Exchange Server 2003 Certificate Authority Problem
New to Exchange Server and CA both. We have Server 2003 Std. configured as both an Exchange Server and a Certificate Authority. We recently began to experience problems with the security certificate issued by the CA and used by remote users to connect to the Exchange server for email from outside the office. The certificate had not expired, yet we received the "certificate invalid" message when Outlook tried to connect. Internally we can still connect just fine. Now, however, we no longer receive even the error message when trying to connect from outside - Outlook just presents a "trying connect" and then "disconnected" message. We also used to be able to use OWA, but that is totally blocked. IE simply says "cannot connect to webpage" and Google Chrome says "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error". In trying to fix the problem, I'm afraid we may have bungled up more than we fixed. It's difficult to tell, however, since an outside company set up our system initially, and - although I'm no network/Exchange admin - there seem to be a lot of extraneous revoked certificates, duplicate issues, and so on. At this point, is there any way to just "start over" with the certificate authority to start from scratch? And if so, can anyone point me to a good reference (the Microsoft Help sections really are cryptic)? Or would it be better to try to fix the problem? I realize I left out a lot of information that may be useful in helping to solve this problem, but I wanted to start somewhere. If someone is inclined to help, I would appreciate it.
Sean
May 13th, 2012 11:03pm

If you're issuing an SSL cert from your CA for your Exchange 2003, that can be expected because it's not issued by a third-party CA such as VeriSign, NetSol, GoDaddy etc. Now why was it working before? Possibly because you may have been pushing the cert to your domain clients via GPO. When using internal CA certs you will run into these issues because it is not inherently trusted by default, so users will get cert errors on OWA and Outlook Anywhere. I would recommend purchasing a third-party cert.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 14th, 2012 11:15am

Evan, actually, to enable a client outside of our network/domain to connect to the Exchange server (usually through Outlook, though also through OWA) we issue certificates from the CA, then copy them to the client/remote machine and install them in the trusted root of the certificate store. This has worked great for the past few years, is inexpensive, and provides enough security for our needs. From my understanding of the process, a CA can self-sign and then issue certificates based on its own certificate chain. I'm at a loss as to why the CA suddenly stopped validating itself. At this point, we've hired an outside company that we've used before - good, knowledgeable, but pricey (still not as much as buying a third-party cert) - to correct the problem for us. If I can find out what the problem was after they've fixed it, I'll try to post it back here since I've seen that there have been a few views on this thread. Thanks for responding, Evan.
Sean
May 15th, 2012 10:20am

Your understanding is correct: when using internal certs, the internal CA has to get imported into your client computers so it's trusted. For domain-joined machines it's already trusted, but for non-domain-joined ones you have to manually import it. As to why it suddenly doesn't like the cert, check the cert on the client machine. Log into OWA and once you get the cert error, click on the icon on the right side of the toolbar; usually there is a red X. View the cert and it should give you some reason. Maybe it got deleted from the cert store on the client. Now again, you're trying to support a production environment with an internal cert for a resource that is published for users across the internet; it's not best practice. Certs are not expensive; you can get one for under 100.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
May 15th, 2012 10:28am
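The two steps James describes for a non-domain-joined client (import the internal CA's root into the Trusted Root store, then look at the certificate the server presents and read the reason it fails) can be done from a PowerShell prompt instead of clicking through the browser's certificate dialog. The script below is an added example, not code from this thread or from Microsoft; it assumes the CA's root certificate has already been exported to C:\certs\internal-root.cer (on the CA itself, `certutil -ca.cert internal-root.cer` writes that file), that the Exchange front end answers on mail.example.com port 443, and that the script runs in an elevated prompt on the remote client. Both host name and path are placeholders.

```powershell
# Added example (not from the original thread). Assumed values: the root
# certificate path, the server name and the port are all placeholders.
param(
    [string]$RootCerPath = 'C:\certs\internal-root.cer',
    [string]$ServerName  = 'mail.example.com',
    [int]   $Port        = 443
)

# 1. Put the internal CA's root certificate into the machine-wide Trusted Root
#    store, which is what a GPO would do for a domain-joined client.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerPath)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
if ($store.Certificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint }) {
    Write-Host "Root already present: $($root.Subject)"
} else {
    $store.Add($root)
    Write-Host "Imported root: $($root.Subject) ($($root.Thumbprint))"
}
$store.Close()

# 2. Fetch the certificate the server actually sends during the TLS handshake.
#    The validation callback returns $true so the handshake completes and the
#    chain can be examined explicitly in step 3; a handshake that fails before
#    any certificate is returned is the "SSL protocol error" the browser shows.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($ServerName)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# 3. Build the chain the way Outlook and IE would and print each failure
#    reason (UntrustedRoot, NotTimeValid, PartialChain, RevocationStatusUnknown ...)
#    instead of the generic "certificate invalid" dialog.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$trusted = $chain.Build($serverCert)

"Subject : $($serverCert.Subject)"
"Issuer  : $($serverCert.Issuer)"
"Valid   : $($serverCert.NotBefore) -> $($serverCert.NotAfter)"
"Trusted : $trusted"
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object {
        "  problem: $($_.Status) - $($_.StatusInformation.Trim())"
    }
}

# The certificate must also carry the name users type into Outlook or OWA;
# print the Subject Alternative Name extension if present, else the CN.
$san = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    "Names   : $($san.Format($false))"
} else {
    "Names   : $($serverCert.GetNameInfo('SimpleName', $false))"
}
```

If step 2 fails with a socket or handshake error, the problem is not the certificate's trust at all but the server side of TLS (no usable certificate bound to the site, or a protocol the client will not negotiate), which matches the symptom in the first post where the error changed from "certificate invalid" to no connection at all. For a one-off check without PowerShell, `certutil -verify -urlfetch <exported-server-cert.cer>` on the client reports the same chain and revocation status.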

Wow! I didn't realize they were that inexpensive. I think we may look into that option. Right now, however, we're fixed. Somehow or another - but fortunately not as a result of my inexperienced bungling around in the CA - the Exchange Server "lost" its own certification. Something I noticed, and that the tech who just fixed the problem noticed, is that the CA's own certificate appeared to be there and valid, and even gave the option to view it, but when the view button was clicked, nothing happened. He knew how to remove the "ghost," however (I did not), and reissue its own certificate, which then satisfied all clients seeking to connect that the server was valid, with a valid cert identifying itself as itself. Once that happened, all certificates that had been previously issued by that CA suddenly trusted the source again, and all is well. James, thanks for your input. Sorry for incorrectly referring to you as Evan! (I think I was looking at another thread at the time.)
Sean
May 15th, 2012 12:31pm
