tashatuvango - Fotolia
How do I avoid Exchange security certificate issues?
Exchange SSL certificates keep communications secure, so it's important avoid the bargain bin when shopping for them.
You might think a free or inexpensive Exchange security certificate is a good idea. It's not.
Inexpensive or free Secure Sockets Layer (SSL) certificates might save on the bottom line, but they will cost you in other areas. If that certificate you got a deal on isn't working properly, then don't expect top tier support to correct it. Also, the point of an SSL certificate is security, which will be lacking without an investment with one of the more reputable dealers, such as RapidSSL and DigiCert. Hackers and malware will find a way around that low-cost SSL certificate or manipulate it to gain access to your servers.
You can check your SSL certificate status and rating on many websites. I use Qualys SSL Labs. It tells you about your cipher suites -- the group of algorithms that handle authentication and encryption -- and rates the certificate.
Stay on top of the SSL certificate expiration dates, and don't let them lapse. If you don't renew them, your users will get pop-ups when they open Outlook and when they log in to Outlook on the web. Some browsers might not let you access the website. Exchange will prompt you well in advance as a certificate's expiration date nears. A certificate check on SSL Labs or a similar site should also reveal that date.
Another thing to look out for is your SSL certificate chain. If you lock down your Exchange Server so it does not have access to the internet except for mail or user access, then you will also get an invalid certificate error message in Exchange. The same goes for your load balancer because it handles all traffic from the internet and is essentially your firewall. The SSL certificate needs to be kept up to date here to avoid a break in the chain.
It helps to stay on top of any news related to certificate changes to see if they affect your organization. In 2018, an issue with SSL certificates from Symantec resulted in Google requiring certificate holders to reissue their SSL certificates.
Dig Deeper on Windows Server OS and management
Related Q&A from Edward van Biljon
How do I avoid Exchange disk space issues?
Exchange Server log files tend to chew up a lot of space, particularly on the later versions. Here's how to keep the mail flowing when a hard drive ... Continue Reading
Why should I use Exchange Server maintenance mode?
When applying security updates or cumulative updates to Exchange Server, it's important to take your time and use maintenance mode to avoid ... Continue Reading
How should you handle Exchange Server updates?
Microsoft changed its release model after Exchange 2010, which has caused some confusion for administrators who work on newer versions of the ... Continue Reading