Exchange Server 2016 "invalid" Certificate - CA

  • General discussion

  • I have installed a new Exchange Server 2016 and a new installation of a DC on Windows Server 2012 R2.

    Both of these servers have been reinstalled and formatted many times due to the invalid certificate.

    The following are the virtual directory changes:

    Auto Discover - https://online.mydomain.com (via Management Shell)
    ecp (Ext/Int) local - https://online.mydomain.intra/ecp
    EWS (Ext/Int) - https://online.mydomain.com/ews/exchange.asmx
    mapi (Ext/Int) - https://online.mydomain.com/mapi
    Mic-Ser-ActSyn (Ext/Int)- https://online.mydomain.com/Microsoft-Server-ActiveSync
    OAB (Ext/Int) - https://online.mydomain.com/OAB
    owa (Ext/Int) local - https://online.mydomain.intra/owa
    Powershell (Ext/Int) Local - http://online.mydomain.intra/powershell

    Outlook Anywhere - online.mydomain.com

    And made changes in DNS:

    Created a new Forward Lookup Zone "mydomain.com" and created CNAME - online.mydomain.com and A - Autodiscover.mydomain.com

    In "mydomain.intra": static A - online.mydomain.intra and A - Autodiscover.mydomain.intra

    Installed the role of Certificate Service - CA and CA Web Enrollment on the Domain Controller's server.

    Followed the procedure for "Create a request for a certificate from a certification authority". Once completed, the Certnew.cer which I downloaded from my CA is showing as an "Invalid" certificate.

    **************************************************

    Did I make any mistake in the virtual directories? What would be the reason for the invalid certificate?

    • Edited by a.rahuman Tuesday, January 29, 2019 7:22 AM
    Tuesday, January 29, 2019 7:19 AM

All replies

  • Hi a.rahuman

    Are you trying to create a self-signed certificate within the Exchange server to use on the front end where you access your web-mail, EAC, etc. from the internet on a public address, for example mail.mydomain.com?

    If so, you need to get a certificate from an authorized certificate provider, for example Digicert (https://www.digicert.com). They can create a certificate for your Exchange server so your certificate is not invalid or untrusted.

    The first thing you need to do is to create a certificate request from the Exchange Server GUI (or PowerShell if you want that). Be sure to have all your SANs on that request: for example, if you want to use mail.domain.com and webmail.domain.com or something, you need to include those in your cert request. Digicert has a tool that can simplify these requests, but make sure to do it on the Exchange server as it will need the signature of the machine.

    Hope this helps, good luck :-)


    Attention: This posting is provided "AS IS" with no warranties, or guarantees, and confers no rights. Please remember to mark the replies as answers if they are informative and help.

    Tuesday, January 29, 2019 8:36 AM
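
The SAN check that reply describes, as an added example that is not part of the original thread: it lists every client-facing host name that the certificate's names do not cover. The function names and the SAN list are assumptions made for illustration; the endpoints are the ones given in the question.

```powershell
# Added example: find client-facing host names not covered by a certificate's SANs.
function Test-SanMatch {
    param([string]$HostName, [string]$San)
    if ($San.StartsWith('*.')) {
        # A wildcard covers exactly one label: *.mydomain.com matches
        # online.mydomain.com but not mydomain.com or a.b.mydomain.com.
        $suffix = $San.Substring(1)
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return $HostName.Equals($San, [StringComparison]::OrdinalIgnoreCase)
}

function Get-UncoveredHost {
    param([string[]]$Endpoint, [string[]]$CertificateDomain)
    $hosts = foreach ($e in $Endpoint) {
        # Entries are either full URLs or bare host names (Outlook Anywhere, DNS records).
        if ($e -match '^[a-z]+://') { ([Uri]$e).Host } else { $e }
    }
    $unique = $hosts | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    foreach ($h in $unique) {
        $covered = $false
        foreach ($san in $CertificateDomain) {
            if (Test-SanMatch -HostName $h -San $san) { $covered = $true; break }
        }
        if (-not $covered) { $h }   # emit only the names the certificate misses
    }
}

# HTTPS endpoints and DNS names as listed in the question.
$endpoints = @(
    'https://online.mydomain.com/ews/exchange.asmx'
    'https://online.mydomain.com/mapi'
    'https://online.mydomain.com/Microsoft-Server-ActiveSync'
    'https://online.mydomain.com/OAB'
    'https://online.mydomain.intra/ecp'
    'https://online.mydomain.intra/owa'
    'online.mydomain.com'
    'Autodiscover.mydomain.com'
)
# Constructed SAN list (assumption). On the server, use the CertificateDomains
# property of the certificate returned by Get-ExchangeCertificate.
$sans = @('online.mydomain.com', 'autodiscover.mydomain.com')

Get-UncoveredHost -Endpoint $endpoints -CertificateDomain $sans
```

Any name this prints has to be added to the certificate request before it is submitted. A name under mydomain.intra can only be covered by the internal CA, because publicly trusted CAs do not issue certificates for internal-only names.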
  • Problem Solved.

    I did nothing; after a couple of hours the certificate status showed as "Valid".

    Tuesday, January 29, 2019 10:34 AM
  • Hi.

    Good to hear that your problem is solved.

    But don't you get an insecure or not valid certificate when you browse your Exchange server from the internet, for example webmail? mail.mydomain.com or something that you've set?


    Tuesday, January 29, 2019 1:25 PM
  • Hi, it’s good that everything is working, but what concerns me with your setup is that self-signed certificates are not supported from an internet location. You might get into trouble while connecting to your Exchange from a computer outside of your domain, so I advise you to go further and try that on a computer or a mobile phone that is not connected to your domain network, for example public WiFi or a mobile network like 4G.

    Tuesday, January 29, 2019 3:33 PM