Trusted Cert Woes on SBS 2008

Discussion in 'Windows Small Business Server' started by Bill Glidden, Sep 30, 2009.

  1. Bill Glidden

    Todd Wagner Guest

    I am about to lose my sanity over this. I have a UC cert from Go Daddy. I have the subject alternative name listed on the cert for the server name. I have run the certificate wizard to import the go daddy cert and it is trusted. I have run the connect to internet wizard and that is working. My RWW works just fine. I used the install package for connecting the computers to the domain and that went fine. I continue to get the name on the security certificate is invalid. Sites is listed on the nag screen and that resolves back to the server name, which is listed as the subject alternative name. I have been working with Exchange2007 for 3 years now and got through this issue with the SAN cert. I think this may be a Windows 2008 sbs issue. Please help.



    Ace Fekay [MCT] wrote:

    Re: Trusted Cert Woes on SBS 2008
    02-Oct-09

    That I did not know. Thanks!

    Ace

    Previous Posts In This Thread:

    Trusted Cert Woes on SBS 2008
    I decided to install a trusted cert from GoDaddy to make access to RWW,
    OWA and Outlook Anywhere more user-friendly. I used:
    http://smbtn.wordpress.com/2009/02/12/installing-a-godaddy-standard-ssl-certificate-on-sbs-2008/
    for my first few attempts (installing the intermediate bundle) and when
    I had issues with this, I eventually used:
    http://blogs.technet.com/sbs/archiv...a-trusted-certificate-wizard-in-sbs-2008.aspx
    I have had several goes at this (using re-keyed certs) always with the
    same results:

    1. The trusted certificate never appears for selection as the preferred
    certificate in the Certificate Wizard (only self-signed certs are
    displayed). In the SBS Console, Network/Connectivity/Web Server
    Certificate is showing the trusted cert from GoDaddy.

    2. When I launch Outlook 2007, I get two Security Alerts from the site
    remote.glidden.net.au. View Certificate shows the name of the trusted
    cert office.glidden.net.au. This happens on PCs that are not using
    Outlook Anywhere as well.

    Otherwise the trusted certificate is functioning: no certificate warning
    nags in RWW, OWA or Company Website.

    A clue to all this is that the name of the trusted cert is different to
    the self-signed one. Also, when I run the fix my network wizard, it tells me
    that the trusted certificate has expired and removes it if checked.
    I am new to and pretty clueless with certs: this is the first time I
    have tried to install a trusted cert.

    SBS BPA finds no issues.

    Can someone please help me to sort this? Driving me bananas.

    Re: Trusted Cert Woes on SBS 2008
    Hi Bill,

    I am assuming you use https://remote.blah.blah/remote or /owa to access your
    SBS, but your cert is for office.blah.blah.

    If you use https://office.blah.blah/remote, your cert matches and you get no
    warning. I looked at your cert, and it looks fine.


    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    ps, you can change remote.blah.blah to office.blah.blah in the SBS wizard by
    selecting the 'advanced' button. 'remote' is the default prefix.

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote:
    Hi Les,

    No. I use either remote or office, and want to use office only, but I
    get the same result with either. I know there is no error when I use
    /owa or /remote. I am only seeing the Outlook security warning.

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote:
    I missed that Advanced button... Will go there and do that. Thanks, Les.

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote:

    Les, I did that and interestingly, it made one of the Security Alerts go
    away. Still got one. Will multiple office.glidden.net.au GoDaddy certs
    be a problem or is only one of these active?

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote:
    Oh, and Les, I can now see and select the Trusted cert in the Wizard. I
    can also see the for GoDaddy certs that I installed during the saga. All
    have type=unknown. AND no more Outlook Security nags.

    Thanks for helping me sort this and pointing me in the general direction
    of SBS Console, Advanced Mode!

    Cheers,
    Bill

    Good stuff, Bill - glad you got it sorted.

    Key is the name in the cert must match the url/site you are accessing. You
    can get a cert for multiple sites but in this instance you only need

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    Les, with an Exchange UC/SAN certificate, you can add those names into one
    cert. The one certificate will allow multiple names added into the
    certificate in what is called a subjective alternate names list. Once you have
    purchased, or have your current certs modified or combined into one
    certificate by GoDaddy (Exchange can use a single cert with multiple names
    and they should be able to combine all of them into one for you and pro-rate
    the price), you can use the Exchange PowerShell Commands to add the services
    the cert will be used for.

    Read the following for more info. I also just added a step-by-step in the
    blog, today, to illustrate how to request and import the new cert, as well
    as how to enable the use of the cert for other services, such as IIS, SMTP,
    IMAP, POP, etc. Enabling it for IIS will work for what you want, as long as
    the names that you need, such as rww.domain.com, office.domain.com, or
    whatever else you need, is in the certificate subject alternate names list.
    The manual methods work with SBS 2008, too.

    Exchange 2007 UC/SAN Certificate
    http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
    Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.

    Re: Trusted Cert Woes on SBS 2008
    I meant to address my last post to Bill, not Les. Sorry....

    Good stuff, thanks Ace.

    I am the guy that has never used a 3rd party cert, ever, with SBS ;-). Always
    used the self signed certs, and always able to make them do. Worst case is
    locked mobile devices, but that is worked around by converting the cert to a
    .cab file.

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    no worries, we are all in this together ;-)

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    Cool, yes we are! :)

    Thanks!

    Re: Trusted Cert Woes on SBS 2008
    For my own Ex2007, I never bought a public cert, but I have not had any cases
    where I would need it. When connecting to OWA, I would just click on the
    trust this cert message. However, I just replaced my BB with an HTC Touch
    Pro 2 I picked up last night. Cool phone. Screen's a hair larger than the
    iPhone, brighter, too! However, it is Windows Mobile. Guess what? Cert issue
    time! So instead of dealing with the cert, I thought let me just get a
    single name cert (non UC/SAN) and see if it works. Since I set this domain
    up back in 1999 when AD first came out, the mindset and consensus was to use
    your public name, so I never changed that. It is only me and a few people
    that use the domain. So I figured, what the heck, a single name cert would
    work internally and externally for mail.mydomain.com, and I have the same
    record created internally. Well, the thing worked fine with the Windows
    mobile. It synched up fine. It also works fine for my OWA site, since you
    can enable that in Exchange to use the cert for other purposes other than
    just internally, such as for IIS, SMTP, IMAP and POP. However, I know I will
    have an issue with Outlook Anywhere due to the Autodiscover record, but I
    don't use that anyway. If it comes down to it, and I need that function, I
    will dish out the extra $$ for a UC/SAN cert. And here I am using a single
    cert for limited capabilities, but I keep pushing to get a UC/SAN cert to my
    customers. I figured if they ever need the other functionality, I don't want
    to deal with installing certs on their mobile units, or some of their remote
    employees that hardly come into the office and are using Outlook Anywhere.

    I guess you can call me the landscaper with the tallest lawn on the block!

    Ace

    Re: Trusted Cert Woes on SBS 2008
    Ace Fekay [MCT] wrote:
    Thanks for all the good info, Ace. :)

    Bill

    Re: Trusted Cert Woes on SBS 2008
    You are welcome!

    Ace

    SBS 2k8 deploys the self signed cert onto WM6 automatically. I have an HTC
    diamond touch, no issues at all.

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    That I did not know. Thanks!

    Ace

     
    Todd Wagner, Nov 9, 2009
    #21

  2. in message
    Take a look at the video tutorials to see if you missed something at this
    link:

    Screencast: How to Install GoDaddy Multiple Domain (UCC) SSL Certificate in
    Exchange Server 2007
    http://www.netometer.com/video/tuto...c-ssl-certificate-exchange-2007-windows-2008/

    If that doesn't help you, re-read my blog on how to do it manually. I posted
    it earlier (bottom of this post), however, here it is for your convenience:

    Exchange 2007 UC/SAN Certificate
    http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

    Ace

     
    Ace Fekay [MCT], Nov 9, 2009
    #22

  3. Bill Glidden

    Todd Wagner Guest

    I went through the installing a godaddy cert and reconfigured outlook to make the cert primary with the 4 services and adjusted my urls within Exchange. When I launch outlook, it still comes up with the error with Sites listed security alert. I also created the split DNS as well. I don't know what to check now. This is getting old. Any further advice, or is a call into Microsoft needed?



    Todd Wagner wrote:

    Cert Error
    08-Nov-09

    I am about to lose my sanity over this. I have a UC cert from Go Daddy. I have the subject alternative name listed on the cert for the server name. I have run the certificate wizard to import the go daddy cert and it is trusted. I have run the connect to internet wizard and that is working. My RWW works just fine. I used the install package for connecting the computers to the domain and that went fine. I continue to get the name on the security certificate is invalid. Sites is listed on the nag screen and that resolves back to the server name, which is listed as the subject alternative name. I have been working with Exchange2007 for 3 years now and got through this issue with the SAN cert. I think this may be a Windows 2008 sbs issue. Please help.

     
    Todd Wagner, Nov 10, 2009
    #23
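The rule the thread keeps coming back to (the name in the cert must match the host in the URL the client actually connects to) can be checked before a certificate is bought or re-keyed. The following is an added example, not part of the original thread: the function names, the certificate name lists and the Autodiscover URL are constructed for illustration, using only hostnames quoted in the posts above.

```python
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """RFC 2818/6125-style comparison of one certificate name with one host.

    Case-insensitive; '*' is honoured only as the whole left-most label
    and covers exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld" so "*.au" style names never match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def names_for_matching(common_name, san_dns):
    """SAN dNSName entries win when present; the CN is only a fallback."""
    if san_dns:
        return list(san_dns)
    return [common_name] if common_name else []


def audit(cert, urls):
    """Map each client-facing URL to the certificate name that covers it.

    cert is (common_name, [san_dns_names]); a value of None means the
    client will raise a name-mismatch warning for that URL.
    """
    names = names_for_matching(*cert)
    report = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        report[url] = next((n for n in names if name_matches(n, host)), None)
    return report


def mismatches(cert, urls):
    """Sorted list of URLs whose host no name in the certificate covers."""
    return sorted(u for u, hit in audit(cert, urls).items() if hit is None)


# --- Constructed sample data (hostnames taken from the thread) -------------
# Single-name certificate, as in the first post: issued to office.*
SINGLE_NAME = ("office.glidden.net.au", [])
# UC/SAN certificate that also lists the short internal name "sites".
UC_SAN = ("office.glidden.net.au", ["office.glidden.net.au", "sites"])

# URLs with the default 'remote' prefix, plus an internal URL on "sites"
# (assumed here to be where Outlook looks for Autodiscover internally).
URLS_REMOTE_PREFIX = [
    "https://remote.glidden.net.au/remote",
    "https://remote.glidden.net.au/owa",
    "https://sites/Autodiscover/Autodiscover.xml",
]
# The same services after the prefix is changed to 'office' in the wizard.
URLS_OFFICE_PREFIX = [
    "https://office.glidden.net.au/remote",
    "https://office.glidden.net.au/owa",
    "https://sites/Autodiscover/Autodiscover.xml",
]

if __name__ == "__main__":
    for label, cert, urls in [
        ("single-name cert, 'remote' prefix", SINGLE_NAME, URLS_REMOTE_PREFIX),
        ("single-name cert, 'office' prefix", SINGLE_NAME, URLS_OFFICE_PREFIX),
        ("UC/SAN cert, 'office' prefix", UC_SAN, URLS_OFFICE_PREFIX),
    ]:
        bad = mismatches(cert, urls)
        print(f"{label}: {len(bad)} mismatch(es)")
        for url in bad:
            print(f"  name mismatch -> {url}")
```

Name matching is only one of the checks a client performs; a certificate that passes here can still fail on chain trust, as the connectivity test output in the next post shows.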
  4. Bill Glidden

    ian ohlander Guest

    I also recently migrated from SBS2003 to SBS2008 using a swing kit I purchased. For the most part, everything has worked beautifully. One change, though, was that previously, we had just used a self-signed certificate that I always had to manually install on our smart phones (moto-q's and htc touches). I went ahead and purchased a certificate from Verisign and installed it using the request/complete certificate wizard in IIS. Then ran the "configure certificates" wizard in the SBS console and successfully configured that certificate for remote.ogequip.com. The remote site, including /exchange all show a valid certificate. But our smartphones continue to show certificate errors. I have even manually installed the cert on them and it makes no diff.

    https://www.testexchangeconnectivity.com/ ran a test and gave the following errors:

    Testing SSL Certificate for validity.
    The SSL Certificate failed one or more certificate validation checks.

    Test Steps

    Validating certificate name
    Successfully validated the certificate name

    Additional Details
    Found hostname remote.ogequip.com in Certificate Subject Common name
    Validating certificate trust for Windows Mobile Devices
    Certificate trust validation failed
    Tell me more about this issue and how to resolve it

    Additional Details
    The certificate chain did not end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

    The link that error leads to indicates that it cannot follow the certificate chain to a trusted authority. But I am unable to figure out how to fix this. I have been reading numerous blogs and technical articles that give different suggestions (such as working in the exchange power shell) but there are quite a few and I don't want to break existing functionality doing them. OWA works. The site shows secure in explorer. It's only activesync that fails. Plus, if it were this complicated to configure, why wouldn't the import cert wizard not take care of all of this? If it was configuring for all the other remote sites, why not OMA functionality? Obviously, I am missing something.

    Does anyone have any suggestions?

    thanks.



    Todd Wagner wrote:

    Continue to get the cert error
    09-Nov-09

    I went through the installing a godaddy cert and reconfigured outlook to make the cert primary with the 4 services and adjusted my urls within Exchange. When I launch outlook, it still comes up with the error with Sites listed security alert. I also created the split DNS as well. I don't know what to check now. This is getting old. Any further advice, or is a call into Microsoft needed?

     
    ian ohlander, Jan 18, 2010
    #24
  5. Bill Glidden

    peter heggem Guest

    Les, I created an account here just to say thanks for this tip. I have always purchased certs for my clients with mail.blah.blah so that's what I did with this one using SBS 2008. But then I found that SBS08 uses remote.blah.blah for all of their sites. I was able to get a few things to use the mail cert but couldn't figure out how to change the Sharepoint URL. Too bad I had already spent 15 hours trying to figure this out before stumbling across your post.

    Anyone looking for the exact location of this setting:
    1. Open Windows SBS Console.
    2. Begin "Set up your Internet address" wizard.
    3. Click Next, "I already have a domain name that I want to use.", Next, "I want to manage the domain name myself.", Next.
    4. Enter your domain name then click "Advanced settings".
    5. Change your domain prefix to match your cert.

    This will change the SBS websites to use a self-signed cert so you have to run the "Add a trusted certificate" wizard again to use your 3rd party cert for these sites.



    Les Connor [SBS MVP] wrote:

    ps, you can change remote.blah.blah to office.blah.
    29-Sep-09

    ps, you can change remote.blah.blah to office.blah.blah in the SBS wizard by
    selecting the 'advanced' button. 'remote' is the default prefix.

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Previous Posts In This Thread:

    Trusted Cert Woes on SBS 2008
    I decided to install a trusted cert from GoDaddy to make access to RWW
    OWA and Outlook Anywhere more user-friendly. I used
    http://smbtn.wordpress.com/2009/02/12/installing-a-godaddy-standard-ssl-certificate-on-sbs-2008
    for my first few attempts (installing the intermediate bundle) and whe
    I had issues with this, I eventually used
    http://blogs.technet.com/sbs/archiv...-a-trusted-certificate-wizard-in-sbs-2008.asp
    I have had several goes at this (using re-keyed certs)always with th
    same results

    1. The trusted certificate never appears for selection as the preferre
    certificate in the Certificate Wizard(only self-signed certs ar
    displayed). In the SBS Console, Network/Connectivity/Web Serve
    Certificate is showing the trusted cert from GoDaddy

    2. When I launch Outlook 2007, I get two Security Alerts from the sit
    remote.glidden.net.au. View Certificate shows the name of the truste
    cert office.glidden.net.au. This happens on PCs that are not usin
    Outlook Anywhere as well

    Otherwise the trusted certificate is functioning: no certificate warnin
    nags in RWW, OWA or Company Website

    A clue to all this is that the name of the trusted cert is different t
    the self-signed one. Also, I run the fix my network wizard it tells m
    that the trusted certificate has expired and removes it if checked
    I am new to and pretty clueless with certs: this is the first time
    have tried to install a trusted cert

    SBS BPA finds no issues

    Can someone please help me to sort this? Driving me bananas.

    Re: Trusted Cert Woes on SBS 2008
    Hi Bill

    I am assuming you use https://remote.blah.blah/remote or /owa to acces you
    SBS, but your cert is for office.blah.blah

    If you use https://office.blah.blah/remote, your cert matches and you get n
    warning. I looked at your cert, and it looks fine

    -
    ----------------------------------------------
    Les Connor [SBS MVP]

    ps, you can change remote.blah.blah to office.blah.
    ps, you can change remote.blah.blah to office.blah.blah in the SBS wizard b
    selecting the 'advanced' button. 'remote' is the default prefix

    -
    ----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote
    Hi Les

    No. I use either remote or office, and want to use office only, but
    get the same result with either. I know there is no error when I us
    /owa or /remote. I am only seeing the Outlook security warning.

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote:
    I missed that Advanced button... Will go there and do that. Thanks, Les.

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote:

    Les, I did that and interestingly, it made one of the Security Alerts go
    away. Still got one. Will multiple office.glidden.net.au GoDaddy certs
    be a problem or is only one of these active?

    Re: Trusted Cert Woes on SBS 2008
    Les Connor [SBS MVP] wrote:
    Oh, and Les, I can now see and select the Trusted cert in the Wizard. I
    can also see the for GoDaddy certs that I installed during the saga. All
    have type=unknown. AND no more Outlook Security nags.

    Thanks for helping me sort this and pointing me in the general direction
    of SBS Console, Advanced Mode!

    Cheers,
    Bill

    Good stuff, Bill - glad you got it sorted.
    Good stuff, Bill - glad you got it sorted.

    Key is the name in the cert must match the url/site you are accessing. You
    can get a cert for multiple sites but in this instance you only need

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    Les, with an Exchange UC/SAN certificate, you can add those names into one
    cert. The one certificate will allow multiple names added into the
    certificate in what is called a subjective alternate names list. Once you have
    purchased, or have your current certs modified or combined into one
    certificate by GoDaddy (Exchange can use a single cert with multiple names
    and they should be able to combine all of them into one for you and pro-rate
    the price), you can use the Exchange PowerShell Commands to add the services
    the cert will be used for.

    Read the following for more info. I also just added a step-by-step in the
    blog, today, to illustrate how to request and import the new cert, as well
    as how to enable the use of the cert for other services, such as IIS, SMTP,
    IMAP, POP, etc. Enabling it for IIS will work for what you want, as long as
    the names that you need, such as rww.domain.com, office.domain.com, or
    whatever else you need, are in the certificate subject alternate names list.
    The manual methods work with SBS 2008, too.

    Exchange 2007 UC/SAN Certificate
    http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
    Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.

    Re: Trusted Cert Woes on SBS 2008
    I meant to address my last post to Bill, not Les. Sorry....

    Good stuff, thanks Ace.

    I am the guy that has never used a 3rd party cert, ever, with SBS ;-). Always
    used the self signed certs, and always able to make them do. Worst case is
    locked mobile devices, but that is worked around by converting the cert to a
    .cab file.

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    no worries, we are all in this together ;-)

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    Cool, yes we are! :)

    Thanks!

    Re: Trusted Cert Woes on SBS 2008
    For my own Ex2007, I never bought a public cert, but I have not had any cases
    where I would need it. When connecting to OWA, I would just click on the
    trust this cert message. However, I just replaced my BB with an HTC Touch
    Pro 2 I picked up last night. Cool phone. Screen's a hair larger than the
    iPhone, brighter, too! However, it is Windows Mobile. Guess what? Cert issue
    time! So instead of dealing with the cert, I thought let me just get a
    single name cert (non UC/SAN) and see if it works. Since I set this domain
    up back in 1999 when AD first came out, the mindset and consensus was to use
    your public name, so I never changed that. It is only me and a few people
    that use the domain. So I figured, what the heck, a single name cert would
    work internally and externally for mail.mydomain.com, and I have the same
    record created internally. Well, the thing worked fine with the Windows
    mobile. It synched up fine. It also works fine for my OWA site, since you
    can enable that in Exchange to use the cert for other purposes other than
    just internally, such as for IIS, SMTP, IMAP and POP. However, I know I will
    have an issue with Outlook Anywhere due to the Autodiscover record, but I
    don't use that anyway. If it comes down to it, and I need that function, I
    will dish out the extra $$ for a UC/SAN cert. And here I am using a single
    cert for limited capabilities, but I keep pushing to get a UC/SAN cert to my
    customers. I figured if they ever need the other functionality, I don't want
    to deal with installing certs on their mobile units, or some of their remote
    employees that hardly come into the office and are using Outlook Anywhere.

    I guess you can call me the landscaper with the tallest lawn on the block!

    Ace

    Re: Trusted Cert Woes on SBS 2008
    Ace Fekay [MCT] wrote:
    Thanks for all the good info, Ace. :)

    Bill

    Re: Trusted Cert Woes on SBS 2008
    You are welcome!

    Ace

    SBS 2k8 deploys the self signed cert onto WM6 automatically. I have an HTC
    diamond touch, no issues at all.

    --
    -----------------------------------------------
    Les Connor [SBS MVP]

    Re: Trusted Cert Woes on SBS 2008
    That I did not know. Thanks!

    Ace

    Cert Error
    I am about to lose my sanity over this. I have a UC cert from Go Daddy. I have the subject alternative name listed on the cert for the server name. I have run the certificate wizard to import the go daddy cert and it is trusted. I have run the connect to internet wizard and that is working. My RWW works just fine. I used the install package for connecting the computers to the domain and that went fine. I continue to get the name on the security certificate is invalid. Sites is listed on the nag screen and that resolves back to the server name, which is listed as the subject alternative name. I have been working with Exchange2007 for 3 years now and got through this issue with the SAN cert. I think this may be a Windows 2008 sbs issue. Please help.

    Continue to get the cert error
    I went through the installing a GoDaddy cert and reconfigured Outlook to make the cert primary with the 4 services and adjusted my URLs within Exchange. When I launch Outlook, it still comes up with the error with Sites listed security alert. I also created the split DNS as well. I don't know what to check now. This is getting old. Any further advice, or is a call into Microsoft needed?

    Certificate trust validation failed
    I also recently migrated from SBS2003 to SBS2008 using a swing kit I purchased. For the most part, everything has worked beautifully. One change, though, was that previously, we had just used a self-signed certificate that I always had to manually install on our smart phones (moto-q's and htc touches). I went ahead and purchased a certificate from Verisign and installed it using the request/complete certificate wizard in IIS. Then ran the "configure certificates" wizard in the SBS console and successfully configured that certificate for remote.ogequip.com. The remote site, including /exchange all show a valid certificate. But our smartphones continue to show certificate errors. I have even manually installed the cert on them and it makes no diff.

    https://www.testexchangeconnectivity.com/ ran a test and gave the following errors:

    Testing SSL Certificate for validity.
    The SSL Certificate failed one or more certificate validation checks.

    Test Steps

    Validating certificate name
    Successfully validated the certificate name

    Additional Details
    Found hostname remote.ogequip.com in Certificate Subject Common name
    Validating certificate trust for Windows Mobile Devices
    Certificate trust validation failed
    Tell me more about this issue and how to resolve it

    Additional Details
    The certificate chain did not end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

    The link that error leads to indicates that it cannot follow the certificate chain to a trusted authority. But I am unable to figure out how to fix this. I have been reading numerous blogs and technical articles that give different suggestions (such as working in the exchange power shell) but there are quite a few and I don't want to break existing functionality doing them. OWA works. The site shows secure in explorer. It's only activesync that fails. Plus, if it were this complicated to configure, why wouldn't the import cert wizard not take care of all of this? If it was configuring for all the other remote sites, why not OMA functionality? Obviously, I am missing something.

    Does anyone have any suggestions?

    thanks.


    peter heggem, Apr 19, 2010
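
An added example, not written by any poster in this thread: a PowerShell check of the two things the posts above keep running into, whether every name the clients connect to appears in the certificate (CN or subject alternative names) and which root the chain ends at. The thumbprint and host names are placeholders, and the `DNS Name=` label assumes an English-locale Windows.

```powershell
# Added example. Placeholders: replace the thumbprint and the host names.
$thumbprint    = '<THUMBPRINT-OF-CERT-UNDER-TEST>'
$requiredNames = @('remote.example.com', 'autodiscover.example.com', 'sites')

function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches
        # mail.example.com, but not example.com or a.b.example.com.
        if ($n.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $n.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# Collect the subject CN plus every DNS entry in the SAN extension (OID 2.5.29.17).
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($true) prints one entry per line; "DNS Name=" is the English label.
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+)$') { $names += $matches[1].Trim() }
    }
}

foreach ($h in $requiredNames) {
    $state = 'NAME MISMATCH'
    if (Test-NameCovered $h $names) { $state = 'covered' }
    '{0,-30} {1}' -f $h, $state
}

# Build the chain against THIS machine's stores. A phone has its own root
# store, so compare the root printed last with what the device ships.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not evaluated here
$built = $chain.Build($cert)
"chain builds on this server: $built"
foreach ($e in $chain.ChainElements) { '  ' + $e.Certificate.Subject }
foreach ($s in $chain.ChainStatus)   { '  status: ' + $s.Status }
```

A chain that builds on the server but fails on a handset means the handset is missing the root or an intermediate, which matches a connectivity test that passes the name check and fails the Windows Mobile trust check.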