X509 and MS Exchange Certificate

Similar Messages

• Lync + Exchange certificate

  Hello guys,
  I want to go through the PIC provisioning process so that my lync users can communicate with Skype users. I am aware that i need a public certificate for my edge server in order to do this. Right now i have certificates for my Exchange 2013 and Lync 2013
  from my internal CA and i want to replace the Lync Edge certificate and the Exchange Certificate with a public one(SAN, i want all the FQDNs on one certificate). I have read other articles on this but i want to be sure so please hear me out.
  1) My Lync Edge server has only one external intereface with the FQDN sip.contoso.com. From what i've read i cant use wildcard certificates with this interface, so i must use SANs.
  2) My Exchange uses one namespace: mail.contoso.com. Also i need autodiscover.contoso.com for autodiscovery.
  So the certificate will look something like:
  CN: sip.contoso.com
  SAN: mail.contoso.com, autodiscover.contoso.com
  Do i need to put sip.contoso.com or anything else in SAN also?
  I'm going to test this with an internal certificate before i buy a public one, but i want a second opinion before testing on a production environment.
  Thank you

  Hi,
  I would say , we should include sip.domain.com in certificate SAN entry. Few validation checks will skip subject name and verify SAN in the certificate. Following article may help you ;
  http://technet.microsoft.com/en-us/library/gg398519.aspx
  Thanks
  Saleesh
  If answer is helpful, please hit the green arrow on the left, or mark as answer. Blog : http://blogs.technet.com/b/saleesh_nv/

• Checklist for Exchange Certificate issues

  Checklist for Exchange Certificate issues
  1. 
  Why certificate is important for Exchange and What are Certificates used for
  Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
  securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
  Certificates are used for several things on Exchange Server. Most customers also use certificates
  on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
  IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
  POP/IMAP
  SMTP
   2. 
  Common symptoms for
  certificate issue
  Here we can see three different types of the certificate warning, mainly from the Outlook
  side.
  a.
  Certificate mismatch issue
  b.
  Certificate trust issue
  c.
  Certificate expiration issue
  3. 
  Checklists
  In this section, checklists will be provided according to the three different scenarios:
  Certificate Mismatch Issue
  [Analysis]:
  This issue mainly occurs because the URL of the web services Outlook tries
  to connect does not match the host name in the certificate.
  [Checklist]:
  Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
  Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
  In this scenario, you need to check the host name for the following services:
  Autodiscover
  EWS
  OAB
  ECP
  UM
  If any of the urls above does not match the one in the certificate, refer to the following article to change
  it via EMS:
  http://support.microsoft.com/kb/940726
   1.
  Do not forget to restart the IIS service after applying the changes above.
   2. Make sure a valid certificate is enabled on the IIS service.
  Certificate Trust Issue
  [Analysis]:
  For the self-signed and PKI-based (Enterprise)
  certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
  certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
  greatly simplifies deployment.
  [Checklist]:
  If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
  If it is a 3^rd-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
  client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
  Certificate Expiration Issue
  [Checklist]:
  When a certificate is about to expired, we just need to renew it by referring the following article:
  Renew an Exchange Certificate
  http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
  To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
  [How to set a reminder to alert the administrator when a certificate is about to expired]:
  It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
  certificate expiration. Or there can be a large user impacts.
  Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
  If it’s not quite visible, we can refer to the following solution:
  http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
  OWA certificate revoked issue
  [Analysis]:
  IE
  includes support for server certificate revocation which verifies that an issuing
  CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
  are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
  [Solution or workaround]:
  1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
  2. If not, check whether the certificate has a private key.
  3. Remove the old certificate and import the new one.
  Workaround:
  IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
  checkbox.
  4. 
  More References
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  More on Exchange 2007 and certificates - with real world scenario
  http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

  (Reported previous post with link to SIS package to moderator)
  This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
  Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
  But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
  At this point, try 2.7.0 which is out now:
  http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
  Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
  I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
  Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

• Differences between SSL and Code-Signing Certificates

  Hello,
  I unsuccessfully tried to use a SSL - certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned, that SSL certificates and code-signing certificates are different things (after seeking the web for ours). Can somebody point out some source of information about this topic ? What are these differences ? Can I convert my SSL certificate into a code-signing certificate ?
  Things got even more confusing for me, since my first attempt with an wrongly converted SSL cetificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
  Ulf

  yep, looks like it.
  keytool can be used with v3 x509 stores:
  Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation ( for Solaris ) ( for Windows ).
  jarsigner needs a keystore so I would assume public and private key pair.
  you could list the keys from your store:
  C:\temp>keytool -list -keystore serverkeys.key
  Enter keystore password: storepass
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 2 entries
  client, Jul 5, 2005, trustedCertEntry,
  Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
  server, Jul 5, 2005, keyEntry,
  Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
  The server is the private key, this can be used with jarsigner (alias option).
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar client
  jarsigner: Certificate chain not found for: client. client must reference a val
  id KeyStore key entry containing a private key and corresponding public key cert
  ificate chain.
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar server

• RESOLVED On Premises (intranet use only) Exchange Certificate Help (Please)!

