL to the services.

Any feedback or support on this will be appreciated.

Thank you

By: Brandt Smith https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-189722 Thu, 07 Feb 2019 19:31:15 +0000 https://www.practical365.com/?p=9406#comment-189722

I am replacing a 10SAN cert with a 20SAN cert…I have assigned the services OK…should I delete the old cert (it will expire in a few months anyway)?

By: Paul Cunningham https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-156231 Wed, 22 Nov 2017 20:31:30 +0000 https://www.practical365.com/?p=9406#comment-156231 In reply to Jeremy.

What is the namespace that they’re trying to connect to when the mismatch error appears?

By: Jeremy https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-156222 Wed, 22 Nov 2017 12:07:46 +0000 https://www.practical365.com/?p=9406#comment-156222

Paul,

I have followed this to the “T” and I still get reports of cert name mismatch from end users. We are using a wildcard certificate. Could this be the issue? All the internal URIs are pointing to “https://mail.ourdomain.com”; nothing points to the server name itself. We still have both Exchange 2010 and Exchange 2016.

Any thoughts would be appreciated.

Thanks!

By: Paul Cunningham https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-156109 Wed, 15 Nov 2017 20:20:59 +0000 https://www.practical365.com/?p=9406#comment-156109 In reply to Josh Gardner.

I’m not familiar with how to fully replace and remove the self-signed certs that are used for backend and internal stuff. I’m not surprised that removing them causes stuff to break. I suggest you open a support case with Microsoft for guidance on that.

By: Josh Gardner https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-156103 Wed, 15 Nov 2017 16:07:02 +0000 https://www.practical365.com/?p=9406#comment-156103 In reply to Josh Gardner.

This made me think that I should just keep the common cert for client/front end stuff, and submit requests that are identical in common name as the default created certs (specifically Microsoft Exchange Server Auth Certificate, and the WMSVC-SHA2) and replace each of those, respectively, instead of using the common cert. But in order to finalize a cert request it is mandatory that the domain field be selected, and since the errors/warnings were looking for the FQDN of the server I just used those for the request.

No wildcard certs are in place.

I hope my explanation isn’t too ridiculously confusing. Thanks!

Final 3/3

By: Josh Gardner https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-156102 Wed, 15 Nov 2017 16:06:40 +0000 https://www.practical365.com/?p=9406#comment-156102

We have imported the common cert and made that default for IIS and SMTP services. In our lab I also assigned this common cert to the IIS management (which means the WMSVC-SHA2 default cert has been replaced by the common cert), and I also set the AuthConfig to use the common cert to replace the default Microsoft Exchange Server Auth cert. At this point all services and whatnot should theoretically be using the shared cert mail.domain.org. Which means I can remove the default ones and no longer be in violation of the security finding. But when I did remove them (in the lab) I kept getting errors/warnings about receive connectors not being able to find a cert (subject was the FQDN of the server) with a particular thumbprint. The receive connectors (and maybe send connectors as well, I don’t remember off the top of my head) were hidden and not configurable. I assume that these are created specifically for server-to-server communications, and are not your standard Get-ReceiveConnector results.

part 2

By: Josh Gardner https://practical365.com/assign-an-ssl-certificate-to-exchange-server-2016-services/#comment-156101 Wed, 15 Nov 2017 16:06:20 +0000 https://www.practical365.com/?p=9406#comment-156101

We have a common SAN cert that is used for client access and autodiscover (for instance mail.domain.org). The certs that have the server name in are meant to be used for the backend communications.

In-depth scenario:
We have regulations that say that any cert that is not issued by a particular CA issuer is considered a security finding. As such the 3 default certs that get created upon installation of Exchange 2016 (Microsoft Exchange, Microsoft Exchange Server Auth Certificate, and the WMSVC-SHA2) are in violation of this.

part 1 of response sorry for length
