Certificate is invalid


We're running EBS2008, consisting of 2 Exchange Servers (one HUB server & one Edge server).
On the HUB Server we were receiving the message "an internal transport certificate will expire soon" in eventviewer. To get rid of certificate warnings (in OWA, eventviewer etc.) once and for all I decided to buy a commercial UCC certificate at DomainsForExchange.net.

I downloaded the certificate
Installed it using Import-ExchangeCertificate
Tried Enabling it but got an error about private key
Ran certutil -repairstore to fix the private key thing
Enabled the certificate with SMTP IIS POP & IMAP active

So far so good
Now Get-ExchangeCertificate | FL tells me the certificate is not valid and rootCA is unknown. See below for the exact status msg.

So basically, What in the wonderful world of quantum mechanics and exchange certificates is it now ?

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
CertificateDomains : {mail.mydomain.com, www.mail.mydomain.com, mai
                     l2.mydomain.com, autodiscover.mydomain.com, ma
                     ilserv.mydomain.com, mailserv.mydomain.local,
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=********, CN=Starfield Secure Certification A
                     uthority, OU=http://certificates.starfieldtech.com/reposit
                     ory, O="Starfield Technologies, Inc.", L=Scottsdale, S=Ari
                     zona, C=US
NotAfter           : 27/04/2013 15:22:05
NotBefore          : 27/04/2010 15:22:05
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 0466A70030F273
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=mail.mydomain.com, OU=Domain Control Validated, O
Thumbprint         : ************************************

Shreedhar Ette Commented:

Have you installed the intermediate certificates of the certificate provider on the server?

If not, install them to fix this issue.

Hope this helps,

vinden (Author) Commented:
I followed a procedure called "to install intermediate certificate bundles" that was supplied by the vendor (it involved importing the .cer file).
In certificates mmc I see the certificate listed under "intermediate certificate authorities".

So I think that's ok already.
Busbar (Solutions Architect) Commented:
Do you see a key in the certificate icon? This means that you have the private key of the certificate. You can also verify that by double-clicking on the certificate; you will find a line that says you have the private key of the certificate. I believe that you don't have the key.
Follow your provider's instructions to re-key the certificate and download the certificate with the private key.

vinden (Author) Commented:
It says "You have a private key that corresponds to this certificate". And the icon does show a key.

In certificates mmc I really don't see anything unusual. It's only when I use Get-Exchangecertificate that it says invalid & unknown.
vinden (Author) Commented:
The issue is now resolved.

Apparently I didn't install the intermediate certificate correctly. I was sent 2 files by the certificate vendor. A .cer file and a p7b file. I made the mistake of importing the cer file in intermediate certificates rather than the p7b file.
It is now corrected and solved.

Thanks shreedhar.

vinden (Author) Commented:
Turned out I did not correctly import the intermediate certificate authority.
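
The check and fix discussed in this thread, as an added example that is not part of the original posts: it builds the chain for the Exchange certificate to show why it reports Status Invalid / RootCAType Unknown, then loads the vendor's .p7b into the Intermediate Certification Authorities store. The script parameters $Thumbprint and $P7bPath and the function name Test-CertChain are assumptions chosen for illustration; supply your own values.

```powershell
# Added example, not from the thread. Run elevated on the server holding the certificate.
param(
    [string]$Thumbprint,   # thumbprint shown by Get-ExchangeCertificate (placeholder)
    [string]$P7bPath       # optional: vendor-supplied PKCS#7 bundle (placeholder)
)

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the result reflects chain building only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    Write-Host "Chain builds to a trusted root: $ok"
    foreach ($el in $chain.ChainElements) {
        Write-Host ("  element: " + $el.Certificate.Subject)
    }
    foreach ($st in $chain.ChainStatus) {
        # PartialChain means an issuer certificate could not be located.
        Write-Host ("  status:  " + $st.Status + " - " + $st.StatusInformation.Trim())
    }
    return $ok
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with that thumbprint in LocalMachine\My" }

if (-not (Test-CertChain $cert) -and $P7bPath) {
    # A .p7b is a PKCS#7 container; Import() loads every certificate inside it.
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($P7bPath)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    foreach ($c in $bundle) {
        # Self-signed roots belong in Trusted Root, so only intermediates are added here.
        if ($c.Subject -ne $c.Issuer) {
            $store.Add($c)
            Write-Host "Added intermediate: $($c.Subject)"
        }
    }
    $store.Close()
    Test-CertChain $cert | Out-Null   # re-check after the import
}
```

Once the chain builds, Get-ExchangeCertificate | FL should no longer report the certificate as Invalid with an Unknown root.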