Problem with get-NewExchangeCertificate cmdlet
Hi, I'm trying to create a certificate for my Exchange server which includes the autodiscover URL using the command shell. However, I seem to have trouble getting the friendly name into the certificate. When using the following command line:

New-ExchangeCertificate -generaterequest -FriendlyName <Friendly name> -subjectname <subject> -domainname <domains> -path c:\certrequest_cas01.txt -privatekeyexportable:$true

to generate the request, and using that request to generate the certificate on Windows 2003 Certificate Services, the FriendlyName doesn't appear and shows up as <none> when importing the certificate. This poses problems when using this certificate on ISA 2006 Server. Clients report that the certificate is untrusted. Generating a certificate from IIS (but then without the multiple domain names), the FriendlyName is populated. Any ideas? Franc.
January 13th, 2007 10:20pm

Hi, well I'm not sure if the friendly name has anything to do with it, but as soon as I create a certificate containing multiple domain names (Subject Alternative Name) and the friendly name is missing, my Nokia E70 reports that it's an untrusted certificate. Any suggestions? Franc.
January 13th, 2007 10:44pm

I can't test your situation directly and am having to make some guesses about what you've already tried. I have two suggestions for you to try. I assume that you may have made previous attempts to get this to work using the same value of the -path parameter. Try the command you believe to be correct but add the -force parameter. Also try -generateRequest:$true instead of your current syntax for that parameter. Try that with and without the -force parameter.
January 23rd, 2007 2:33am

Franc, the friendly name is not a critical part of the certificate itself; it is just an extra field when you import the cert into a certificate store, so what you can do is specify it on the Import-ExchangeCertificate cmd. AFAIK the friendly name has no impact on whether or not the certificate is trusted (that is determined by the client having the certificate of the CA used to create the cert in its trusted root certificates). Andre.
January 28th, 2007 9:23pm
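The workflow Andre describes, written out as an added example for the Exchange 2007 Management Shell (this is not code from the thread). It assumes an enterprise CA reachable as CA01\Example Issuing CA with the Web Server template published; the host names, subject, paths and friendly name are placeholders. The point it demonstrates is that a PKCS#10 request carries only the Subject, the SAN extension and the public key, so a friendly name given at request time cannot reach the CA or the issued certificate; it has to be set when the certificate is imported into the store.

```powershell
# Added example, not from the original thread. Assumes Exchange 2007 cmdlet syntax,
# a CA named 'CA01\Example Issuing CA' and the Web Server template; every host name,
# path and friendly name below is a placeholder.
$commonName   = 'mail.example.com'
$sanNames     = 'mail.example.com', 'autodiscover.example.com', 'cas01'
$friendlyName = 'CAS01 SAN certificate'
$reqFile      = 'C:\certrequest_cas01.txt'
$cerFile      = 'C:\cas01.cer'

# 1. Build the PKCS#10 request. The request format has no field for a friendly name,
#    so the value passed here stays on the local machine and never reaches the CA.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$commonName, O=Example, C=NL" `
    -DomainName $sanNames -FriendlyName $friendlyName `
    -PrivateKeyExportable:$true -Path $reqFile -Force

# 2. Submit the request to the Windows 2003 CA against the Web Server template
#    and save the issued certificate.
certreq -submit -config 'CA01\Example Issuing CA' `
    -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile

# 3. Import the issued certificate. This is where the friendly name belongs: it is a
#    property of the certificate store entry, not of the certificate itself.
$cert = Import-ExchangeCertificate -Path $cerFile -FriendlyName $friendlyName

# 4. Compare what the certificate says (subject, SAN list, issuer) with what the
#    store says (friendly name) before binding it to any service.
$cert | Format-List Thumbprint, Subject, CertificateDomains, Issuer
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Thumbprint, FriendlyName

# 5. Only then assign it to IIS (OWA, Outlook Anywhere, Autodiscover, ActiveSync).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
```

The second listing in step 4 reads the friendly name straight from the machine store through the Cert: provider, so it shows exactly what the Exchange Management Console and ISA will display; if it is <none> there, the import step is what needs fixing, not the request.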

Hi, just tried it. It appears that as soon as I use Alternative Names on the certificate, my Nokia E70 doesn't like the certificate anymore. If I use a wildcard certificate then my Nokia accepts it fine, but then Windows Mobile 2005 doesn't accept it... Wonderful world of compatibility here... Franc.
January 29th, 2007 12:21am

Franc, are both certificates generated by your own CA, or by a public CA (such as Verisign)? I suspect that your wildcard is from a public CA, and therefore your E70 accepts it, and your cert with the alternative names is something that was created using your own CA, and therefore the Nokia does not accept it. If that is the case, then my assessment is that your problem has nothing to do with the get-NewExchangeCertificate commandlet or the friendly name, or Subject Alternative Names. If your cert with Subject Alternative Names is from a trusted root CA, then your device does not support the X509 v3 extensions (where Subject Alternative Names are introduced), and you will have to make sure that the Common Name on the cert is the name that you use for access. If the cert with Subject Alternative Names is created by your own CA, then you can try to seek a way to install your root CA certificate into the trusted root store of your device (not sure if this is possible). Alternatively, if you have an ISA firewall, you could try to attach the wildcard cert to the public listener, use your own cert on your Exchange server, and configure SSL to SSL bridging. (No guarantees, as I have no first-hand experience with your situation.) G'luck, Andre.
January 29th, 2007 12:43am
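Andre's post separates three questions that a client answers independently: does the issuer chain build to a root the client trusts, what is the Common Name (the only name a client without X.509 v3 SAN support compares against the host it connected to), and what is in the Subject Alternative Name extension. The following script, an added example rather than code from the thread, reports all three for an exported certificate. The path and access name are placeholders. One caveat it cannot remove: the chain result reflects the trust store of the machine running the script, so a certificate that reports as trusted on an admin workstation with the internal root installed can still fail on a phone that lacks that root, which is exactly the case Andre describes.

```powershell
# Added example, not from the original thread. Loads an exported .cer and reports
# chain trust, CN and SAN as seen from THIS machine's trust store. Placeholders:
# the .cer path and the host name clients use.
param(
    [string]$CerPath    = 'C:\cas01.cer',
    [string]$AccessName = 'mail.example.com'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Offline check: whether the issuing CA is trusted is a separate question from
# revocation, and the CRL may not be reachable from where this runs.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

$problems = @()
foreach ($s in $chain.ChainStatus) { $problems += $s.Status.ToString() }
$status = if ($problems.Count -eq 0) { 'no chain errors' } else { [string]::Join(', ', $problems) }

# Subject CN: the only name a client without SAN support will match against.
$cn = $cert.GetNameInfo('SimpleName', $false)

# Subject Alternative Name extension (OID 2.5.29.17): what a v3-aware client matches.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }

"Issuer        : $($cert.Issuer)"
"Chain trusted : $trusted  [$status]"
"CN            : $cn  (equals '$AccessName': $($cn -eq $AccessName))"
"Wildcard CN   : $($cn.StartsWith('*.'))"
"SAN           : $sanText"
```

Reading the output against the thread: a SAN certificate whose CN is not the access name will fail on a client that ignores the extension even when the chain is trusted; a certificate issued by an internal CA will show chain errors (typically UntrustedRoot) on any machine without that root; and a wildcard CN satisfies a name-only check on clients that accept wildcards while failing on those that do not, which matches the E70 versus Windows Mobile 2005 behaviour Franc reports.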

Hi, all certificates we use are created using our own Windows 2003 CA. It works perfectly when using only the common name. However, as soon as you use the common name in conjunction with Subject Alternate Names it fails on my Nokia. We already do use ISA, but have one listener. This listener is configured with the certificate. As soon as I use the wildcard certificate it works fine for my Nokia, but then the WM2005 devices can't sync anymore (certificate error). When I install the certificate with the Subject Alternative Names, the WM2005 devices sync fine, but then the Nokia E70 doesn't. The only thing I can think of now is configuring a second listener with the autodiscovery certificate on it. However, this will not work, since we only have one external IP address. Wish there was a way to reconfigure Outlook 2007 to use a different URL for the autodiscover URL. That would solve all issues. Franc.
January 29th, 2007 12:50am

