Forum

Sertifika problemi
 
Bildirimler
Hepsini Temizle

Sertifika problemi

5 Yazılar
3 Üyeler
0 Reactions
1,863 Görüntüleme
(@muratpektas)
Gönderiler: 164
Reputable Member
Konu başlatıcı
 

herkese selamlar, 2003 server kurulu dc.xxx.local isminde bir yapı mevcut.  mail exchange 2007 olup 2003 enterprise üzerine kurulu. event larda devamlı bir hata alıyordum.

"Microsoft Exchange couldn't find a certificate that contains the domain name mail.xxxx.com in the personal store on the local computer. Therefore, it is unable to support...."  olay no 12014.

 bunu düzeltmek için

 exchange powershell de 

New-ExchangeCertificate -DomainName mailsrv,mailsrv.xxx.local,mail.xxx.com,xxx.com,mail -SubjectName "dc=xxx,dc=com, cn=mail.xxx.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\CertRequest.req"

komutu ile yeni bir certifika talebinde bulunup CA da .cer dosyasını oluşturup import komutu ile exchange e import ettim, enable-exchangecertificate ile smpt,pop,imap,iis servisleri ile birlikte aktif edip eskisini remove-exchangecertificate komutu ile kaldırdım.

bu seferde kullanıcıların outlook 2007 lerinde mailsrv.xxx.local ile sertifika sorunu var diye hata aldım. ve ayrıca yukarıda ki hata "Microsoft Exchange couldn't find a certificate that contains the
domain name mailsrv.xxxx.local in the personal store on the local computer.
Therefore, it is unable to support...."  şeklinde oldu. tekrar dan yeni certifika yükledim aşağıda ki gibi... kullanıcıların sorunları çözüldü ama en üstteki hata tekrar dan çıkmaya başladı..

New-ExchangeCertificate -DomainName
mailsrv,mailsrv.xxx.local,mail.xxx.com,xxx.com,mail -SubjectName
"dc=xxx,dc=local, cn=mailsrv.xxx.local" -PrivateKeyExportable:$True
-GenerateRequest:$True -Path "C:\CertRequest.req"

 
Gönderildi : 25/05/2009 17:58

(@bugrakeskin)
Gönderiler: 5088
Illustrious Member
 

Merhaba


öncelikle


Get-ExchangeCertificate | fl thumbprint, services, fqdn, subject


komutu ile mevcut sertifikalara bakın,


Get-ExchangeCertificate -thumbprint "eski thumb ile xxxx.......xxxxxx" | New-ExchangeCertificate


komutu ile yeni certificate oluşturun


Enable-ExchangeCertificate -thumbprint "yeni thumb xxxx.......xxxxxx " -services POP3,SMTP


komutu ile sertifikayı enable edin


Remove-ExchangeCertificate -thumbprint " eski thumb xxxx.......xxxxxx "


komutu ilede eski sertifikayı silin.


sonrasında transport servisini restart etmeyi unutmayın


bu şekilde çözülmezse altta ki linki inceleyin tekrrar oluşturmayı deneyin sertifikayı


http://technet.microsoft.com/en-us/library/bb510128.aspx

 
Gönderildi : 25/05/2009 18:25

(@muratpektas)
Gönderiler: 164
Reputable Member
Konu başlatıcı
 

 Get-ExchangeCertificate | fl thumbprint, services, fqdn, subject komutu ile aşağıdaki sonuç çıkıyor.

Thumbprint : 62...........................
Services   : IMAP, POP, IIS, SMTP
Subject    : CN=mailsrv.xxx.local, DC=local, DC=xxx

 exchange de tek sertifika var. transport servicesini restart edince mail.xxx.com ile mailsrv.xxx.local için aynı hatayı veriyor. cevabınızda eski ve yeni thumb belirtmişsiniz ama bende tek sertifika var.

ayrıca verdiğiniz link teki komutlar şöyle;

---------------------------------------------------------------------------------------------------------------

[PS] C:\Documents and Settings\mailsrv>Get-ReceiveConnector | FL name, fqdn, objectClass

Name          : Default MAILSRV
Fqdn           : mailsrv.xxx.local
ObjectClass : {top, msExchSmtpReceiveConnector}

Name         : Client MAILSRV
Fqdn          : mailsrv.xxx.local
ObjectClass : {top, msExchSmtpReceiveConnector}

Name          : receivemail
Fqdn           : mail.xxx.com
ObjectClass : {top, msExchSmtpReceiveConnector}

 -----------------------------------------------------------------------------------------------

[PS] C:\Documents and Settings\mailsrv>Get-SendConnector | FL name, fqdn, objectClass

Name             : outmail
Fqdn              : mail.xxx.com
ObjectClass    : {top, msExchConnector, mailGateway, msExchRoutingSMTPConnector}

------------------------------------------------------------------------------------------------------

 
Gönderildi : 25/05/2009 20:41

(@bugrakeskin)
Gönderiler: 5088
Illustrious Member
 

Tekrar Merhaba,

Sunucuların birinde CA ( Certificate Authority ) kurulu mu?

