Link to home
Start Free TrialLog in
Avatar of chtbi

asked on

Outlook Third Party Certificate is invalid or expired

I have a lot to learn about certificates and hope I can learn here. The issue is with Outlook only on external networks connecting to SBS2008. When users open Outlook they are prompted with a Security warning stating that certificate is invalid or has expired. More details show that it has expired. We do not have an issue with RWW and I can see the cert.

It seems we are using two GoDaddy standard SSL certs and the one that Outlook tries to use is the one that recently expired. Issue didn't pop it's head until it expired. The other one installed on server is working for RWW/OWA only.

Services for the current cert are: IMAP, POP, IIS, SMTP

How can I get Outlook to use the cert that is current and already installed or is that not the issue?

I probably don't have enough info posted here but will answer anything I can.

Thanks for your help.
Avatar of Olaf De Ceuster
Olaf De Ceuster
Flag of Australia image

Using the SSL wizard ( import an existing certificate and choose the active GoDaddy cert.
Hope that helps,
Avatar of chtbi


That can't be the solution or I just don't understand. Probably the latter.

The GoDaddy cert is already listed as being used and is evident when I visit RWW/OWA. The Get-ExchangeCertificate command in Exchange shell shows that this cert is active for services IMAP, POP, IIS, SMTP. This tells be that it is active but isn't working for Outlook as it's still seeing the expired cert.
Run the following commands from PowerShell (in bold) basically you're locating the cert currently used by it's thumbprint and replacing with the new cert.

Get-ExchangeCertificate -domain "domainname" | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
CertificateDomains : {computername, computername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=computername
NotAfter           : 2/16/2011 11:34:03 PM
NotBefore          : 2/16/2010 11:34:03 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 444FEF2E6F75B8864B86866DE2792FC2
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=computername
Thumbprint         : 2FB28F5075EFE9B30A8F8458DED0A19628D71F52

[PS] C:\Windows\System32>Get-ExchangeCertificate -thumbprint "2FB28F7055EFE9B30A
8F8458DED0A19628D71F52" | New-ExchangeCertificate

Overwrite existing default SMTP certificate,
'2FB28F5075EFE9B30A8F8458DED0A19628D71F52' (expires 2/16/2011 11:34:03 PM),
with certificate 'FB5AECA6B39816F02B3245BD1D95394A573E1F02' (expires 2/22/2012
8:29:16 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Thumbprint                                Services   Subject
----------                                --------   -------
FB5AECA6B39816F02B3245BD1D95394A573E1F02  .....      CN=computername

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F
02B3245BD1D95394A573E1F02" -services IIS
Avatar of chtbi


Thanks for reply works2011 but no resolve. It actually caused a small hiccup on RWW and Outlook http connection to Exchange but I ran the Add a trusted Cert wizard on SBS and now no issue with RWW or Outlook connection but I'm still getting the invalid or expired cert warning in Outlook.

Like I said before I want to use the GoDaddy cert RWW is using for Outlook http connection to Exchange.
you can use the Go Daddy cert you have to remove the cert that is old, or at least enable to Go Daddy cert. It's not Outlook getting the wrong cert it's exchange handing off the wrong cert.

are you sure the FQDN is correct on the new cert?
Avatar of chtbi


Would FQDN be or servername.domainname.local? I can go to which is RWW and see the GoDaddy cert. Services for this cert are IMAP, POP, IIS, and SMTP.

It's not a new cert it's the cert that's been used for RWW for about two years.

The one that Exchange was issuing to Outlook over http is the one that has expired.

When you say enable it, isn't it already enabled (RWW) or do you mean enable it also for use with Outlook?

Thanks for your help on this. I just can't seem to get it.

Oh and there are 6 certs when I run Get-ExchangeCertificate | fl command. Do I need to remove those that have expired? Could this be part of the problem?
enable it through power shell:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F
02B3245BD1D95394A573E1F02" -services IIS

First you find the thumbprint then enable it.

Use the exact name on the one that expired.
Avatar of chtbi

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of chtbi


Explained in solution