Monday, 14 September 2015

Exchange Certificate Woes - The name on the security certificate is invalid or does not match the name of the site

Recently, I had to replace an expiring Exchange 2010 SSL certificate; however, the issuer was unable to sign for a .local hostname (although previously this had been OK).

This meant that the new certificate only covered the external FQDN and not the internal ones:

(Screenshot: the old cert has the .local address listed.)
(Screenshot: the new cert doesn't have the .local!)

Once the new certificate had been installed, users began to see this error in Outlook:

"The name on the security certificate is invalid or does not match the name of the site"

The fix was to change the internal URLs that Exchange hands out for local lookups (Autodiscover, EWS and the OAB) so that they use the FQDN that is on the new certificate: instead of the bare servername they point at mailhost.domain.com. Here are the steps to take:

1. Ping mailhost.domain.com and confirm it resolves to the local IP of your Exchange server; if it doesn't, add the appropriate DNS entries to your local DNS server before proceeding.

2. Open the Exchange Management Shell and run the following commands:

# Autodiscover URI handed to domain-joined Outlook clients (the parameter is AutoDiscoverServiceInternalUri, not ...Url)
Set-ClientAccessServer -Identity servername -AutoDiscoverServiceInternalUri https://mailhost.domain.com/autodiscover/autodiscover.xml

# Exchange Web Services (free/busy, out-of-office, etc.)
Set-WebServicesVirtualDirectory -Identity "servername\EWS (Default Web Site)" -InternalUrl https://mailhost.domain.com/ews/exchange.asmx

# Offline Address Book download
Set-OABVirtualDirectory -Identity "servername\oab (Default Web Site)" -InternalUrl https://mailhost.domain.com/oab

3. Open IIS Manager on the Exchange Server.

4. Expand Local Computer and click Application Pools.

5. Right-click on MSExchangeAutodiscoverAppPool and choose Recycle.

Close and re-open your Outlook client and you should no longer have the errors.
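As an added check (my own script, not part of the original post), the following Exchange 2010 Management Shell snippet lists every internal and external URL the CAS server hands out and flags any whose hostname is not among the DNS names on the certificate bound to IIS; it goes a little beyond the three URLs above by also covering OWA, ECP and ActiveSync. It assumes the server name in $Server is replaced with your own.

```powershell
# Added example: report client-facing URLs whose hostname the IIS certificate does not cover.
# Run in the Exchange 2010 Management Shell. $Server is a placeholder for your CAS server.
$Server = "servername"

# DNS names (subject + SANs) on the certificate(s) enabled for the IIS service
$certNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

# Collect every URL Outlook and mobile clients may be given
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $Server) +
                @(Get-OABVirtualDirectory -Server $Server) +
                @(Get-OwaVirtualDirectory -Server $Server) +
                @(Get-EcpVirtualDirectory -Server $Server) +
                @(Get-ActiveSyncVirtualDirectory -Server $Server)) {
    $urls += $vd.InternalUrl
    $urls += $vd.ExternalUrl
}

# A hostname is covered by an exact SAN match, or by a wildcard SAN for one label only
function Test-NameCovered([string]$hostname, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $hostname) { return $true }
        if ($n.StartsWith("*.") -and ($hostname -like $n) -and
            ($hostname.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

foreach ($u in ($urls | Where-Object { $_ } | Select-Object -Unique)) {
    $h = ([System.Uri]$u).Host.ToLower()
    if (Test-NameCovered $h $certNames) {
        Write-Host "OK          $u"
    } else {
        Write-Warning "NOT ON CERT $u  (host '$h' is not a DNS name on the IIS certificate)"
    }
}
```

Any URL reported as NOT ON CERT is one that will produce the "name on the security certificate is invalid" prompt, so run it once before the Set-* commands to see what needs changing and again afterwards to confirm the list is clean.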