Eğer kurulu değilse kurun ve FQDN adresini ( yani full domain name ) doğru yazın bu hata  genelde FQDN yalnış ve eksik olmasından çıkıyor.

kurduktan sonra;

bütün sertifikaları silin

Exchange management shellde

New-ExchangeCertificate -DomainName exchangeserverismi,exchangeserverismi.domainname.com,mail.domainismi.com,domainismi.com,domainismi.com,mail -SubjectName "o=cozumpark, cn=mail.domainismi.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\certrequest.req"

yazın c sürücüsüne certrequest.req diye bir dosya oluşacak

sonra certsrv giriyoruz; http://certmakineismi/certsrv

advanced certificate request --> submit a certificate request by.... --> burada browse deyip certrequest.req dosyaısnı gösterin, certificate template altında webserver ı seçin --> submit..

download certificate ve download certificate chain ekranında sertifikayı c sürücüsü altına download edin.

sonra exchange management sheel de

Import-ExchangeCertificate -Path "C:\certnew.cer" –FriendlyName "Exchange Certificate" yazarak import edin

ardından alttaki komut ile sertifikayı enable yapın

Enable-ExchangeCertificate -thumbprint <6xxxxxxx...xxxx.......> -Services:"POP,SMTP,IMAP,IIS"

tek sertifika bu kalsın problemsin çalışıcaktır

unutmadan yeni sertifikayı client lara ( trusted root certification authorities store'una) yüklemeniz gerek. bunu policy ile de yapabilirsiniz.

 

 
Gönderildi : 26/05/2009 13:03

(@cozumpark)
Gönderiler: 16307
Illustrious Member Yönetici
 

merhabalar


Step 1: Obtain an SSL certificate


There are three ways to obtain a Secure Sockets Layer (SSL) certificate:


- Option 1: Use the self-signed SSL certificate that Exchange 2007 installs by default. Use of the self-signed certificate is not supported by Outlook Anywhere or the offline address book.


- Option 2: Purchase an SSL certificate from a well-known certification authority (CA).


- Option 3: Obtain an SSL certificate from a Windows PKI certification authority.


If you choose Option 1, skip steps 2 and 3 and go straight to step 4.


If you choose Option 2 or Option 3, go straight to step 2.


Note: For all three options, Exchange ActiveSync will require the device to have a copy of the SSL certificate installed in the Trusted Root Certificate Store.


Step 2: Generate and submit the certificate request


Create a new certificate request for Secure Sockets Layer (SSL) services.


1. Open the Exchange Management Shell.


2. Run the following command, replacing domainname and friendlyname with your domain name and display name: New-ExchangeCertificate -GenerateRequest -domainname mail.mumincicek.com,autodiscover.mumincicek.com,dc2008,dc2008.mumincicek.com  -FriendlyName mail.mumincicek.com -privatekeyexportable:$true -path c:\sertifika\certser.txt


Note: "DomainName" is used to populate one or more domain names (FQDNs) or server names in the resulting certificate request.


Note: "FriendlyName" is used to specify a display name for the resulting certificate. The display name must be fewer than 64 characters.


3. Submit the request to the certification authority and have the CA generate the certificate.


Step 3: Enable the certificate on the Default Web site


After your certificate has been generated, you must import it and then enable the certificate on the Default Web site.


From the computer where step 2 was run, import the certificate. To import the certificate, do the following:


1. Open the Exchange Management Shell.


2. Run the following command. Import-ExchangeCertificate -path c:\sertifika\certt.cer


Note: "c:\sertifika\certt.cer" is the location and name of your certificate.


Copy the thumbprint of the certificate, which is the digest of the certificate data, to the clipboard by doing the following:


1. Open the Exchange Management Shell.


2. Run the following command: dir cert:\LocalMachine\My | fl


3. Locate the certificate that you just imported by finding the one that matches FriendlyName from step 2. Then copy the Thumbprint property of that certificate to the Windows Clipboard.


Enable the certificate on the Default Web site by doing the following:


1. Open the Exchange Management Shell.


2. Run the following command: enable-ExchangeCertificate -thumbprint <value copied to the Clipboard> -services "IIS,IMAP,POP"


3. Using the "enable-ExchangeCertificate" cmdlet will update the certificate mapping, replacing the self-signed certificate that is installed by default with Exchange 2007 and configured in IIS, IMAP4, POP3.


Step 4: Require the Client Access server virtual directories to use SSL


By default, the Default Web site in IIS is configured to require SSL for all virtual directories except the offline address book virtual directory. However, you can configure additional virtual directories for each Client Access feature. You must confirm that each virtual directory is configured to require SSL. The Client Access virtual directories are as follows:


- Outlook Web Access 2007 virtual directory:  owa


- Outlook Web Access 2003 and WebDAV virtual directories: exchange and public


- Exchange ActiveSync virtual directory: Microsoft-Server-ActiveSync


- Outlook Anywhere virtual directory: Rpc


- Autodiscover virtual directory: Autodiscover


- Exchange Web Services virtual directory: EWS


- Unified Messaging virtual directory: Unified Messaging


- Offline Address Book virtual directory: OAB


For each of the Client Access virtual directories that you will use, open Internet Information Services (IIS) Manager, and follow these steps:


1. Under Default Web site, select the virtual directory that you want, for example, "owa".


2. Right-click the virtual directory, and then click "Properties".


3. Click the "Directory Security" tab.


4. In the "Secure Communications" section, click "Edit".


5. In the "Secure Communications" dialog box, make sure that both the "Require secure channel (SSL)" check box and the "Require 128-bit encryption" check box are selected.


6. Click "OK" to save your changes.


7. Restart the POP3 and IMAP4 services by opening the Services Windows administrative tool, selecting "Microsoft Exchange POP3" or "Microsoft Exchange IMAP4", right-clicking the name of the service, and then clicking "Restart". IIS does not have to be restarted.


kolay gelsin

 
Gönderildi : 26/05/2009 21:27

Paylaş: