Problem with certificate renewal

  • Monday, April 6, 2009, 9:49 AM

    Hi,

    I have an OCS 2007 Std Ed. integrated with Exchange 2007 SP1. Until last week all worked fine, but the certificates used for TLS authentication between OCS and the UM Server have expired.

    I've installed my own Enterprise CA (W2003) and asked for a couple of new certificates. I installed them on OCS and the UM Server, then configured the new certificate in OCS and on the Exchange UM Server with Import-ExchangeCertificate and Enable-ExchangeCertificate, but...

    Now the TLS tunnel is not established; the Error ID is 14428 and the Category is (1001). The error description says:
    "TLS outgoing connection failures.

    Over the past 0 minutes Office Communications Server has experienced TLS
    outgoing connection failures 1 time(s). The error code of the last failure is
    0x80090322 (The target principal name is incorrect.) while trying to connect
    to the host "minerva.umdemo.local".
    Cause: Wrong principal error could happen if the peer presents a certificate
    whose subject name does not match the peer name. Certificate root not trusted
    error could happen if the peer certificate was issued by remote CA that is
    not trusted by the local machine.
    Resolution:
    For untrusted root errors, ensure that the remote CA certificate chain is
    installed locally. If you have already installed the remote CA certificate
    chain, then try rebooting the computer.


    and another error:


    A significant number of invalid certificates have been provided by remote IP address 192.168.30.13 when attempting to establish an MTLS peer. There have been 31 such failures in the last 61 minutes.

    Certificate Names associated with this peer were

    EXCNGE01-ENS.domain.local

    The serial number of this certificate is

    xxxxxxxxxxxxx.

    The issuer of this certificate is umdemoCA


    Any idea what's happening?

    Thanks in advance

All replies

  • Monday, April 6, 2009, 12:53 PM
    Moderator

    Alberto,

    Can you clarify whether or not the OCS FE server's FQDN does match that of the new certificate's SN field?  Also were the original certificates from the same internal Enterprise CA or were the original certs from a different CA?
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
  • Monday, April 6, 2009, 4:47 PM

    Hi Jeff,

    In both cases (OCS Server and Exchange UM Server) the CN field (you typed SN, is that correct?) matches the FQDN exactly, and I'm using the original CA to issue the new certificates to the servers.

    OCS is installed in the Integrated topology and Exchange is installed on 2 servers, one for CAS, Hub and Mailbox and another for the UM Server. Exchange 2007 is working OK, I can send and receive mail, and in OCS I can also use IM OK.

    Thanks in advance
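The check Jeff asks about (does the certificate's CN, or its SAN, match the FQDN the other side dials) together with the two failure classes the event 14428 text distinguishes, as an added example that is not part of this thread. It takes a certificate in the dict shape Python's ssl.getpeercert() returns; the sample certificates are constructed, and the issuer check is a simplified stand-in (comparing the issuer CN against CA names assumed to be installed locally) rather than full chain validation.

```python
# Names come from SAN dNSName entries when present; otherwise from the subject CN.
def _dns_names(cert):
    dns = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn
            if key == "commonName"]

def _issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _name_matches(pattern, host):
    # Case-insensitive exact match, or a wildcard in the leftmost label only that
    # covers exactly one label (*.domain.local matches a.domain.local, not a.b.domain.local).
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_peer(cert, peer_fqdn, trusted_ca_names):
    """Return (ok, reason). The two failure classes are the ones the event 14428
    text distinguishes: wrong principal name, then untrusted issuer. The issuer
    check here is a simplified stand-in for real chain validation (assumption)."""
    names = _dns_names(cert)
    if not any(_name_matches(n, peer_fqdn) for n in names):
        return False, "principal name mismatch: dialled %s, certificate names %s" % (peer_fqdn, names)
    issuer = _issuer_cn(cert)
    if issuer not in trusted_ca_names:
        return False, "untrusted issuer: %s" % issuer
    return True, "ok"

# Constructed samples (not the poster's certificates): one whose only name is the
# subject CN, and one with a wildcard SAN, both issued by the same CA.
CN_ONLY_CERT = {
    "subject": ((("commonName", "EXCNGE01-ENS.domain.local"),),),
    "issuer": ((("commonName", "umdemoCA"),),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "umdemo wildcard"),),),
    "subjectAltName": (("DNS", "*.umdemo.local"),),
    "issuer": ((("commonName", "umdemoCA"),),),
}
```

Calling check_peer(CN_ONLY_CERT, "minerva.umdemo.local", {"umdemoCA"}) reports the principal name mismatch, while the same certificate checked against its own CN passes and only fails when "umdemoCA" is left out of the trusted set.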