SSL Certificate Problem With 2003 OWA

[bobo0605]

Hello,

I just upgraded from 2000 to 2003 exchange and i want to use ssl for OWA. I followed the directions on the link provided

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html.

However when i connect to OWA internally it works fine but when i connect from outside i get the following error in IE ( Untrusted Certificate was not issued by a Trusted CA )and ( Problem with website Certificate ). Any ideas would be appreciated.

Thanks

 

[N0ktar]

Yopu need to purchase a crtificate for the server or

http://support.microsoft.com/kb/931850

 

[scottew]

Or you could configure your own CA on your Win2k3 Server.

http://www.petri.co.il/configure_ssl_on_owa.htm

http://www.petri.co.il/install_windows_server_2003_ca.htm

http://www.petri.co.il/obtain_digital_certificate_from_online_ca.htm

 

[SteveRoadWarrior]

N0ktar and scottew deserve stars.
It's worth noting that you can also tell your copy of IE at home to trust the certificate. N0ktar is right, you should purchase a certificate from an online company or use your "self signed" certificate.

I've heard good things about (but not used):

http://www.rapidssl.com

We've had several clients use and like (cheap prices too):

http://www.godaddy.com

It actually sounds like you have two problems, both of them common. The first problem is that your remote PC doesn't trust the CA or "root certificate authority". The second problem is either a) that the name on the certificate doesn't match the name that was entered when the IIS server certificate was submitted or the problem is b) the certificate is expired. I'm going to guess that the problem is "a" - that the name doesn't match.

To fix the first problem, you should tell your web browser to start trusting the CA or root certificate authority. Basically, you tell your computer "from now on, if you see any certificates that are signed by MYSERVER, you can trust what he says". That's what certificates are based on, is trust. If you don't want to trust your CA server, then you should purchase an SSL certificate as noted above. Here's a good rule of thumb, if you are providing services for users under your administrative control (basically, users that work for your company), then it's ok to do the "self signed" certificate. You can roll some of it out via group policy. If you plan on providing SSL services to people that don't know your company or work for your company, you should purchase an SSL certificate from a company that everybody's web browsers already trust. As I said, godaddy.com is one of the cheaper ones out there, and we've been using it to get around Treo 700 SSL problems in Exchange.

To fix the second problem, you probably want to rerun your certificate wizard in IIS (web server for server 2003). Pay extra careful attention to the part that asks you what the computer name is. Use the name >> as seen from the outside <<. If you don't your certificate will be invalid. You'll be saying "my certificate is for owa.company.com" and your users' browser will be unhappy because they're connecting to "webmail.company.com". Just make sure the names match exactly. I've also been told that a way to deal with it is to use this convention "*.company.com" and that covers all bases. You may want to check it out, but if it's true gives you some flexibility.

Hope this helps.

 

[58sniper]

Keep in mind that if you're eventually going to use Windows Mobile devices, you're best off using a trusted cert like GoDaddy.com. Their certs are only $20 per year, so it's a worthwhile investment.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP

 

[lebisol]

second godaddy idea....very cheep very effective.
If anything, do it for the sake of 'remote/public pc users' whose PC may be infected and your

https://site.com

can be spoofed...especially since owa login page is very easy to repilicate.
just a thought


:--------------------------------------:

All around in my home town,
They tryin' to track me down...