  I apologize in advance for what may end up being a very silly issue.
  I have racked my brain and read and searched and I still can't seem to find the answer to my question.
  I have an in house Exchange server that is only accessible internally. We do not have external clients (laptops/tablets/etc) and all computers stay on premises. Most of our clients use OWA to access email. Everything has been working fine up until about
  2 weeks ago when everybody started getting a certificate error. I have tried every thing I can find to fix this issue to no avail. It seems the thumbprint of the certificate is different each time I visit the exchange server (https://exchange/owa). So I can
  install the certificate which works for a few minutes and then it prompts me again. When looking at the thumb print of each instance, everything seems to be exactly the same with the exception of the thumbprint.
  My first question, is do I still need to go through a CA even though this server is not accessible via external IP?
  Where are my clients getting the certificate they are trying to install because they do not match the certificate that is installed on the Exchange Server.
  Thank you in advance for anybody that can steer me in the right direction to getting this resolved.
  I support this site remotely so any additional info can be provided but there might be a small delay.

  First, thank you for taking the time to respond.
  "I'm going to assume that you have some sort of PKI infrastructure with in your environment."
  I'm not sure I do. This project landed in my lap a few years ago. This particular client is my only client
  with exchange. I have limped my way though to this point but I'm afraid I'm just not clear on what it is I actually need.
  We are running Exchange 2013 on a Server 2008 box. Everything worked fine up until about 2 weeks ago. I have no idea what changed.
  I think my biggest problem is my lack of understanding of where the client is pulling the certificate when I access the intranet site. I don't understand why the certificate (whether valid or not) isn't matching the certificate within IIS/Exchange admin.
  Hi,
  I think you can check your certificate information and provide the information here for more help. Please run the following command in Exchange Management Shell:
  Get-ExchangeCertificate | fl
  Additionally, since the certificate issue occurs when accessing Exchange server from OWA, please check the OWA configuration in your Exchange:
  Get-OwaVirtualDirectory | FL Identity,*Authentication*,*url*
  Generally, the namespace used in the OWA URL should be included in the Exchange certificate which is assigned with IIS service.
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• Exchange certificate error

  Hi Guys,
  I am in the process of upgrading my exchange 2007 to 2013. i now have setup a 2013 server successfully. However, i seem to be having problems with my exchange certificate. Everytime i open my outlook it comes up with the dialogue gox below
  The old server is still in the envirnoment so i was thinking its certificate is the one being picked up. could this be that the CAS is still on the old server? if yes, how to i transfer it. if otherwise, please assist.
  Regards,
  BJ

  Hi,
  I suggest try to re-create profile to refresh the caches for testing.
  If doesn't work, please try to check following checkpoints:
  1. Open IE and browse RPC URL, https://mail.domain.com/rpc, to examine the certificate.
  2. Install the trusted root certificate.
  3. Disable the 3rd party add-in or the 3rd party browser add-in.
  More details to refer following KB:
  Error message when Outlook tries to connect to a server by using an RPC connection or an HTTPS connection: "There is a problem with the proxy server's security certificate"
  https://support.microsoft.com/kb/923575?wa=wsignin1.0 
  Also provide an FAQ for your reference:
  Checklist for Exchange Certificate issues
  https://social.technet.microsoft.com/Forums/en-US/fa78799b-5c55-4c71-973b-0e186612ff6f/checklist-for-exchange-certificate-issues?forum=exchangesvrgeneral
  Thanks
  Mavis Huang
  TechNet Community Support

• OIF-do I need to exchange certificate,keys if using selfsigned certificate?

