Solved

Outlook Third Party Certificate is invalid or expired

Posted on 2014-01-14
Last Modified: 2014-02-12
Hello,
I have a lot to learn about certificates and hope I can learn here. The issue is with Outlook only on external networks connecting to SBS2008. When users open Outlook they are prompted with a Security warning stating that certificate is invalid or has expired. More details show that it has expired. We do not have an issue with RWW and I can see the cert.

It seems we are using two GoDaddy standard SSL certs and the one that Outlook tries to use is the one that recently expired. Issue didn't pop its head until it expired. The other one installed on server is working for RWW/OWA only.

Services for the current cert are: IMAP, POP, IIS, SMTP

How can I get Outlook to use the cert that is current and already installed or is that not the issue?

I probably don't have enough info posted here but will answer anything I can.

Thanks for your help.
Question by:chtbi
9 Comments
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39781014
Using the SSL wizard (http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx) import an existing certificate and choose the active GoDaddy cert.
Hope that helps,
Olaf
0
 

Author Comment

by:chtbi
ID: 39781062
That can't be the solution or I just don't understand. Probably the latter.

The GoDaddy cert is already listed as being used and is evident when I visit RWW/OWA. The Get-ExchangeCertificate command in Exchange shell shows that this cert is active for services IMAP, POP, IIS, SMTP. This tells me that it is active but isn't working for Outlook as it's still seeing the expired cert.
0
 
LVL 17

Expert Comment

by:WORKS2011
ID: 39782137
Run the following commands from PowerShell (in bold). Basically, you're locating the cert currently used by its thumbprint and replacing it with the new cert.

Get-ExchangeCertificate -DomainName "domainname" | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {computername, computername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=computername
NotAfter           : 2/16/2011 11:34:03 PM
NotBefore          : 2/16/2010 11:34:03 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 444FEF2E6F75B8864B86866DE2792FC2
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=computername
Thumbprint         : 2FB28F5075EFE9B30A8F8458DED0A19628D71F52



[PS] C:\Windows\System32>Get-ExchangeCertificate -thumbprint "2FB28F5075EFE9B30A8F8458DED0A19628D71F52" | New-ExchangeCertificate

Confirm
Overwrite existing default SMTP certificate,
'2FB28F5075EFE9B30A8F8458DED0A19628D71F52' (expires 2/16/2011 11:34:03 PM),
with certificate 'FB5AECA6B39816F02B3245BD1D95394A573E1F02' (expires 2/22/2012
8:29:16 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Thumbprint                                Services   Subject
----------                                --------   -------
FB5AECA6B39816F02B3245BD1D95394A573E1F02  .....      CN=computername


[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F02B3245BD1D95394A573E1F02" -services IIS
0

 

Author Comment

by:chtbi
ID: 39783671
Thanks for reply works2011 but no resolve. It actually caused a small hiccup on RWW and Outlook http connection to Exchange but I ran the Add a trusted Cert wizard on SBS and now no issue with RWW or Outlook connection but I'm still getting the invalid or expired cert warning in Outlook.

Like I said before I want to use the GoDaddy cert RWW is using for Outlook http connection to Exchange.
0
 
LVL 17

Expert Comment

by:WORKS2011
ID: 39784091
You can use the Go Daddy cert; you have to remove the cert that is old, or at least enable the Go Daddy cert. It's not Outlook getting the wrong cert, it's Exchange handing off the wrong cert.

Are you sure the FQDN is correct on the new cert?
0
 

Author Comment

by:chtbi
ID: 39784374
Would FQDN be remote.domainname.com or servername.domainname.local? I can go to remote.domainname.com which is RWW and see the GoDaddy cert. Services for this cert are IMAP, POP, IIS, and SMTP.

It's not a new cert it's the cert that's been used for RWW for about two years.

The one that Exchange was issuing to Outlook over http is the one that has expired.

When you say enable it, isn't it already enabled (RWW) or do you mean enable it also for use with Outlook?

Thanks for your help on this. I just can't seem to get it.

Oh and there are 6 certs when I run Get-ExchangeCertificate | fl command. Do I need to remove those that have expired? Could this be part of the problem?
0
 
LVL 17

Expert Comment

by:WORKS2011
ID: 39784463
Enable it through PowerShell:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F02B3245BD1D95394A573E1F02" -services IIS

First you find the thumbprint then enable it.

Use the exact name on the one that expired.
0
 

Accepted Solution

by:
chtbi earned 0 total points
ID: 39841596
Turns out that the website cert for domainname.com had expired. Evidently Outlook looks there and doesn't rely on the cert that the SBS box has and uses for RWW.
0
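
Added example, not part of the original thread: a PowerShell check of the certificate each HTTPS host Outlook may contact actually presents, which separates an expired public website cert from the certs bound in Exchange. It assumes Outlook's Autodiscover lookup, which tries the bare mail domain and then autodiscover.<domain>; the function name Get-EndpointCertificate and the host list are illustrative, and domainname.com is the thread's placeholder.

```powershell
# Added example (not from the thread): read the certificate presented on 443
# by each host and report whether it has expired.
function Get-EndpointCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $result = New-Object PSObject -Property @{
        Host = $HostName; Status = 'Unknown'; NotAfter = $null
        DaysLeft = $null; Subject = $null; Thumbprint = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept every certificate on purpose: the goal is to read an expired
        # or mismatched one, not to abort the handshake because of it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject    = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint
        $result.NotAfter   = $cert.NotAfter
        $result.DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $result.Status     = if ($cert.NotAfter -lt (Get-Date)) { 'Expired' } else { 'Valid' }
        $ssl.Close()
    } catch {
        # DNS failure, closed port or failed handshake: report it, keep going.
        $result.Status = "Error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    $result
}

# Placeholder domain from the thread; replace with your own SMTP domain.
$domain = 'domainname.com'
$domain, "autodiscover.$domain", "remote.$domain" |
    ForEach-Object { Get-EndpointCertificate -HostName $_ } |
    Format-Table Host, Status, NotAfter, DaysLeft, Thumbprint -AutoSize
```

A thumbprint that does not appear in the Get-ExchangeCertificate output is being served by a different machine, such as the public web host in the accepted solution.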
 

Author Closing Comment

by:chtbi
ID: 39852783
Explained in solution
0
