Showing posts with label SSL. Show all posts

Monday, 14 September 2015

Exchange Certificate Woes - The name on the security certificate is invalid or does not match the name of the site

Recently, I had to replace an expiring Exchange 2010 SSL certificate. However, the issuer was unable to sign for a .local hostname (although previously this had been OK).

This meant that the new certificate only covered the external FQDN and not the internal ones:

Note the old Cert has a .local address listed
New Cert doesn't have the .local!

Once the new certificate had been installed, users began to see this error in Outlook:

"The name on the security certificate is invalid or does not match the name of the site"

The fix was to change the Exchange server settings for local lookups to point to the FQDN (so instead of servername, it would point at mailhost.domain.com). Here are the steps to take:


1. Ping mailhost.domain.com and confirm it resolves to the local IP of your Exchange server. If it doesn't, you need to add the appropriate DNS entries to your local DNS server before proceeding.

2. Open the Exchange Management Shell and run the following commands:

Set-ClientAccessServer -Identity servername -AutodiscoverServiceInternalUrl https://mailhost.domain.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "servername\EWS (Default Web Site)" -InternalUrl https://mailhost.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "servername\oab (Default Web Site)" -InternalUrl https://mailhost.domain.com/oab

3. Open IIS Manager on the Exchange Server

4. Expand Local Computer and Click Application Pools

5. Right Click on MSExchangeAutodiscoverAppPool and choose Recycle

Close and re-open your Outlook client and you should no longer have the errors.
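To confirm the change took, the check below (an added example, not part of the original post) lists every internal URL the server hands out and tests its hostname against the names on the certificate bound to IIS. It assumes the same `servername` placeholder as the steps above and is meant for the Exchange Management Shell; the `Test-NameCovered` helper is hypothetical and written for this illustration.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
# "servername" is the placeholder used in the steps above.
$server = "servername"

# Newest certificate enabled for IIS; Outlook validates the URL host against its names.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match "IIS" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# Internal URLs published to domain-joined Outlook clients.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl }
$urls += Get-OabVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl }

# Hypothetical helper: exact match, or a wildcard covering one left-most label.
function Test-NameCovered([string]$hostName, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith("*.") -and
            $hostName.Substring($hostName.IndexOf(".") + 1) -eq $n.Substring(2)) {
            return $true
        }
    }
    return $false
}

# One row per URL; any row with OnCert = False will still raise the Outlook warning.
$urls | Where-Object { $_ } | ForEach-Object {
    $h = ([Uri]"$_").Host.ToLower()
    New-Object PSObject -Property @{
        Url    = "$_"
        Host   = $h
        OnCert = (Test-NameCovered $h $names)
    }
} | Format-Table Url, Host, OnCert -AutoSize

"Certificate {0} expires {1}; names: {2}" -f $cert.Thumbprint, $cert.NotAfter, ($names -join ", ")
```

A URL that still shows the short server name or a .local host in the `Host` column is one the new certificate cannot cover.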

Tuesday, 15 October 2013

Citrix Error 61 on Mac

Recently, one of our clients updated the SSL certificate for their Citrix remote access website. This proved to be quite an issue for users with Macs running the Citrix Receiver, which didn't want to play ball. When they tried to launch an application, it generated the error message "SSL Error 61: You have not chosen to trust "<authority>", the issuer of the server's security certificate. Error number 183".




Doing what all IT Professionals do best, I googled it. Unfortunately, the majority of the results referred to different scenarios, mostly under older versions of the Citrix client (The dreaded ICA!).

After a very long afternoon of back and forth with one of the affected users, I was able to get things working by taking these steps:

1. On a PC, browse to the problem Citrix website with Internet Explorer
2. Open Tools >> Internet Options >> Content >> Certificates >> Intermediate Certification Authorities
3. Find the name of the cert in the error message (Above) and click on it and click Export
4. Click Next >> Select DER encoded Binary X.509 (.CER) >> Next
5. Save as the same name as the original error message. (e.g. COMODO SSL CA) and Finish the wizard
6. Rename the saved file extension to crt and transfer this file to the Mac

7. On the Mac, open Applications/Citrix ICA Client and create a folder called keystore
8. Open the keystore folder and create a subfolder called cacerts
9. Copy the crt file you created into this folder
10. Open Keychain and click logon from the left pane
11. Choose File>>Import items
12. Browse to the crt file and import. Set all permissions to trusted for the certificate
13. Close the browser completely and re-open it, then browse to the problem page and open an application. It should now load successfully.
 

That's right, you use a PC to fix the Mac. Good Times...