Rolling out SSL cert on CAS array

Hi there,
I have an exchange 2010 CAS array with 2 servers in it. I need to roll out an updated SSL certificate as the old one has expired
however, it only seems to allow me to install this certificate on the CAS1 server.
When I did was I (using the GUI) created a new Exchange certificate. Put in the FQDN of both my CAS servers when I created
it (although only 4 SAN names appear on the cert on Godaddys website, that being imap, pop, mail and autodiscover). Got my SSL cert from the 3rd party. Completed the certificate and it seems to be ok one my CAS1 server. But then there is no SSL cert on the
CAS2 server. I just wondered how I would go about installing it on that server, or even if it is necessary to have it on there.
I tried exporting/importing it from CAS1 to CAS2 but on CAS2 it just shows it as "The certificate is invalid for Exchange
Server usage".
Any help is appreciated

First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

Similar Messages

GoDaddy SSL Cert Signed by Unknown Authority

At my school we have one Apple server which we recently upgraded to 10.5. We're using it to run a blog for teachers. We switched the site to use SSL and purchased a GoDaddy SSL cert (the wildcard type). The common name on the certificate I created in Server Admin is for *.e-lcds.org, this is the same common name I gave to GoDaddy in the CSR.
I received both the certificate and the intermediate certificate from GoDaddy and installed both. Server Admin now says that the site is signed correctly by GoDaddy. The intermediate certificate (looking at Keychain Access) is not signed correctly though according to the server. The error is "This certificate was signed by an unknown authority"
In the process of originally trying to figure out SSL certs I deleted all of the GoDaddy ones which I (thought) had added to start with a new one and have it re-keyed (which worked). I unfortunately may have deleted whatever certs need to be installed to verify the intermediate cert from GoDaddy. Is there a way to re-add these? Or is this another issue altogether?
Thanks in advance,
-MRCUR

I ended up wiping the server since we switched it's roles with a Linux box. I'm now using the GoDaddy SSL cert on the Linux box and the XServe.

MSE - Mobile Intelligent Roaming is it ready to roll out

Hi Guys
Looking at rolling out wifi to cellular roaming, looking at solutions such as Devitas, Agito. Is the Mobile Intelligent Roaming on the MSE in a state where it is stable to be rolled out and have several case studies.
many thanks

hello, Ive since performed a battery test
80gb classic
Music
38.5 hours
one track played over 24hours repeat
then album for so many more times
then various other tracks through the night for variety to simulate use
video
6.30 + hours
two itunes music videos played in repeat in playlist only two vids I had on it. even after quickly checking if the videos would repeat in loop by searching through songs once before test
I am quite impressed with these stats and hope it will live up to normal use of converted youtube music vid, mp3 files back and forth maybe a game played here and there
hope it can
Message was edited by: vacant

TCP packet out of state: First packet isn't SYN & Outlook is trying to retrieve data from the Microsoft Exchange Server [CAS-ARray]

We are transitioning from Exchange 2003 to Exchange 2010. We found Outlook online mode (non-cached mode) have many warning "Outlook is trying to retrieve data from the Microsoft Exchange Server [CAS-ARray]", usually happen when users tried to open
address book but sometimes even normal operation like click the Send button. The problem does not affect OWA and extremely rare when Outlook is running in cached mode. Check the firewall logs, we notice a lot of "TCP Packet Out of State" drops.
We have a lot from the CAS/HT to DC/GC on TCP_3268 and LDAP. And the errors are "TCP packet out of state: First packet isn't SYN" with tcp_flags FIN-ACK, PUSH-ACK.
We also have a lot from CAS/HT to the Outlook Clients on the static RPC port (TCP_59933). And the errors are "TCP packet out of state: First packet isn't SYN" with tcp_flags FIN-ACK, PUSH-ACK and RST-ACK, ACK.
This happens even on Outlook 2010 which I though it has TCP Keep Alive implmented to keep the session active within 1 hour.
Can somebody tell me if these out-of-state are the cause of our problem? And how to fix it?
THANK 1,000,000

Hello AndyHWC,
I did some consulting with our CAS team and received the following feedback to your post:
It is difficult to determine what is causing resets without seeing the captures first hand however, the concern is that you are seeing dropped packets on the firewall logs. Where is this firewall located?
Based on the description "Check the firewall logs, we notice a lot of "TCP Packet Out of State" drops." and "We have a lot from the CAS/HT to DC/GC on TCP_3268 and
LDAP." indicates to me that the firewall is between CAS and GC. This not supported under any circumstances and would explain the issue they are seeing with clients trying to "retrieve data from the GC".
If there is not a firewall between the GC and CAS then a Microsoft support engineer would need to have concurrent Netmon Captures from client, CAS, GC during the
issue to analyze. If only one GC exists consider adding another GC to handle the client requests and for fault tolerance.
Also verify that all NIC card drivers are updated to the latest driver version
More information about firewalls with Exchange 2007/2010
http://msexchangeteam.com/archive/2009/10/21/452929.aspx
http://technet.microsoft.com/en-us/library/bb232184(EXCHG.80).aspx
You can install the Client Access server role on an Exchange 2007 computer that is running any other server roles except for the Edge Transport server role. You
cannot install the Client Access server role on a computer that is installed in a cluster. Installation of a Client Access server in a perimeter network is not supported.
http://technet.microsoft.com/en-us/library/dd577077(EXCHG.80).aspx
“The Installation of a Client Access Server in a Perimeter Network Is Not Supported
Issue You may want to install an Exchange 2007 Client Access server in a perimeter network. However, this type of installation is not supported in Exchange
2007.
Cause The Exchange 2007 Client Access server role is not supported in any configuration in which a firewall is located between the Client Access server
and a Mailbox server or a domain controller. This includes firewall devices, firewall programs, or any program or device that is designed to restrict traffic between two network locations.
For correct operation, Client Access servers require typical domain connectivity to domain controllers and global catalog servers. Because any devices
or programs that restrict or reduce access to domain controllers or global catalog servers may affect the correct operation of the Client Access server, we do not support this type of configuration.
Resolution To resolve this issue, move the Client Access servers to the internal network. For more information about the ports that Exchange 2007 uses
for various services, see Data Path Security Reference.”
Thanks,
Kevin Ca - MSFT
Kevin Ca - MSFT

IMAP Mail Setup with self-signed SSL certs

I am unable to set up IMAP access to an email account of mine on the new iPhone mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
Also, it doesn't seem possible to install SSL certs out of safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doenst exisit in Safari Mobile. If you have the servers cert (.der) file in the web root of the server, possible to download and install the certificate. This solved a similar problem for my ExchangeMail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable..

If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

EXCH2010 CAS Array still appearing

Hi everyone!
I am mid-migration from exchange 2007 to exchange 2010. My new 2010 environment has an issue. The original cas array was configured with an FQDN of mail.x.com and I ended up deleting the array and re-creating it to webmail.x.com (because that's how the cert
looks). Problem is, some clients are connecting to mail.x.com. It's causing client cert errors and I cannot figure out why.
Doing a get-clientaccessarray, I get only webmail.x.com
Anyone have any thoughts towards this? How do I find and get rid of mail.x.com? Is it somewhere on the server still?

Hi
The certificate is not used by MAPI connections so your CAS array doesn't and shouldn't appear on the certificate. The certificate error will be coming from either the EWS or OAB virtual directory paths.
Steve
I just checked the OAB Virtual Directory and:
Server Name Internal Url External
Url
EX2007SRV1 OAB (Default Web Site) https://legacy.domain.com https://legacy.domain.com
EX2007SRV2 OAB (Default Web Site) https://legacy.domain.com https://legacy.domain.com
EX2007SRV3 OAB (Default Web Site) https://webmail.domain.com https://webmail.domain.com
EX2010SRV1 OAB (Default Web Site) https://webmail.domain.com https://webmail.domain.com
EX2010SRV2 OAB (Default Web Site) https://webmail.domain.com https://webmail.domain.com
I noticed one of the 2007 Servers is reporting back as webmail... perhaps that's the issue and why it's intermittent? There is no webmail name in the cert for the 2007 server.
Ok wait... I think you just resolved one issue, but it wasnt the one I was posting about!
I'm still seeing mail.domain.com coming from a couple outlook clients.

Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

Coldfusion 11
Windows Server 2012 R2
Both the Coldfusion admin and additonal site work fine on HTTP.
As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
Coldfusion 11 - Web Sockets via SSL
The Coldfusion-error.log shows
Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
Any assistance welcome - I can't allow this site to made publicly available with using SSL.
SM

@Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release. And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
Finally, when you say that if you “comment out the SSL sections it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
/charlie

SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

I utilized the idea from
http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance. In short, create the new Clustered SQL instance on Node1,
installing Reporting Services with it. Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
feature on Node2. It points out using the SQL Cluster Network name for connecting to Reporting Services.
I verified upon failover that I could still access the Reports and ReportServer URLs. However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert. The Reports URL, for example, is <a href="https:///Reports">https://<SQLClusterNetworkName>/Reports, and the
cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

Expired internal SSL cert on SGD 4.5?

Upgraded Solaris SGD from 4.41.to 4.5. I use a SSL cert for our site, which is working fine. SGD login prompt appears and cert can be viewed and verified.
However after logging in, I get a security warning on tcchelper saying that Sun's own Verisign certificate expired on 8/29/2010. Is a current cert available?

yes, please open a case with Oracle Support and we will provide you an update on SGD 4.50.933.

Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
Obviously an expired/self signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
The Untrusted Connection dialog is a usability nusance, particularly for those of us who understand HTTPS.

Check out:
http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
You will need to turn on Client Auth as described above. Hope it helps.

How to get OS X to accept an SSL Cert the way other UNIX clients do?

I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
Any suggestions would be appreciated.
Thanks in advance--
=N=

when you connect with a web browser to an https site that has a mistmatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
what unix apps are you using to connect to this server?

Webserver refuses to take SSL cert

My SSL cert is installed on my server and when I go to Settings pane in Server.app for the host and edit "SSL Certificate" and choose my cert, the UI will collapse the pane below showing the various services. This is because it applies the cert to all services. When I click OK to accept the setting, it should show my cert right after "SSL Cert:" because should now be applied to all services.
Instead it shows "Custom". When click th "Edit" button again to see whats going on, it shows that all services are using my cert - except the last one - "Websites (Server Website - SSL)"
For that, is simply shows "None". Changing it to my cert then clicking OK, has no effect. It just reverts back to "None".
Apache wont start because there is no cert specified and specifying it manually in ..
"/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
..does no good because OS X simply overwrites it from some place.
So at this point it's impossible to get Apache going on this host. The Server application refuses to accept my cert for the website. I dont get any errors and I dont see any in the logs either pertaining to some failure to apply the setting.
Any ideas?

I forgot to mention that when the Certificate Assistant ask for the Issuer in one of its screen, choose the Intermediate CA certificate. Also, the four PEM files is created in /etc/certificates.
On a fresh Server app install after your get OD Master running or after you have done the web:command=restoreFactorySettings, visit Server app Certificates screen and Custom select the just created Leaf SSL Certificate next to the Web (Default Server - SSL). This will create the default SSL certificate in the Web service window.
Also, if any one of the three *conf files are missing in the sites folder, Server app will hose the folder by renaming it as sites-unusable-nnnn and recreate a fresh sites folder with fresh copies of the *.conf files. In addition, if you read the comments within the 0000_any_80_.conf and 0000_any_443_.conf files, there are certain apache http directives which are off-limits to administrator as Server app will modify their values. It suggests that you create a .conf files with your amendments (of course, they must be within the Virtual Host context) and use an Include directive or through the use of the WebApps mechanism.
Furthermore, you must not set a specific IP address for all your virtual hosts but use Any instead. Since I want to use the built-in Wiki service, I have added wiki.domain.com as Additional Domains for both the Default Servers (since the Default Servers refuse to use ServerName). For my case, since I have multiple IP addresses, I have to specifically amend the virtual_host_global.conf file with a static IP address for the Listen 80 and 443 directives, and since Server app will undo the amendment within the sites folder, I have to bring the virtual_host_global.conf file up one level to the apache2/ folder, amend httpd_server_app.conf to load this virtual_host_global.conf file instead...see below the relevant section of my httpd_server_app.conf file:
<IfDefine WEBSERVICE_ON>
    Include /Library/Server/Web/Config/apache2/sites/0000_*.conf     <--- instead of "*.conf"
</IfDefine>
<IfDefine !WEBSERVICE_ON>
#    Include /Library/Server/Web/Config/apache2/sites/virtual_host_global.conf
    Include /Library/Server/Web/Config/apache2/sites/0000_any_80_.conf
    Include /Library/Server/Web/Config/apache2/sites/0000_any_443_.conf
</IfDefine>
Include /Library/Server/Web/Config/apache2/virtual_host_global.conf
Include /Library/Server/Web/Config/apache2/httpd_server_app_tweaks.conf
The httpd_server_app_tweaks.conf file is my performance tweaks (e.g. StartServers, MinSpareServers, etc.)
So Server app can happily modify the virtual_host_global.conf file within the sites folder but my settings remain safe one level up.

