• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 742
  • Last Modified:

Outlook Third Party Certificate is invalid or expired

Hello,
I have a lot to learn about certificates and hope I can learn here. The issue is with Outlook only on external networks connecting to SBS2008. When users open Outlook they are prompted with a Security warning stating that certificate is invalid or has expired. More details show that it has expired. We do not have an issue with RWW and I can see the cert.

It seems we are using two GoDaddy standard SSL certs and the one that Outlook tries to use is the one that recently expired. Issue didn't pop it's head until it expired. The other one installed on server is working for RWW/OWA only.

Services for the current cert are: IMAP, POP, IIS, SMTP

How can I get Outlook to use the cert that is current and already installed or is that not the issue?

I probably don't have enough info posted here but will answer anything I can.

Thanks for your help.
0
chtbi
Asked:
chtbi
  • 5
  • 3
1 Solution
 
Olaf De CeusterCommented:
Using the SSL wizard (http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx) import an existing certificate and choose the active GoDaddy cert.
Hope that helps,
Olaf
0
 
chtbiAuthor Commented:
That can't be the solution or I just don't understand. Probably the latter.

The GoDaddy cert is already listed as being used and is evident when I visit RWW/OWA. The Get-ExchangeCertificate command in Exchange shell shows that this cert is active for services IMAP, POP, IIS, SMTP. This tells be that it is active but isn't working for Outlook as it's still seeing the expired cert.
0
 
WORKS2011Austin Tech CompanyCommented:
Run the following commands from PowerShell (in bold) basically you're locating the cert currently used by it's thumbprint and replacing with the new cert.

Get-ExchangeCertificate -domain "domainname" | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {computername, computername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=computername
NotAfter           : 2/16/2011 11:34:03 PM
NotBefore          : 2/16/2010 11:34:03 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 444FEF2E6F75B8864B86866DE2792FC2
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=computername
Thumbprint         : 2FB28F5075EFE9B30A8F8458DED0A19628D71F52



[PS] C:\Windows\System32>Get-ExchangeCertificate -thumbprint "2FB28F7055EFE9B30A
8F8458DED0A19628D71F52" | New-ExchangeCertificate

Confirm
Overwrite existing default SMTP certificate,
'2FB28F5075EFE9B30A8F8458DED0A19628D71F52' (expires 2/16/2011 11:34:03 PM),
with certificate 'FB5AECA6B39816F02B3245BD1D95394A573E1F02' (expires 2/22/2012
8:29:16 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Thumbprint                                Services   Subject
----------                                --------   -------
FB5AECA6B39816F02B3245BD1D95394A573E1F02  .....      CN=computername


[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F
02B3245BD1D95394A573E1F02" -services IIS
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
chtbiAuthor Commented:
Thanks for reply works2011 but no resolve. It actually caused a small hiccup on RWW and Outlook http connection to Exchange but I ran the Add a trusted Cert wizard on SBS and now no issue with RWW or Outlook connection but I'm still getting the invalid or expired cert warning in Outlook.

Like I said before I want to use the GoDaddy cert RWW is using for Outlook http connection to Exchange.
0
 
WORKS2011Austin Tech CompanyCommented:
you can use the Go Daddy cert you have to remove the cert that is old, or at least enable to Go Daddy cert. It's not Outlook getting the wrong cert it's exchange handing off the wrong cert.

are you sure the FQDN is correct on the new cert?
0
 
chtbiAuthor Commented:
Would FQDN be remote.domainname.com or servername.domainname.local? I can go to remote.domainname.com which is RWW and see the GoDaddy cert. Services for this cert are IMAP, POP, IIS, and SMTP.

It's not a new cert it's the cert that's been used for RWW for about two years.

The one that Exchange was issuing to Outlook over http is the one that has expired.

When you say enable it, isn't it already enabled (RWW) or do you mean enable it also for use with Outlook?

Thanks for your help on this. I just can't seem to get it.

Oh and there are 6 certs when I run Get-ExchangeCertificate | fl command. Do I need to remove those that have expired? Could this be part of the problem?
0
 
WORKS2011Austin Tech CompanyCommented:
enable it through power shell:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F
02B3245BD1D95394A573E1F02" -services IIS

First you find the thumbprint then enable it.

Use the exact name on the one that expired.
0
 
chtbiAuthor Commented:
Turns out that the website cert for domainname.com had expired. Evidently Outlook looks there and doesn't rely on cert that the SBS box has and uses for RWW.
0
 
chtbiAuthor Commented:
Explained in solution
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now