

Outlook Third Party Certificate is invalid or expired

Posted on 2014-01-14
Medium Priority
Last Modified: 2014-02-12
I have a lot to learn about certificates and hope I can learn here. The issue is with Outlook only on external networks connecting to SBS2008. When users open Outlook they are prompted with a security warning stating that the certificate is invalid or has expired. More details show that it has expired. We do not have an issue with RWW and I can see the cert.

It seems we are using two GoDaddy standard SSL certs, and the one that Outlook tries to use is the one that recently expired. The issue didn't pop its head up until it expired. The other one installed on the server is working for RWW/OWA only.

Services for the current cert are: IMAP, POP, IIS, SMTP

How can I get Outlook to use the cert that is current and already installed or is that not the issue?

I probably don't have enough info posted here but will answer anything I can.

Thanks for your help.
Question by:chtbi
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39781014
Using the SSL wizard (http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx) import an existing certificate and choose the active GoDaddy cert.
Hope that helps,

Author Comment

ID: 39781062
That can't be the solution or I just don't understand. Probably the latter.

The GoDaddy cert is already listed as being used and is evident when I visit RWW/OWA. The Get-ExchangeCertificate command in the Exchange shell shows that this cert is active for the services IMAP, POP, IIS, SMTP. This tells me that it is active but isn't working for Outlook, as it's still seeing the expired cert.
LVL 17

Expert Comment

ID: 39782137
Run the following commands from PowerShell; basically you're locating the cert currently in use by its thumbprint and replacing it with the new cert.

Get-ExchangeCertificate -domain "domainname" | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
CertificateDomains : {computername, computername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=computername
NotAfter           : 2/16/2011 11:34:03 PM
NotBefore          : 2/16/2010 11:34:03 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 444FEF2E6F75B8864B86866DE2792FC2
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=computername
Thumbprint         : 2FB28F5075EFE9B30A8F8458DED0A19628D71F52

[PS] C:\Windows\System32>Get-ExchangeCertificate -thumbprint "2FB28F5075EFE9B30A8F8458DED0A19628D71F52" | New-ExchangeCertificate

Overwrite existing default SMTP certificate,
'2FB28F5075EFE9B30A8F8458DED0A19628D71F52' (expires 2/16/2011 11:34:03 PM),
with certificate 'FB5AECA6B39816F02B3245BD1D95394A573E1F02' (expires 2/22/2012
8:29:16 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Thumbprint                                Services   Subject
----------                                --------   -------
FB5AECA6B39816F02B3245BD1D95394A573E1F02  .....      CN=computername

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F02B3245BD1D95394A573E1F02" -services IIS

Author Comment

ID: 39783671
Thanks for the reply works2011, but no resolution. It actually caused a small hiccup on RWW and the Outlook HTTP connection to Exchange, but I ran the Add a Trusted Certificate wizard on SBS and now there is no issue with RWW or the Outlook connection. However, I'm still getting the invalid or expired cert warning in Outlook.

Like I said before I want to use the GoDaddy cert RWW is using for Outlook http connection to Exchange.
LVL 17

Expert Comment

ID: 39784091
You can use the GoDaddy cert; you have to remove the cert that is old, or at least enable the GoDaddy cert. It's not Outlook getting the wrong cert, it's Exchange handing off the wrong cert.

are you sure the FQDN is correct on the new cert?

Author Comment

ID: 39784374
Would FQDN be remote.domainname.com or servername.domainname.local? I can go to remote.domainname.com which is RWW and see the GoDaddy cert. Services for this cert are IMAP, POP, IIS, and SMTP.

It's not a new cert it's the cert that's been used for RWW for about two years.

The one that Exchange was issuing to Outlook over http is the one that has expired.

When you say enable it, isn't it already enabled (RWW) or do you mean enable it also for use with Outlook?

Thanks for your help on this. I just can't seem to get it.

Oh and there are 6 certs when I run Get-ExchangeCertificate | fl command. Do I need to remove those that have expired? Could this be part of the problem?
LVL 17

Expert Comment

ID: 39784463
Enable it through PowerShell:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F02B3245BD1D95394A573E1F02" -services IIS

First you find the thumbprint then enable it.

Use the exact name on the one that expired.
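The thumbprint-based procedure works2011 describes in his two comments above (find the certificate Exchange is handing out, then enable the valid one for the same services), written out as one script. This is an added example, not code from the thread or from Microsoft; it assumes it is run in the Exchange Management Shell on the SBS 2008 box, and 'remote.domainname.com' is a placeholder for the public name on the GoDaddy cert. Removal of expired certificates is off by default because the SBS self-signed certificate is still used for internal names.

```powershell
# Added example: audit the certificates Exchange knows about and move the
# IIS/SMTP/POP/IMAP bindings from an expired certificate to the valid one.
# Assumptions: Exchange Management Shell on SBS 2008 (Exchange 2007);
# $publicName is a placeholder for the real name on the GoDaddy certificate.

$publicName    = 'remote.domainname.com'   # placeholder, replace with your RWW/OWA name
$removeExpired = $false                    # set to $true only after step 4 is verified

# 1. Every certificate with its expiry, status and bound services, oldest first.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, NotAfter, Status, IsSelfSigned, Services, CertificateDomains -AutoSize

# 2. Expired certificates that are still bound to a service: these are the ones
#    Exchange can still be presenting to clients.
$expiredInUse = @(Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date) -and "$($_.Services)" -ne 'None' })
$expiredInUse | Format-List Thumbprint, Subject, NotAfter, Services

# 3. The valid, CA-issued certificate that carries the public name and has a private key.
$current = Get-ExchangeCertificate |
    Where-Object {
        $_.HasPrivateKey -and
        -not $_.IsSelfSigned -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $publicName)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $current) { throw "No valid certificate for $publicName found in the Exchange store." }

# 4. Bind it to the services the expired one was serving. The -Services list is
#    the same set shown in the Services column of Get-ExchangeCertificate.
Enable-ExchangeCertificate -Thumbprint $current.Thumbprint -Services IIS,SMTP,POP,IMAP
Get-ExchangeCertificate -Thumbprint $current.Thumbprint | Format-List Thumbprint, NotAfter, Services

# 5. Optionally remove the expired certificates so nothing can fall back to them.
if ($removeExpired) {
    foreach ($c in $expiredInUse) {
        if ($c.Thumbprint -ne $current.Thumbprint) {
            Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
        }
    }
}
```

After step 4, restart IIS (iisreset) so the new binding is picked up, then re-run Get-ExchangeCertificate to confirm the expired thumbprint no longer shows any services.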

Accepted Solution

chtbi earned 0 total points
ID: 39841596
Turns out that the website cert for domainname.com had expired. Evidently Outlook looks there and doesn't rely on the cert that the SBS box has and uses for RWW.
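The accepted solution points at the root of the problem: the certificate Outlook complains about is not necessarily the one bound in Exchange, because Outlook's Autodiscover lookup for a user at domainname.com tries https://domainname.com/autodiscover/autodiscover.xml before https://autodiscover.domainname.com/..., so an expired certificate on the public website triggers the warning. This added example (not from the thread) connects to each hostname and reports the certificate actually served, accepting invalid certificates so that an expired one can still be inspected. It assumes 'domainname.com' and 'remote.domainname.com' are placeholders and that it is run from any Windows PowerShell on an external network, where the question's users are.

```powershell
# Added example: show which certificate each Autodiscover / RWW endpoint serves.
# Placeholders: domainname.com (SMTP domain) and remote.domainname.com (RWW/OWA name).

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate so the handshake completes even if it is expired;
        # we only want to read what the server presents, not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

# Hosts in the order Outlook's Autodiscover consults them for user@domainname.com,
# plus the RWW/OWA name for comparison with what Get-ExchangeCertificate shows.
$candidates = @(
    'domainname.com',               # https://domainname.com/autodiscover/autodiscover.xml
    'autodiscover.domainname.com',  # https://autodiscover.domainname.com/autodiscover/autodiscover.xml
    'remote.domainname.com'         # RWW / OWA / Outlook Anywhere endpoint
)

foreach ($h in $candidates) {
    try   { Get-ServedCertificate -HostName $h | Format-List Host, Subject, Issuer, NotAfter, Expired, Thumbprint }
    catch { Write-Warning "$h : $($_.Exception.Message)" }
}
```

An entry with Expired = True on domainname.com while remote.domainname.com shows the valid GoDaddy thumbprint is exactly the situation described in the accepted solution; fix the website's certificate (or point the domainname.com Autodiscover lookup at a host with a valid one) rather than changing anything in Exchange.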

Author Closing Comment

ID: 39852783
Explained in solution
