Certificate warning when using a self-signed Exchange certficate and Outlook 2010
As some of us are aware and as stated in the Exchange 2007 Autodisover Service whitepaper (more specifically the “Autodiscover and Certificates” section) for a certificate to be considered valid, it must have the following criteria for the Autodiscover service:
- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.
However for domain-joined Outlook 2007 clients were designed to ignore the first validity check. This meant that we wouldn’t get any certificate errors in Outlook 2007 even though a self-signed certificate (created by Exchange 2007 setup) was used.
With Outlook 2010 this is no longer the case. You see with Outlook 2010 the Outlook team decided that the default behavior should be that Outlook always warn the end user if a self-signed certificate is used.
What does this mean to you? Probably not much since it’s always recommended to use certificates issued by your internal PKI or a public certificate authority. Anyway this is good to know in case you end up in a situation where you see Outlook 2007 and Outlook 2010 behavior is different when it comes to deployments where Exchange 2007 or 2010 uses self-signed certificates.
MCM: Exchange 2007 | MVP: Exchange Architecture