  I have setup OIF federated authentication and it works between SP and IdP. I think I'm using self-signed certificates.
  With my setup, I did not have to exchange certificate between SP and IdP, however, my customer (IdP side) told me that I need to exchange with them the self-signed certificates and public key/private key.
  Do I need to exchange self-signed certificates and public key/private key between SP and IdP or only third party CA signed certs need to be exchanged?
  Also, to exchange certificate, I thought I just need to add it through "Trusted CAs and CRLs" in EM, but I'm not sure how to exchange public key/private key?
  Thanks

  I got "exchange certificate" working by enable certificate validation and adding IdP's certificate to SP or vice versa. the configuration was done through "Trusted CAs and CRLs" in OIF EM.
  However, I'm not sure what "public key needs to be exchanged" means. Could you please tell me what to do? or, are you saying public key is part of certificate and it exchanged by exchangeing certificate?
  Thanks

• Netbios names on exchange certificates

  Hi, 
  Is it not best practice to include the server netbios name in the SAN on the Exch 2013 SSL cert? Also is it even supported as I see some suggestions that netbios names on exchange certs is not often supported by online certificate authorities.
  Thanks 

  Hello,
  Since the certificate SAN name can be seen by public. If any security issues are not cared, it’s fine to add it to the SAN name.
  More information and best practices for Exchange Certificate in:
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  Thanks,
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Simon Wu
  TechNet Community Support

• I have 4 email accounts in apple Mail.  My mail is sending from the wrong account.  even on "reply" it sends from a different account.  I have 3 gmail accounts and one exchange server account. I choose which account to send from and it still sends from a

  I have 4 email accounts in apple Mail.  My mail is sending from the wrong account.  even on "reply" it sends from a different account.  I have 3 gmail accounts and one exchange server account. I choose which account to send from and it still sends from the same gmail account.  Help.

  I HAD two accounts because of this problem.  I completely removed the problem account from the Apple Mail client.  Guess what is happening??  That's right - Mail is still sending from the other account that no longer exists on my computer, and I have absolutely no idea how this is happening.  This is incredibly frustrating.  When a recipient chooses to reply to my message, quite often I won't get it now because it is going to the other account that has now been deleted from my system.  COME ON APPLE!!! WHAT'S THE DEAL WITH THIS???

• I am using an iPad and iPhone and have exchange as my email. Both will only collect mails when I am in the wifi of the office, and not when I am out and about. I can't seem to get a fix for it.

  I am using an iPad and iPhone and have exchange as my email. Both will only collect mails when I am in the wifi of the office, and not when I am out and about. I can't seem to get a fix for it.

  This - https://support.mozilla.org/en-US/kb/how-make-web-links-open-firefox-default - didn't work?

• MAJOR PROBLEMS WITH IPHONE 3G AND MICROSOFT EXCHANGE!!!! PLEASE HELP!!!!

  Ok,
  My exchange server at work was synced to my iphone and has worked with no issues. I then exchanged my phone because there were issues with my bluetooth not syncing properly. So with this new phone, it prompts me to enter in my exchange server password every few days. I contacted my IT department as well and microsoft to get this issue resolved because I assume that there were issues with the exchange server. They were both able to see an event viewer and it showed that my iphone was attempting to log in numerous amounts of times, which locks out my account after 3 incorrect log ins. Even when I erased the exchange account from my phone, it still showed that the phone in the event viewer was trying to log in over and over again. I then did a master clear and restore and the process was removed in the event viewer. So then I called my IT department to unlock my account after I cleared everything. I was able to sync everything again with it working properly. Now its a day later and the my exchanger server prompts me to enter in the password AGAIN and my exchange account is locked AGAIN because the event viewer at work is showing the same issues. Is my Iphone not saving the password correctly? What do I do? My IT department even created a dummy account to see if a new account would fix the issues but yet no cigar! HELP!!

  The iPhone you returned is still syncing against your server and locking out your account. Someone possibly has access to your mail data. I'd recommend having your Exchange Administrator install the Microsoft Exchange Server ActiveSync Web Administration Tool (http://www.microsoft.com/downloads/details.aspx?FamilyID=E6851D23-D145-4DBF-A2CC -E0B4C6301453&displaylang=en) and attempt to wipe/delete/block that other iPhone.
  Message was edited by: ethanm

• Hi! I've got CS3 Design Standard - the actual disks and Software License certificate. It was installed on my laptop which crashed and could therefore not be uninstalled. I have now installed it on my new MacBook Pro, but cannot get it registered with the

  Hi! I've got CS3 Design Standard - the actual disks and Software License certificate. It was installed on my laptop which crashed and could therefore not be uninstalled. I have now installed it on my new MacBook Pro, but cannot get it registered with the serial number. Is it because it wasn't uninstalled on the previous laptop? What to do now?? Thx!

