Exchange 2003 Certificate Issue for Coexistence

Exchange Server 2003.

Yes, that Exchange Server product.

Corporations still have this messaging platform installed because it is as stable a platform for email as when it arrived over 10 years ago. However, now that support is over, you might be preparing to move to Exchange Server 2010 or 2013**. Perhaps you want to take advantage of Database Availability Groups (DAGs), Mobile Device Quarantine, etc. If you do, you need to be aware of some SSL certificate considerations for coexistence.

Name space
For coexistence with Exchange 2010, you should have at least three names on the certificate, a significant increase for most Exchange Server 2003 installations:

  • AutoDiscover –> For Exchange 2010 AutoDiscover services
  • Legacy –> Exchange 2003 namespace for coexistence
  • Mail –> Exchange 2010 namespace for coexistence

Certificate Encryption
SHA1 is supported by default.
SHA2+ is not supported even with Windows Server 2003 SP2+ installed on your Exchange server.

The Client’s Issue
While preparing for coexistence with Exchange 2003/2010, we created a new certificate with all three namespaces as mentioned above. The client's issue became apparent after we created a CSR on the Exchange 2010 server, requested a certificate using default encryption settings from a public CA, and installed the certificate on Exchange 2010 and 2003. On Exchange 2010, the Exchange certificate had installed correctly. On Exchange 2003, there were some errors. Here is a comparison of how the certificate appears on both servers:

[Screenshots: the certificate as displayed on Exchange 2010 (EX2010-SHA2-01, EX2010-SHA2-02) and on Exchange 2003 (W2k3-SHA2-01, W2k3-SHA2-02)]

Notice that on the Exchange 2003 server one error is “The integrity of this certificate cannot be guaranteed.” and the other is “This certificate has a nonvalid digital signature.” Tests of OWA and ActiveSync connections either fail or bring up a certificate problem in the browser.

The Fix
If you experience this issue, the fix is simple, but requires a server reboot. Install the hotfix found in KB968730. After the hotfix is installed and the server is rebooted, the certificate is valid and usable for your Exchange 2003 to 2010/2013** migration.
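
A pre-deployment check for the two requirements above (the three coexistence names and the signature hash), written here as an added example and not taken from the original post. The file path and host names are placeholders, and the function name is hypothetical; it assumes an English-language Windows for the SAN text format.

```powershell
# Added example. Placeholder path and host names; substitute your own.
$CertPath      = 'C:\certs\exchange-coexist.cer'
$RequiredNames = 'autodiscover.example.com', 'legacy.example.com', 'mail.example.com'

# RSA signature algorithm OIDs for SHA-256, SHA-384 and SHA-512.
$Sha2RsaOids = '1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13'

function Test-CoexistenceCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredNames
    )

    # Signature algorithm of the issued certificate, e.g. sha1RSA or sha256RSA.
    $sigOid = $Certificate.SignatureAlgorithm
    $isSha2 = $Sha2RsaOids -contains $sigOid.Value

    # Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt   = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        # Assumption: entries are formatted as "DNS Name=<host>", one per line.
        $dnsNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }

    # Exact-match comparison only; wildcard entries are not expanded.
    $missing = @($RequiredNames | Where-Object { $dnsNames -notcontains $_.ToLower() })

    New-Object PSObject -Property @{
        Subject            = $Certificate.Subject
        SignatureAlgorithm = $sigOid.FriendlyName
        DnsNames           = $dnsNames
        MissingNames       = $missing
        # Per the post: a SHA-2 signed certificate shows as invalid on Exchange 2003
        # until hotfix KB968730 is installed and the server is rebooted.
        NeedsHotfixOnExchange2003 = [bool]$isSha2
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Test-CoexistenceCertificate -Certificate $cert -RequiredNames $RequiredNames | Format-List
```

Run it against the .cer file returned by the CA before importing it on the Exchange 2003 server, so the hotfix and its reboot can be scheduled ahead of the cutover.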

** NOTES **
Exchange 2003 to 2013 is not a direct upgrade and requires an interim migration to Exchange 2010.