Changing SSL Cert, how do you update the trust profile for devices.

I am in the process of changing out the ssl cert for the trust profile (going from a self-signed to a signed cert). How do you update the trust profile on the devices already paired with the server.

Yes, the linked smart object can be either raster or vector, but they will be placed as raster images, just as the embedded SO are. SO can be embedded or linked to an outside file. Edits to the original will not update in the original until you select "Update modified content from the menu" when you reopen the file that has the place SO in it. otherwise it will update when you save the linked file. Yes, there still is an advantage to having an embedded SO. You may not want to maintain the links - send a file off and forget to include the linked files. You may want to alter the SO, but not the original file.
Ah, thanks. But does this mean that raster and vector smart objects can EITHER be located within the Photoshop file (as they have been since their advent) OR linked to an external file?
And if so,
1. Can this linked file be either raster or vector?
2. Do edits to it automatically update the Photoshop file?
3. Is ther any longer any advantage to having the smart object data stored within the Photoshop file when it can be linked?

SSL Cert Renewal w/Org Name Change

Hello,
We get our SSL certs from a central agency that deals with Verisign. The central agency changed their name, which changes the Organization Name on the cert. That prevents the cert from being imported by the server. On the advice of a Windows admin, I tried to fake it by creating a new site on that server, importing the new cert (all good), but then the new server won't start.
Is there a better way to get the new-org-named cert accepted by the original site?
Steve Kayner

Are you talking about changing your SMTP domain name? Or you want to change AD DS domain name? If you want to change/add SMTP domain that you Exchange is using, just add accepted domain that you wish to use.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Damir

SSL cert error on exchange 2013.

Hi,
Can I please have some help to avoid the following two error messages appears on opening outlook 2013 on windows 7 connected directly to the server 2012 domain.
Godaddy SSL cert is installed on mail.domain.com and firewall forwarding is properly setup.
There is NO error message if we connect through outlook (AnyWhere) on a system which is not part of the domain and connecting from outside.
Error Box 1
Security Alert
servername.localdomain.local
Information you exchange with this site cannot be viewed or changed...................
The security certificate is from a trusted certifying authority.
The security certificate date us valid
X The name on the security certificate is invalid or does not match the name of the site....
Error box 2
Microsoft Outlook
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site servername.localdomain.local
Outlook is unable to connect to the proxy server. (Error Code 10)
Any quick help will be highly appreciated!
Many thanks

Hi,
Are you using a Single domain cert by GoDaddy, if thats the case we cannot add more than one domain to your cert. I believe you have added the outlook anywhere domain name to your cert since your outlook anywhere connection is prompting any errors.
You have two options, one is purchase a UCC Cert and add all URL's required or Please have a look on these below Virtual Directories on the exchange server and modify the the URL's so you will not get the Cert errors.
use the shell to view the internal and external URL's,
Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl
Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
Get-ECPVirtualDirectory | fl internalurl,externalurl
Get-OabVirtualDirectory | fl internalurl,externalurl
Get-WebServicesVirtualDirectory | fl internalurl,externalurl
Change all your internal URL's similar to the external URL's, use the Set command as the example below.
Get-AutodiscoverVirtualDirectory -server EXCHANGE | Set-AutodiscoverVirtualDirectory -ExternalUrl ‘https://mail.domain.com/Autodiscover/Autodiscover.xml’
make sure all your servername.localdomain.local URL's are changed to match primary certificate name.
Regards
Boniface

Rolling out SSL cert on CAS array

Similar Messages

Maybe you are looking for