New SSL certificate for Exchange, iPhones won't accept without delete/recreate of account on phone.

Our Network Solutions security certificate was about to expire so we renewed it, however once it was installed on the Exchange 2007 server the phones would no longer connect.  How do you get the iPhones that are already connected to your Exchange server to recognize the new certificate?

Hi bb9193, this will not be a short-term solution, but you might consider using an MDM solution. With MDM it is possible to uninstall and reinstall the Exchange profile over the air, so your users will not need to do more than just re-enter their Exchange password.
Best regards,
Detlev

Similar Messages

  • Use ssl certificate for Exchange Account

    Hello everyone!
    I have a problem with an Exchange instance and iPhones.
    I have a front server with client authentication via SSL certificates. How can I use this certificate on an iPhone to connect the iPhone to the Exchange account?
    After a few hours of googling I found only one solution here - http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part2.html
    In a few words - it can be done with the iPhone Configuration Utility.
    Is this the ONLY solution, or can I import the SSL cert directly to the iPhone?
    Thanks a lot for any help


  • Installing a new SSL Certificate to Exchange

    Hi,
    We have a Windows Server 2008 R2 machine running Exchange 2010 (sorry, there wasn't an option for a 2010 forum). As a company which handles payments, we need to be PCI DSS registered and the scan has picked up a failing point being we don't have an SSL Certificate installed. I have purchased one via GoDaddy and followed the instructions on their site to install it, however the PCI DSS scan is still failing because of the following reason:-
    "The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority."
    The certificate at the top of the chain is the 'built-in' default certificate. How do I promote the installed GoDaddy certificate to the top of the chain?
    Thanks

    Hi,
    Please refer to this similar thread.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e80a77f8-4f88-439e-85dd-76463c7a69d3/certification-authority?forum=winserversecurity
    And try to Save your root CA(s) public certificate in PEM format into a text file to PCI DSS scanner.
    Hope this will be helpful for you.

  • Upgrade SSL Certificate for Exchange Server

    Hi Folks,
    I need to upgrade the SSL certificate on my Exchange Server, so it can negotiate encryption and authorization to an upstream SMTP Smart Host.  This means that the certificate I need is not necessarily a server certificate, because in this scenario Exchange Server is acting as a client to the upstream SMTP Smart Host.  I have openssl at my disposal, so making the certificate is not a problem, but installing it in the correct location and testing that I've done what I think I've done is.
    Thanks for the help,
    Chris.

    Hi,
    Please just make sure the primary certificate in your Exchange server with
    SMTP service is valid, trusted by your SMTP smart host.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • New SSL certificate for M670 process?

    Can someone help me with the current process for installing a new certificate on an M670 running 8.1.0-476?  Do I still use OPENSSL to generate the private key, and then get the certificate signed and import the certificate via CLI, pem format?
    Can I install a SAN certificate?  I have one DNS name spam.domain.com for the two (internal and external) SPAM quarantine interfaces and another name mspam.domain.com for the management interface.
    Appreciate the input, I only do this every three years and the process has changed the last two times and I find nothing in the documentation. 
    Jason

    Jason -
    You can use a SAN certificate - as long as the machine names are specified and signed off in the cert by your signer.
    Had previous saved notes for similar questions in the past --- see if this helps:
    For full create and install:
    http://tools.cisco.com/squish/39054
    Starting with AsyncOS version 7.1 it is possible to generate a self-signing request on the ESA appliance. This can be used as a workaround to create certificates for SMAs.
    On an ESA, create a self-signed certificate that will be used for the SMA. This can be done under GUI: Network > Certificates
    Detailed description how to generate a certificate can be found within the knowledge base article 1634.
    It is important, when creating a certificate, for common name to use the hostname of the SMA (M-Series) and not of the ESA (C-Series), so that the certificate can be properly used. Submit and commit changes.
    Use GUI: Network > Certificates > Export Certificates to export certificate.
    Give it a file name (e.g. mycert) and password that will be used when converting the certificate. Exported certificate will be in .pfx format. The M-Series only supports .pem format for importing, so this certificate needs to be converted.
    To convert certificate from .pfx format to .pem format, please use the following OpenSSL syntax:
    openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
    Windows version of OpenSSL can be downloaded from: http://www.slproweb.com/products/Win32OpenSSL.html  Make sure Visual C++ 2008 Redistributable is installed first before the OpenSSL Win32.
    Versions for Mac, Linux, and other operating systems can be downloaded from http://www.openssl.org/source/
    After converting the certificate to the correct format, one should now have available both - the certificate and the corresponding key in .pem format. It is recommended to sign it by a trusted Certification Authority (CA). Cisco doesn't recommend a specific CA, this is up to the choice of the customer.
    To have this signed, simply select "Download certificate signing request" in the GUI of the ESA (Network > Certificates >select the corresponding certificate created for the SMA) and submit it to the trusted CA of choice.
    The signed certificate or the self-signed certificate, and the key in .pem format, can be imported now in the SMA. To learn how to do it, please use the corresponding Installing Certificates on an IronPort Email Security Appliance.
    Let me know!
    -Robert

  • Using an SSL certificate for Exchange 2013

    Hi,
    I am not sure if this is the correct forum to post this question in.
    Basically we are migrating from Exchange 2007 to Exchange 2013. Our 2013 machines have both roles installed and do everything. They are configured in a DAG. We have no hardware load balancing/reverse proxy or etc. inside or outside.
    We use an alias of mail.domain.com to connect to OWA/ActiveSync and etc from the Internet.. this alias would point to mail1.domain.com which is the IP of the first Exchange 2013 server.
    If that server were to break, we would point the alias of mail.domain.com to mail2.domain.com which is the IP of the second Exchange 2013 server. Clients would not need any changes before they started connecting to the remaining mail server (eventually)
    and email would continue.
    I know this is not an ideal setup, but for now it is what we have and would keep us running in the event of server failure.
    My question is, when I request a certificate, do I need two of them with mail1.domain.com and mail2.domain.com as their primary and SAN of mail.domain.com OR do I request one certificate with mail.domain.com as the primary host and SAN of mail1.domain.com
    and mail2.domain.com (and install the one certificate on both servers).
    I want to include mail1.domain.com and mail2.domain.com as this can be helpful for testing and/or during migration.
    I hope that makes some sense and appreciate any help people can offer.
    Thanks!

    You do not need server names in the certificate if you are using mail.domain.com only in all of the URL settings.  You will want autodiscover.domain.com, however.
    Consider configuring a different internal and external name for Outlook Anywhere so that Outlook knows whether it is connecting from the Internet or internally.  For internal Outlook Anywhere, use a name that you don't publish to the Internet. 
    For example, use mail.domain.com for everything except internal Outlook Anywhere, use mailinternal.domain.com.  Put mail.domain.com, mailinternal.domain.com and autodiscover.domain.com in the certificate.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a VeriSign Secure Site Pro certificate
    SSL Certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured the ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we are trying to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we are getting this message in the certificate status: " you are connected to abc.com which is run by unknown "
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know that as this certificate is for cn=abc.com, that is why we are getting such errors/status in the SSL certificate.
    Now my question is
    1. Is it possible to remove the above errors by doing some SSL configuration on the ACE?
    2. OR do we have to go for a VeriSign Wildcard Secure Site Pro Certificate for the CSR generated using cn=abc.com, to be installed on the ACE and used for all servers like www.abc.com, a.abc.com etc.?
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't because your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean

  • How can I create a new ring tone for my iPhone 4?

    How can I create a new ring tone for my iPhone 4? I followed the Garage Band process and ended up with the ring tone I want as an AAC audio file. It got stored in my iTunes as a song rather than a ring tone. How do I make it a ring tone vs. a song? I tried dragging it to the Ring Tone category at the bottom of the iTunes list, but it won't allow me to move it.

    There's also an easy to use Applescript over at Doug's Applescripts for iTunes. It automates the whole thing. All you do is set the start and stop time on a file in iTunes and run the script. It will do everything else.
    Make Ringable v1.1
    http://dougscripts.com/475

  • Problem installing SSL certificate for CPS

    I work at a medium-sized University, and we have used
    Contribute 3 with CPS1.11 for well over a year. Recently, however,
    the Contribute clients began having difficulty logging in to CPS.
    At first this was intermittent, but is now constant. Adobe support
    suggested replacing the CPS self-signed SSL certificate with a
    genuine one, because apparently the self-signed certificate is
    causing communication delays and timeouts.
    I have the certificate, and am trying to use keytool (see
    http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html)
    to install it, but it is asking me for a keystore password, which I
    don't know. Apparently the standard defaults are "changeit" or
    "passphrase", but neither of these work.
    As a test, I created a fresh install of CPS and attempted to
    list the keys in the keystore, but again was asked for a keystore
    password and the defaults did not work. Adobe support suggested I
    ask here. Anybody have any experience installing a certificate for
    CPS?

    Are you sure that the certificate needs to be installed to all users? Can you provide more details about the certificate and its purposes?
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new:
    SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • How to create a SHA256 SAN Certificate for Exchange

    Dear.
    When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
    It seems that it's not possible to do this through the New-exchangecertificate.
    Do you know the alternative command when using certreq for the following Exchange command:
    New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com') -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048'
    Thanks for the feedback.
    Regards.
    Peter
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Peter,
    There is no parameter in New-ExchangeCertificate to select the Algorithm type (Secure Hash Algorithm (SHA)) to generate request. Personal opinion, we can create the certificate signing request using the Certificates MMC and then creating a custom request as follows:
    1. Open MMC.exe. Click File > Add/Remove snap in…
    2. In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer > Finish.
    3. Expand Certificates (Local Computer) > Personal > Certificates.
    4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
    5. Click Next > Proceed without enrollment policy > Next > Next.
    6. In Certificate Information page, click Details > Properties.
    7. Then you can fill in the needed information for your request.
    8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to sha256.
    9. Click OK > Next. Fill in File Name and select the request location.
    10. Finish it and send this request to the certificate authority.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Wildcard certificate for Exchange 2010

    Hi
    I have a single Exchange 2010 server installed. I have installed a single domain name certificate on Exchange; it expires next month, March 2014. I plan to buy a new wildcard certificate for the Exchange server. I access OWA by ns1.xyz.com/owa without any problem, but in my local network my Outlook is giving a certificate error because of the single domain name on the certificate.
    My question is what name should be on the wildcard CSR? Just put " *.xyz.com " or something else? Will that work in my local area as well as for OWA and Outlook Anywhere?

    Hi,
    According to your description, your internal URLs have the different host name with the external ones.
    If you don’t want to change the URLs, we need to add the following host names in the certificate:
    All the host names in the external and internal URLs including autodiscoverserviceinternalurl;
    Autodiscover.smtpaddresssuffix
    In this case, SAN certificate is more suitable for your environment than wildcard certificate.
    If I misunderstand your meaning, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support
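
The name-coverage question in this thread and in the ACE wildcard thread above, as an added example that is not part of the original posts: it checks which client-facing hostnames a certificate's DNS names cover, using RFC 6125-style wildcard rules. The function names are hypothetical and the hostnames are the placeholder names used in the threads.

```python
"""Check which client-facing hostnames a certificate's DNS names cover.

Added illustration; function names are hypothetical, hostnames are the
placeholder names from the threads (abc.com, domain.com).
"""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so *.abc.com covers www.abc.com but neither
    abc.com itself nor a.b.abc.com.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as *.com.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not accepted
    return p == h


def uncovered(cert_names, client_hostnames):
    """Return the hostnames that none of the certificate names cover."""
    return [h for h in client_hostnames
            if not any(name_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    # Constructed inputs based on the ACE thread: one VIP, several FQDNs.
    ace_hosts = ["abc.com", "www.abc.com", "a.abc.com", "b.abc.com"]
    for names in (["abc.com"], ["*.abc.com"], ["abc.com", "*.abc.com"]):
        print(names, "-> not covered:", uncovered(names, ace_hosts))

    # Constructed inputs based on the Exchange 2013 thread: the names
    # suggested for the certificate versus names clients might use.
    exchange_cert = ["mail.domain.com", "mailinternal.domain.com",
                     "autodiscover.domain.com"]
    exchange_hosts = ["mail.domain.com", "autodiscover.domain.com",
                      "mail1.domain.com"]
    print(exchange_cert, "-> not covered:",
          uncovered(exchange_cert, exchange_hosts))
```

Running the same check against every name that appears in the internal and external URLs shows before purchase whether a wildcard or a SAN list leaves any client-facing name without a match.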

  • Installing an SSL certificate for a CSS 11503

    I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
    I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

    Allen,
    The portion of the configuration guide related to SSL certificates and keys can be found here:
    http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
    To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
    ~Zach

  • My dad bought a new USB charger for his iPhone 3GS after connecting it it kept restarting I got it to recovery mode but wen restoring I get a msg error (01)

    So my dad bought a new USB cable for his iPhone 3GS. When he connected the iPhone to charge, he said it turned off and turned on after, but then it kept on restarting every 1 min. It goes to the main screen, then it restarts over and over. I managed to get it into recovery mode and I connected it to iTunes, where it asks me to upgrade and restore. When I click OK it starts normally to download and gets up to restoring the iPhone; when it's about to finish, a message pops up on iTunes saying "iTunes could not restored because an error was detected on iPhone (error 01)".
    I tried a whole bunch of times trying to restore but I won't get through at all.
    Any other ideas would be glad to know. I also tried getting out of DFU mode but it just won't.

    Is your software up to date? You also should be able to leave DFU mode easier than you get in it. DFU mode means nothing is on your iPhone's screen when restoring.

  • I created a new apple id for my iphone and ipad which work great and allow me to access Icloud. on my macbook air can't get it to use my new apple id for icloud. Help?

    I created a new Apple ID for my iPhone and iPad, which work great and allow me to access iCloud. On my MacBook Air I can't get it to use my new Apple ID for iCloud. It keeps going back to my old Apple ID and doesn't afford me to alter it. I use System Preferences - iCloud and it just wants to verify the old Apple ID but doesn't afford me the opportunity to delete the account or edit it like the iPhone 5 and iPad. Help?

    Welcome to the Apple Community.
    You need to use the sign out option on the left side.

  • I got a new computer and haven't used iTunes in years. I have an iPod and want to put my music from it onto iTunes on the new computer. I don't remember my old iTunes account info but i have a new apple ID for my iphone and ipad.

    I got a new computer and haven't used iTunes in years. I have an iPod and want to put my music from it onto iTunes on the new computer. I don't remember my old iTunes account info but i have a new apple ID for my iphone and ipad. Is there a way to transfer songs from my iPod (old iPod video) onto the new iTunes on my new computer and use my new apple ID to sign into iTunes?

