RPC over HTTPS certificate error
I have built my own Windows Server 2003 with Exchange 2003 and IIS 6.0.
Now I have used selfssl to make my own certificate.
OWA works fine.
I have noticed that RPC over HTTPS won't work. Now I have discovered this website: https://www.testexchangeconnectivity.com/
ExRCA is testing RPC/HTTP connectivity.
This is the log file:
Any advice?
Solution 1:
You are having a problem because of the self-signed certificate. I would recommend purchasing a third-party SSL certificate from somewhere inexpensive, such as GoDaddy, and saving yourself many headaches.
If you want to continue to use self-signed certificates, you can; although you will have to import the self-signed certificate on every client machine / device as trusted ...
To import the certificate locally, this article seems to have the answer you are looking for:
http://www.msexchange.org/tutorials/Outlook_2003_Connect_Exchange_2003.html
Solution 2:
The problem is that you are using a self-signed SSL certificate. They will always fail SSL Validation tests unless you take specific steps. RPC over HTTPS is sensitive to this. In order to make it work, you will have to import that self-signed SSL certificate into your client machine and make it trusted.
Solution 3:
You have 2 options:
- Use a signed certificate (GoDaddy offers them for ~ $30/year)
- Install the certificate in the OS of each client
Outlook requires a valid certification path in order for RPC over HTTP to function properly. SSL certs are cheap nowadays. I'd recommend going down that path.
Solution 4:
Sounds like a little Public Key Infrastructure (PKI) information is needed here.
When you create a self-signed certificate, it just says "I am a valid cert, nobody trusts me."
When you get a certificate signed by, say, GoDaddy, the cert then says "I am a valid cert, GoDaddy trusts me". The signer here is called a Certificate Authority (CA).
Your browser has a list of certs that says "I trust these CAs to sign certificates", and one of those is GoDaddy. So, if I trust GoDaddy, and GoDaddy trusts you, then I trust you. However, as a web browser, I don't trust just anybody, just this list of CAs.
However, this list can be modified. If you set up your own CA (you trust it), and use that CA to sign a cert, then the cert says "I'm a valid cert, MyCA trusts me". Then you can add your CA to the web browser, so it says "I trust MyCA, MyCA vouches for this site, so everything is cool now."
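The trust chain from Solution 4, together with the "import it as trusted" fix from Solutions 1 to 3, as an added example that is not part of the original answers. It uses the openssl CLI rather than selfssl or the Windows certificate store, and the names MyCA and mail.example.test are constructed.

```shell
#!/bin/sh
# Added example; MyCA and mail.example.test are constructed names.
# Requires the openssl CLI. All files go into a temporary directory.

# build_pki DIR: create the three certificates discussed in the answers.
build_pki() {
    d=$1
    # Self-signed server cert (the selfssl case): issuer == subject.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.test" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.crt" 2>/dev/null &&
    # Private CA root, the "MyCA" of Solution 4.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=MyCA" \
        -keyout "$d/myca.key" -out "$d/myca.crt" 2>/dev/null &&
    # Server key and signing request, then a server cert issued by MyCA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -days 30 \
        -CA "$d/myca.crt" -CAkey "$d/myca.key" -CAcreateserial \
        -out "$d/server.crt" 2>/dev/null
}

# is_trusted CERT ANCHORS: exit 0 only if CERT chains to a certificate in
# ANCHORS, a PEM file standing in for the client's trusted-root list.
# (openssl may also consult the system store; these certs are not in it.)
is_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo: check each certificate against each possible client trust list.
demo() {
    dir=$(mktemp -d) || return 1
    build_pki "$dir" || return 1
    for pair in "selfsigned myca" "selfsigned selfsigned" \
                "server myca" "server selfsigned"; do
        set -- $pair
        if is_trusted "$dir/$1.crt" "$dir/$2.crt"; then r=trusted; else r=REJECTED; fi
        printf '%-10s against trust list {%s}: %s\n' "$1" "$2" "$r"
    done
    rm -rf "$dir"
}
demo
```

The self-signed certificate passes only when the client's trust list contains that exact certificate, while anything issued by MyCA passes on every client that has imported the single MyCA root.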