It appears that the auto-renewal feature works for all certificates in my domain except the Exchange 2007 cert; I have to manually generate the request, pass it to the cert server for approval, then import it back into Exchange 2007 in order to use SSL/TLS/OWA properly (Microsoft should fix this).
After typing the command certreq -submit c:\cert3_myserver.txt and choosing the appropriate CA I get the following error window:
The request contains no certificate information. 0x80094801 (-2146875391) Denied by Policy Module. The request does not contain a certificate template extension or the CertificateTemplate request attribute.
Did this last year and it worked fine; I have my notes from the case and can find nothing related to this error. Any help would be appreciated.
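Added example, not part of the original post or of any reply in this thread: the manual request/submit/import cycle described above, carried out from the Exchange Management Shell on an Exchange 2007 server. The CA config string "CA01.corp.example.com\Corp-Issuing-CA", the template name "WebServer", the subject and SAN names and the file paths are all assumptions for illustration. The point it shows is the one the error message hints at: a request generated by New-ExchangeCertificate carries no template information, so an enterprise CA's policy module rejects it unless the template is supplied as a request attribute at submit time.

```powershell
# Added example (not from the original thread). Assumed names: CA config
# "CA01.corp.example.com\Corp-Issuing-CA", template "WebServer", host names
# under example.com, request/response files under C:\. Adjust to your environment.

# 1. Generate the PKCS#10 request on the Exchange 2007 server.
#    -DomainName lists every name clients will connect to (OWA, Autodiscover,
#    internal FQDN) so they end up in the Subject Alternative Name extension.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.example.com,O=Example,C=US" `
    -DomainName mail.example.com, autodiscover.example.com, myserver.corp.example.com `
    -PrivateKeyExportable $true `
    -Path C:\cert3_myserver.txt

# 2. Submit to the enterprise CA. Without -attrib the request names no template,
#    which is what produces "Denied by Policy Module ... CertificateTemplate".
#    -config skips the interactive CA picker; the second file is the issued cert.
certreq -submit -config "CA01.corp.example.com\Corp-Issuing-CA" `
    -attrib "CertificateTemplate:WebServer" `
    C:\cert3_myserver.txt C:\cert3_myserver.cer

# 3. Import the issued certificate (it pairs with the pending request's private
#    key) and bind it to the services that need it.
$cert = Import-ExchangeCertificate -Path C:\cert3_myserver.cer
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Checks: the issued cert should carry the template extension, and the
#    Exchange certificate list should show it enabled for the chosen services.
certutil -dump C:\cert3_myserver.cer | Select-String "Template"
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject,CertificateDomains,Services,NotAfter
```

If the request is being produced outside Exchange with certreq -new from an INF file instead, the equivalent fix is a `[RequestAttributes]` section containing `CertificateTemplate = WebServer`; either way the template must reach the CA with the request, because the policy module will not guess one.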
Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
The solution is not to use a self-generated certificate. They are not supported for Outlook Anywhere or Exchange ActiveSync. Deploy a commercial certificate.
Why, as a small business, do I need to purchase a certificate? I have a two-tier PKI infrastructure with an enterprise subordinate CA issuing certificates. My root CA is on all desktop, laptop and mobile clients so there is no issue there. Your solution makes no sense. Does the commercial certificate have magical powers that allow it to settle into place without manual install?
Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
quote:
ORIGINAL: hunglikethor
Does the commercial certificate have magical powers that allow it to settle into place without manual install?
Yes, that is indeed the case. If you purchase a certificate from a trusted root then there is nothing to install on the devices. When you visit Amazon, do you have to install a certificate? Your bank, any other ecommerce site? No, because the certificate is issued by a trusted root. An internal CA is only practical when you have control over 100% of the clients that are accessing the services, and that usually means the machine is a member of the forest for ease of deployment (not always though). If you do not have that level of control, for example allowing users to access OWA from their own machines at home etc, then a commercial certificate is the only way to go.
With mobile devices the key is to get a certificate from the right source. Many of the low-cost certificate suppliers are not on the root certificate list. RapidSSL, for example, provide cheap certificates, but they are useless for Windows Mobile as you have to install their root on to the device.
But still, if you have a small business, you can deploy all certs via GPO...
OWA is still accessible via a self-signed cert WITHOUT installing ANY cert on the PC...
We use a self-signed cert for 10 people and it's great that we can... Via GPO, the cert is applied on all devices within minutes... At home, they can use OWA; on their home PCs there is no need at all for the Outlook Anywhere feature... But they do have it on business notebooks (certs on notebooks are managed via GPO)...
So a self-signed cert is very useful if you can control it...
Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
So you get the users used to ignoring the certificate warning? That is just bad practice. The warnings in IE7/8 about the certificate are just ignored.
Users are stupid. They will only remember that the IT person said to ignore the SSL certificate warning, not that it was only on their site. It exposes them to a man-in-the-middle attack along with a load of other things.
What happens when the certificate expires?
As far as I am concerned, if machines that are not under your control (and that includes home user machines) are accessing OWA, then a commercial certificate should be used.