Exchange Server Forums

Using certificate with Exchange 2007

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [Microsoft Exchange 2007] >> General >> Using certificate with Exchange 2007

Page: [1]

Message

<< Older Topic Newer Topic >>

Limited time MSExchange.org offer! -- 1.Sep.2008 1:00:00 PM

TechGenix and SolarWinds have partnered to provide free copies of SolarWinds Exchange Monitor to all visitors who join the MSExchange.org Forums. SolarWinds Exchange Monitor is a handy desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Learn more about Exchange Monitor and the free offer!

Using certificate with Exchange 2007 - 5.Jun.2008 11:39:39 AM

Monham

Posts: 5
Joined: 5.Jun.2008
Status: offline

Hello
need you help please to understand this issue
i installed a selfsigned Windows certificate root to be used for connection of intern client. this certificate will be expired in few days, i got the warning ID 12018 in the app log

After that we installed a private certificate (not selfsigned to be used for external clients) and we renewed the old certificate with Nex-Exchangecertificate command (we duplicated the certificate).

Now, when i opened Outlook 2000 (MAPI) i got the warning below:
"The server on which you are connected contain a certificate that can not be verified
The certificate string was analysed but the root certificate is not approved"

below the result of Get-ExchangeCertificate command:
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                    .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                    ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {HV0101, HV0101.fsb.priv}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=HV0101
NotAfter           : 04/06/2009 14:16:15
NotBefore          : 04/06/2008 14:16:15
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 8373540B5A305D8B498C3AEB1EE3201C
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=HV0101
Thumbprint         : C33B068ED7B4ACF840AA65E6CF00E6F937D58A68
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                    .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {hv0101.fsb.priv}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Commune_Fontenay, DC=fsb, DC=priv
NotAfter           : 13/01/2010 15:28:30
NotBefore          : 14/01/2008 15:28:30
PublicKeySize      : 1024
RootCAType         : Enterprise
SerialNumber       : 1C87EB6400000000000F
Services           : IIS
Status             : Valid
Subject            : CN=hv0101.fsb.priv, OU=DSI, O=Commune de Fontenay sous Boi
                    s, L=Fontenay sous Bois, S=94125, C=FR
Thumbprint         : F530E67AB5C268DF2BCEFC830C8D89601FDF5FD3
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                    .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.fontenay-sous-bois.fr}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Commune_Fontenay, DC=fsb, DC=priv
NotAfter           : 13/01/2010 15:01:30
NotBefore          : 14/01/2008 15:01:30
PublicKeySize      : 1024
RootCAType         : Enterprise
SerialNumber       : 1C6F31CD00000000000E
Services           : None
Status             : Valid
Subject            : CN=webmail.fontenay-sous-bois.fr, OU=DSI, O=Commune de Fon
                    tenay sous Bois, L=Fontenay sous Bois, S=94125, C=FR
Thumbprint         : D1DB9726F7CCE18F0132624C25E0E7E8E967BF38
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                    .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                    ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {HV0101, HV0101.fsb.priv}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=HV0101
NotAfter           : 19/06/2008 17:47:09
NotBefore          : 19/06/2007 17:47:09
PublicKeySize      : 2048
RootCAType         : GroupPolicy
SerialNumber       : F4B02D0339D678B94DB322D5270922D1
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=HV0101
Thumbprint         : B2CD27E95C47BAEF990C9A192A071BBB34757C34

Post #: 1

Featured Links*

RE: Using certificate with Exchange 2007 - 5.Jun.2008 5:50:56 PM

Sembee

Posts: 3960
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline

The self generated certificates are only really designed to get you started. You should be looking to switch to a commercial SSL certificate. That will also avoid acceptance issues.

It looks like the certificate isn't trusted or isn't enabled for all services.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://www.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.amset.co.uk/

(in reply to Monham)

Post #: 2

RE: Using certificate with Exchange 2007 - 6.Jun.2008 3:28:32 AM

Monham

Posts: 5
Joined: 5.Jun.2008
Status: offline

It looks like the certificate isn't trusted or isn't enabled for all services...
effectively, the commercial certificat will be used next, we are testing the selfsigned cert Now and we installed the commercial......
as you said the commercial certificate seem to be not trusted and i want to now:

1- why Outlook client did not use the selfsigned one (before renewing the selfsigned, it work fine even if the commercial is installed)?

2- How can i trust the commercial cert?

(in reply to Sembee)

Post #: 3

RE: Using certificate with Exchange 2007 - 6.Jun.2008 4:51:54 AM

Monham

Posts: 5
Joined: 5.Jun.2008
Status: offline

News for this case:

The pop-up appear only when using Outlook 2000, if we use Outlook 2007 iut will not appear.
here is the pop-up:
""The server you are connected to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Do you want to continue using this server?". "

many thanks for all

< Message edited by Monham -- 6.Jun.2008 5:39:05 AM >

(in reply to Monham)

Post #: 4

RE: Using certificate with Exchange 2007 - 6.Jun.2008 12:22:29 PM

Sembee

Posts: 3960
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline

Outlook 2000 is not a supported client of Exchange 2007 - you are aware of that?

The whole point of commercial certificates is that you don't have to install anything for them to be trusted. If you are getting trust issues then you need to look at what is the cause.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://www.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.amset.co.uk/

(in reply to Monham)

Post #: 5

RE: Using certificate with Exchange 2007 - 9.Jun.2008 4:26:50 AM

Monham

Posts: 5
Joined: 5.Jun.2008
Status: offline

Hello
thanks for your reply

i'm aware about that, but it will work fine, i just renewed the certificate and this pop-up appeared.
Now, i want to know why this pop-up appeared? and how can i remove it?

(in reply to Sembee)

Post #: 6

RE: Using certificate with Exchange 2007 - 9.Jun.2008 8:02:19 AM

Sembee

Posts: 3960
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline

You are using a non-supported client. I don't know where the certificate prompt is coming from, as far as I am aware there is nothing in Outlook 2000 that uses SSL. It could be a third party tool that is causing it.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://www.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.amset.co.uk/

(in reply to Monham)

Post #: 7