Further to my recent posts on setting up our Nokia E61i for use with Microsoft Exchange Server 2007 and troubles installing an SSL certificate via GoDaddy.com, things have moved on a little, but not much…
Pulling my hair out with the certificate company’s support desk, I noticed my TechNet card and realised I have two support incidents per year as part of my TechNet Subscription. Perhaps Microsoft could help?
Setting up the credits for the support incidents was quite frustrating, as I spent some time playing what felt like an almost impossible game of Sudoku on Microsoft's automated telephone system. Press 3, then Press 5, then Press 2, then Press 3, then Press 2. Now I’m back to the start menu again. To utilise the two support incidents I need to get a support ‘contract’, and in order to get that I need an Access ID - the first guy on the phone wasn’t sure what an Access ID was but offered me a chargeable support call. No thanks. The next person was most helpful; however, as I had now found myself in contact with the Developer Team (even though I felt sure I pressed the right combination of buttons), there was little he could help with on Exchange, so I got transferred again. Fortunately, this time was better and the person was most helpful, even though when I explained I needed an Access ID I was told that I didn’t have a support contract. "I know, that’s what I’m trying to get!". After the short interlude everything turned more positive and an email arrived in my inbox with my contract ID.
I went onto the online support incident logging system, logged in and hey presto. Shortly afterwards I got my first response from the support team - very impressive, and for a change it looks like they had actually read what I had written. They even took the time to explain their understanding of my problem based on the information I had provided, which was spot on. They then used Easy Assist to take remote control of my screen and check things on my system. The upshot was that I needed to resubmit my certificate application to the certificate company, which as it turned out had somehow cancelled my previous SSL certificate. This was most likely my fault, as the myriad options on the Certificate screens were not very intuitive and I probably clicked something I wasn’t supposed to. Anyway, I asked the certificate company for help sorting this particular problem out and surprisingly they did, which was a spot of luck.
After re-applying for a certificate we went through the installation procedure once more and everything seemed to be working better.
The import-exchangecertificate command went smoothly and I even learned a tip - that you can drag a file from Explorer into the PowerShell window and it brings in the full path and filename to save having to type it.
The get-exchangecertificate command confirmed the import had succeeded and offered a thumbprint.
The next command, enable-exchangecertificate -thumbprint XXYYZZ -services "iis,smtp,pop,imap", brought up a new option asking "overwrite existing default SMTP certificate", which was promising. Confirming this and running the get-exchangecertificate command confirmed the new certificate was installed properly.
Checking IIS uncovered a new issue though - clicking on the Default Web site, right clicking and selecting Properties, then Directory Security, then View Certificate, then Details showed that the Subject Alternative Name (SAN) section was showing only 2 DNS entries: the domain itself and the www followed by the domain. When requesting the certificate we had requested 7 names including autodiscover, outlook and the local machine name, but these were missing from the received certificate. This was as far as the Microsoft support desk could go and I needed to re-approach the certificate company support desk.
I sent the support request off with all the details and explained that for our domain I had requested multiple names but only received 2, but the support desk reply talks about the need for me to reapply for a certificate to support multiple domains. I thought this was odd as 6 out of 7 of the names were in the same domain; however, the certificate company rightly pointed out that one of the common names was not in the domain (the local NETBIOS machine name, which is recommended to be included) and that I should check with the software manufacturer as to whether a wildcard certificate or UCC certificate would be appropriate.
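The SAN check described above can be scripted instead of clicked through in IIS. The following is an added example, not part of the original post: the function names are hypothetical and every host name in it is a constructed placeholder. It also shows why a wildcard entry cannot cover a single-label NETBIOS name.

```powershell
# Added example: compare the names requested for a certificate with the
# DNS names actually present in its Subject Alternative Name extension.
function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }   # OID of Subject Alternative Name
        # Format($true) prints one entry per line, e.g. "DNS Name=www.example.com".
        # The "DNS Name" label is localized; this pattern assumes an English system.
        foreach ($line in $ext.Format($true).Split("`n")) {
            if ($line.Trim() -match '^DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
        }
    }
}

function Compare-CertificateName {
    param([string[]]$Required, [string[]]$Present)
    $have = @()
    foreach ($p in $Present) { if ($p) { $have += $p.ToLower() } }
    foreach ($name in $Required) {
        $n = $name.ToLower()
        $dot = $n.IndexOf('.')
        $covered = $have -contains $n
        foreach ($p in $have) {
            # "*.example.com" covers exactly one label to the left of ".example.com";
            # a single-label (NETBIOS) name has no dot, so a wildcard never covers it.
            if ($p.StartsWith('*.') -and $dot -gt 0 -and $n.Substring($dot) -eq $p.Substring(1)) {
                $covered = $true
            }
        }
        New-Object PSObject -Property @{
            Name        = $name
            Covered     = $covered
            SingleLabel = ($dot -lt 0)
        }
    }
}

# Constructed sample data: names requested versus names found in the issued certificate.
$requested = 'example.com', 'www.example.com', 'autodiscover.example.com',
             'outlook.example.com', 'EXCHSRV01'
$issued    = 'example.com', 'www.example.com'
Compare-CertificateName -Required $requested -Present $issued |
    Select-Object Name, Covered, SingleLabel | Format-Table -AutoSize

# To check an installed certificate instead (thumbprint is a placeholder):
#   $cert = Get-Item Cert:\LocalMachine\My\XXYYZZ
#   Compare-CertificateName -Required $requested -Present (Get-SanDnsName $cert)
```

Any row with Covered set to False is a name clients will get a certificate warning for; a row that is also SingleLabel can only be fixed by listing that name explicitly in the certificate.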
I sometimes wonder if I may be the first person in the world to try and install a certificate on an Exchange 2007 Server.
For information on the difference between a wildcard certificate and a standard SSL certificate, see the GoDaddy article "What is the difference between an SSL certificate and a Wildcard SSL certificate?"

1 response so far ↓
1 Robert // Dec 16, 2007 at 8:47 pm
The UC certificate is definitely required if you need to access it using a local NETBIOS name. I’d recommend this article for an overview of the process of installing a certificate on Exchange 2007:
http://blog.rimann.org/de/einzelansicht/archive/2007/november/07/exchange_2007_ssl_problem_solved/index.htm