Digicert Third Party SSL showing invalid

Dear Team,

My CAS + MB mail server FQDNs are:

1) mail1.xyz.com 2) mail2.xyz.com

I'm using a split-brain DNS scenario to resolve server names using mail.xyz.gov.in and changed all virtual directories' internal and external URLs to mail.xyz.gov.in.

URL: mail.xyz.gov.in points to physical servers mail1.xyz.com and mail2.xyz.com using a hardware load balancer.

In the SSL certificate, I added the following SANs, bought it from Digicert, and the private key has been added to the certificate.

mail.xyz.gov.in, autodiscover.xyz.gov.in, imap.xyz.gov.in, pop.xyz.gov.in, edge.xyz.gov.in and sent DSR to Digicert.

After completing the request with the generated certificate, I'm getting the error: certificate status Invalid.

Q :

Is that SSL error because of a domain name mismatch between the SSL SANs and the actual FQDN of the server?
Is it required to add a single SAN with mail.xyz.com as a common name?

T & R,

K

March 20th, 2015 4:44am

Hi Kamlesh,

I think you have already opened another discussion for the same issue.

You would need to add the FQDN of your Exchange server to the SAN certificate to get it working fine.

March 20th, 2015 4:51am

Hi Deepak,

In my case, what will be the common name and SAN names which I need to add in the DSR?

Is it:

mail1.xyz.com, mail2.xyz.com, mail.xyz.com (Common Name) ---> For internal physical server names

mail.xyz.gov.in, autodiscover.xyz.gov.in, imap.xyz.gov.in ---> For Internet server name resolution

But what will be the actual requirement if I have 2 CA + MB servers? If I add more servers to the DAG, then it will again need the SAN name of that server to be added.

T & R,

Kamlesh

March 20th, 2015 5:54am

You shouldn't need your server names on your certificate.  Can you run? Is mail.xyz.com on your cert?

Run the following:

Get-OutlookProvider

Get-OutlookAnywhere | fl name, *host*

Get-ClientAccessServer | fl identity, *autodiscover*

March 20th, 2015 6:28am

Hi,

Is mail.xyz.com on your cert - No

Please find the output.

[PS] C:\Windows\system32>Get-OutlookProvider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1


[PS] C:\Windows\system32>
[PS] C:\Windows\system32>Get-OutlookAnywhere | fl name, *host*


Name             : Rpc (Default Web Site)
ExternalHostname : mail.xyz.gov.in
InternalHostname : mail.xyz.gov.in

Name             : Rpc (Default Web Site)
ExternalHostname : mail.xyz.gov.in
InternalHostname : mail.xyz.gov.in

[PS] C:\Windows\system32>Get-ClientAccessServer | fl identity, *autodiscover*


Identity                       : DCCAMB1
AutoDiscoverServiceCN          : DCCAMB1
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.xyz.gov.in/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}

Identity                       : DCCAMB2
AutoDiscoverServiceCN          : DCCAMB2
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.xyz.gov.in/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}

Thanks in advance.

T & R,

Kamlesh

March 20th, 2015 6:53am

Can you post a screen shot of the cert error you are getting?
March 20th, 2015 9:07am

Dear All,

Issue has been resolved after importing intermediate certificate.cer on every CA+MB server in DAG.

Thank you all for your support.

T & R,

Kamlesh

March 21st, 2015 3:19am
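
The fix reported above (a missing intermediate certificate on each server) can be checked per server with a chain build. This is an added example, not part of the original posts; the function name `Test-CertChain` is hypothetical, and the hostname is the namespace quoted in the thread.

```powershell
# Added example: run in an elevated PowerShell session on each CAS/MB server.
# $Namespace is the load-balanced name from the thread; change it for your environment.
$Namespace = 'mail.xyz.gov.in'

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so an unreachable CRL/OCSP endpoint does not hide a missing-issuer problem.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)

    # Windows may fetch a missing issuer over the network during Build(), so also
    # check that the issuing CA is actually installed in the local machine stores.
    $issuerLocal = @(Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $Cert.Issuer }).Count -gt 0

    # Subject Alternative Name extension (OID 2.5.29.17), rendered as one line of text.
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    # Exact-name match only; wildcard SAN entries are not evaluated here.
    $nameListed = $san -match ('=' + [regex]::Escape($Namespace) + '(,|$)')

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        NamespaceInSAN = $nameListed
        IssuerInStore  = $issuerLocal
        ChainValid     = $ok
        ChainLength    = $chain.ChainElements.Count
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Inspect every machine certificate that has a private key (candidates for IIS/SMTP binding).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CertChain -Cert $_ } |
    Format-List
```

A certificate with `NamespaceInSAN : True` but `IssuerInStore : False`, or a `ChainStatus` of `PartialChain`, indicates the condition described in the final post rather than a name mismatch.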

This topic is archived. No further replies will be accepted.