  Maybe this can help someone else...  I simply had to properly uninstall CS3 and reinstall it again after that.  I think that sorted it!  I also remember having a similar issue with Macs at work a couple of years back.  Not sure whether the same applies to CS5/CS6.  Here's a link on how to properly uninstall CS3 on Windows XP, Windows Vista and Mac OS.  I'm on OS X 10.9.2 but it worked just fine.  Remove Creative Suite 3 and CS3 products

• Administration Node and non-default certificate

  Hello,
  We are running our administration server on one host, and we have multiple other hosts configured as administration nodes. We used our company CA to generate a server certificate for our administration server, and that appears to be working fine. We tried to do the same thing on our administration nodes, and something curious is happening.
  I used certutil -R to generate a CSR and private key. I then took the generated CSR, obtained a signed certificate from our company CA, then used certutil -A -t u,u,u to install it (and certutil -A -t CT,, to install the CA cert itself). Running certutil -L, I see that in addition to the default Admin-CA-Cert and Admin-Server-Cert our company CA cert and the newly signed cert show up. So far, so good.
  Next, I modified the server.xml to specify the server-cert-nickname as that assigned to my new cert.
  To put these changes into effect, I stop and start the admin server, but upon doing so, I see this message:
  warning: LCM0006: Lifecycle module [AdminLifecycleModule] threw ServerLifecycleException [com.sun.web.admin.exceptions.AdminException: ADMIN3668: Cannot start an unregistered node. Register with an administration server. ]
  OK, so I run wadm register-node to re-register the admin node (presumably it needs to tell the admin server about our new certificate) and then start the admin server again, and it starts. Problem is, the act of running wadm register-node has reset the server-cert-nickname back to the default (Admin-Server-Cert) and even more bizarre, has deleted both our local CA and my new certificate from the certificate & key database.
  How do I - or is it even possible to - run my admin nodes with certs signed by our company CA?
  Thanks,
  Bill

  Hi,
  Can u explain the problem elaborately
  Thanks,
  Raj_indts
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support"

• ABAP STACK and JAVA STACK certificates

  Hi Fiends,
  I have requirement in which I want to use HTTP adapter to send message and apply security certificate. I got from sdn that if I wan to use http adapter with certificate than I have to install certificates in ABAP stack.
  My problem is I had one scenario in which I am using BC adapter to send message with security certificate and for that I had applied certificates in java stack and its working properly.
  My question is,
  Is it possible to use Java Stack and ABAP STACK together..?
  I mean is it possible to implement both of the above scenario in same xi system?

  Hi Soni,
  You cannot use the same certifcates wihch you installed in Java stack with abap stack. You need to install separealy on teh abap stack.
  For HTTP communication you dont need to install certificates. You only need when you want to use HTTPS communication. So if you want to use HTTPS communication and want to use SOAP adapter then you can use ther certifcates which is already installed on java stack. But if you want to use HTTP adapter then you need to install in ABAP stack.
  Please see this hlep on how to install on the java stack and the process behind it:
  http://www.i-barile.it/SDN/EnablingSSL&ClientCertificatesOnTheSAPJ2EEEngine.pdf
  Also check this help:
  http://help.sap.com/saphelp_nw04/helpdata/de/14/ef2940cbf2195de10000000a1550b0/content.htm
  on abap stack check seshus response:
  HTTPS  enabling
  Regards,
  ---Satish

• Suggestion for Pricing Type and Pricing Exchange Rate Type

  Dear All,
  Good Day,
  what would be your recommendation to maintain Pricing type and Pricing exchange rate type for below process. 
  1. Invocie.
  2. Cancellation of Invoice.
  3. Return Invoice.
  4. Credit Note.
  5. litigious Invoice.
  Best Regards,
  KSK

  Thanks sam,
  I have configured the same but now problem is Billing Header Exchange rate is not changing. Because of that Accounting document also doesn't have new exchange rate,.
  1. Is there any another config needs to be maintain.
  Example:
  Sale order  Exchange rate              10.45           Order date  :  01.11.2008
  Billing Header Exchange Rate         10.45           Billing date :  05.11.2008
  Billing Line item Exchange Rate      11.00           Billing date :  05.11.2008 base on VTFL Config
  Account Document Exchange Rate 10.45          Posting date : 05.11.2008 because of Billing Header exchange Rate
  I need Accounting document also to carry New exchange rate 11.00 . suggest me.
  Best Regards,
  KSK