mark319

Why am I getting a security certificate has expired or is not yet valid error when opening Outlook 07 in an Exchange 07 network?

We have an Exchange 2007 server with clients connecting with Outlook 2007. Last week, out of the blue, every user is getting a security alert asking if they still want to proceed when opening Outlook. The error is that the security certificate is expired or is not yet valid. This setup has been running for about 1 year exactly with no issues. Does a certificate expire after a year? The users can click Yes and continue working, but this error box has got to go.
bmasincup

The Exchange 2007 certificate is meant to be temporary until you can purchase one from an Internet cert provider, as per
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

However, you can create a new self-signed cert by following this article.
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx
mark319

ASKER

Is there a way for me to just extend the existing certificate that has been running for a year?

Where are these certificates at?

Check the second link. The first example is a cmdlet to create a new self-signed cert, which is what you want to do.

I have had the same problem and found that updating my IIS certificate on the Exchange 2007 server solved the problem.

Hello, this might help if you have a self-signed certificate, which I believe Exchange 2007 creates on the first install. You just have to renew your certificate. You can get your current certificate thumbprint from the certificates MMC console.

Command to get certificate services and info. Thumbprint should be in  .

U:\>Get-ExchangeCertificate -Thumbprint "e1 44 7c 52 69 f3 f4 72 7e a9 26 ed e6 7f 10 e4 a4 e5 2f ed"

Output:
Thumbprint                                Services  Subject
----------                                --------  -------
E1447C5269F3F4727EA926EDE67F10E4A4E52FED  SIPUW     CN=polarbear

You should note which services are enabled on the current certificate. I believe S=SMTP, I=IMAP, P=POP, U=Unified Messaging, W=IIS. Don't quote me on the exact services, but those should be pretty close.

Command to clone and renew the certificate:

U:\>Get-ExchangeCertificate "e1 44 7c 52 69 f3 f4 72 7e a9 26 ed e6 7f 10 e4 a4 e5 2f ed" | New-ExchangeCertificate

Output:
Thumbprint                                Services  Subject
----------                                --------  -------
20C15A1BDAD79FC57848EE78AE7A88368912D468  .....     CN=polarbear

Notice there seem to be no services assigned to the cert in the above output.

Rerun the command to get certificate services and info:

U:\>Get-ExchangeCertificate -Thumbprint "20 c1 5a 1b da d7 9f c5 78 48 ee 78 ae 7a 88 36 89 12 d4 68"

Output:
Thumbprint                                Services  Subject
----------                                --------  -------
20C15A1BDAD79FC57848EE78AE7A88368912D468  SIPU.     CN=polarbear

As you can see, all default services were loaded with the exception of IIS.

Now enable the certificate with the command below. You can specify which services to include in the certificate; in this case I have all the certificates enabled on the new certificate.

U:\>Enable-ExchangeCertificate -Thumbprint "20 c1 5a 1b da d7 9f c5 78 48 ee 78 ae 7a 88 36 89 12 d4 68" -Services "IMAP, POP, UM, IIS, SMTP"

Run the command again to get certificate services and info and verify it's correct:

U:\>Get-ExchangeCertificate -Thumbprint "20 c1 5a 1b da d7 9f c5 78 48 ee 78 ae 7a 88 36 89 12 d4 68"

Output:
Thumbprint                                Services  Subject
----------                                --------  -------
20C15A1BDAD79FC57848EE78AE7A88368912D468  SIPUW     CN=polarbear
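
The renewal steps in the post above, gathered into one script with an expiry report in front, as an added example that is not part of the original thread. It assumes the Exchange Management Shell on the Exchange 2007 server; the function name `Renew-SelfSignedExchangeCert` and the 30-day `$WarnDays` window are hypothetical choices made for this example.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 server.
# Renew-SelfSignedExchangeCert and $WarnDays are hypothetical names, not from the thread.
$WarnDays = 30   # assumed warning window

# Report the validity window of every Exchange certificate, soonest expiry first.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, NotBefore, NotAfter -AutoSize

# Flag anything already expired or expiring inside the warning window.
$limit = (Get-Date).AddDays($WarnDays)
Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt $limit } | ForEach-Object {
    Write-Warning ("{0} ({1}) expires {2:yyyy-MM-dd}" -f $_.Thumbprint, $_.Subject, $_.NotAfter)
}

function Renew-SelfSignedExchangeCert {
    param([string]$Thumbprint = $(throw "Pass the thumbprint of the expiring certificate"))

    # Accept the spaced form copied from the certificates MMC console.
    $tp  = $Thumbprint -replace '\s', ''
    $old = Get-ExchangeCertificate -Thumbprint $tp
    if (-not $old.IsSelfSigned) {
        throw "Certificate $tp is not self-signed; renew it with the issuing CA instead."
    }

    # Record the services first: the clone comes back without all of them.
    $wanted = $old.Services

    # Clone subject and domains into a new self-signed certificate.
    $new = $old | New-ExchangeCertificate

    # Bind the new certificate to exactly the services the old one carried.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $wanted

    # Re-read from the store and confirm before telling users the alert is gone.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ($check.Services -ne $wanted) {
        Write-Warning "Services are '$($check.Services)', expected '$wanted'"
    }
    $check | Format-List Thumbprint, Services, Subject, NotBefore, NotAfter
}

# Usage, with a placeholder thumbprint:
# Renew-SelfSignedExchangeCert -Thumbprint '<thumbprint of the expiring certificate>'
```

Running the report on a schedule surfaces the expiry before Outlook clients start showing the security alert.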


ASKER CERTIFIED SOLUTION
mruxsaksriskul

OK, so my certificate issue is fixed, but that opened a whole new can of worms with Outlook 2007 and free/busy data!!! After days and days of looking for info I am no closer to a solution.
And the articles on the web... some of them are good, others are really bad!!!

I have tried just about every single one out there and checked and double-checked, but I am still stuffed!!!!

I can see why some guys are really upset with MS!!!!!!!!!!!!!!

Hey Vnoome,

I'm not sure what your particular setup is like, but my original posting was geared towards mark319 and to those who had an expired self-signed certificate from Exchange 2007. I found another Experts Exchange link that might help:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22840374.html
You might be better off opening a new problem for this other issue with your specific environment details. I hope you have success.

http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

Great link, shows exactly how to renew your Exchange 2007 cert in easy steps.

mruxsaksriskul, thanks for the info....
I managed to get my Exchange problem resolved.....
Outlook/Exchange/OCS all happy now...

Certificates play a huge part in the entire integration!!!

Just seeing fun and games ahead with Vista on Certificate Services on Windows 2003......