Solved

Outlook Third Party Certificate is invalid or expired

Posted on 2014-01-14
Last Modified: 2014-02-12
Hello,
I have a lot to learn about certificates and hope I can learn here. The issue is with Outlook only on external networks connecting to SBS2008. When users open Outlook they are prompted with a Security warning stating that certificate is invalid or has expired. More details show that it has expired. We do not have an issue with RWW and I can see the cert.

It seems we are using two GoDaddy standard SSL certs, and the one that Outlook tries to use is the one that recently expired. The issue didn't pop its head up until it expired. The other one installed on the server is working for RWW/OWA only.

Services for the current cert are: IMAP, POP, IIS, SMTP

How can I get Outlook to use the cert that is current and already installed or is that not the issue?

I probably don't have enough info posted here but will answer anything I can.

Thanks for your help.
Question by:chtbi

9 Comments
 
Expert Comment
by:Olaf De Ceuster
Using the SSL wizard (http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx) import an existing certificate and choose the active GoDaddy cert.
Hope that helps,
Olaf
Author Comment
by:chtbi
That can't be the solution or I just don't understand. Probably the latter.

The GoDaddy cert is already listed as being used and is evident when I visit RWW/OWA. The Get-ExchangeCertificate command in the Exchange shell shows that this cert is active for the services IMAP, POP, IIS, SMTP. This tells me that it is active but isn't working for Outlook, as it's still seeing the expired cert.
Expert Comment
by:WORKS2011
Run the following commands from PowerShell (in bold); basically you're locating the cert currently used by its thumbprint and replacing it with the new cert.

Get-ExchangeCertificate -domain "domainname" | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {computername, computername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=computername
NotAfter           : 2/16/2011 11:34:03 PM
NotBefore          : 2/16/2010 11:34:03 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 444FEF2E6F75B8864B86866DE2792FC2
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=computername
Thumbprint         : 2FB28F5075EFE9B30A8F8458DED0A19628D71F52



[PS] C:\Windows\System32>Get-ExchangeCertificate -thumbprint "2FB28F7055EFE9B30A
8F8458DED0A19628D71F52" | New-ExchangeCertificate

Confirm
Overwrite existing default SMTP certificate,
'2FB28F5075EFE9B30A8F8458DED0A19628D71F52' (expires 2/16/2011 11:34:03 PM),
with certificate 'FB5AECA6B39816F02B3245BD1D95394A573E1F02' (expires 2/22/2012
8:29:16 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Thumbprint                                Services   Subject
----------                                --------   -------
FB5AECA6B39816F02B3245BD1D95394A573E1F02  .....      CN=computername


[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F
02B3245BD1D95394A573E1F02" -services IIS
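The commands above overwrite a binding by thumbprint one step at a time. As an added example (not code from the thread or from either poster), the script below first inventories every certificate Exchange holds, flagging expired ones and the services each is bound to, and only then binds an unexpired CA-issued certificate that actually covers the external hostname to IIS, which is the binding Outlook Anywhere, Autodiscover, OWA and RWW all use. It assumes the Exchange Management Shell on the SBS 2008 box with PowerShell 2.0 or later, and `remote.domainname.com` is a placeholder hostname, not a value from the thread.

```powershell
# Added example, not code from the thread. Run in the Exchange Management
# Shell on the SBS 2008 server (assumes PowerShell 2.0 or later).
# 1) Inventory every certificate Exchange knows about, flag the expired ones,
#    and show which services each is bound to. Outlook Anywhere, Autodiscover,
#    OWA and RWW all use whatever certificate is bound to IIS.
$now = Get-Date
Get-ExchangeCertificate | Sort-Object NotAfter | Select-Object `
    Thumbprint, Services, Status, NotAfter, IsSelfSigned, `
    @{Name = 'Expired'; Expression = { $_.NotAfter -lt $now }}, `
    @{Name = 'Domains'; Expression = {
        [string]::Join(', ', @($_.CertificateDomains | ForEach-Object { $_.ToString() })) }} |
    Format-Table -AutoSize

# 2) Select the unexpired, CA-issued certificate that covers the external name
#    clients connect to (placeholder hostname; replace with yours) and bind it
#    to IIS. Exchange prompts before overwriting the current IIS binding.
$externalName = 'remote.domainname.com'   # placeholder, not from the thread
$candidates = @(Get-ExchangeCertificate | Where-Object {
    (-not $_.IsSelfSigned) -and ($_.NotAfter -gt $now) -and
    (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $externalName)
})
if ($candidates.Count -gt 0) {
    Enable-ExchangeCertificate -Thumbprint $candidates[0].Thumbprint -Services IIS
} else {
    Write-Warning "No unexpired CA-issued certificate covers $externalName; nothing changed."
}
```

The name check matters as much as the expiry check: a certificate that is current but does not list the hostname clients type in produces the same kind of Outlook warning, so the script refuses to bind anything rather than guess.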
Author Comment
by:chtbi
Thanks for the reply, works2011, but no resolve. It actually caused a small hiccup on RWW and the Outlook HTTP connection to Exchange, but I ran the Add a Trusted Certificate wizard on SBS and now there is no issue with RWW or the Outlook connection, but I'm still getting the invalid or expired cert warning in Outlook.

Like I said before I want to use the GoDaddy cert RWW is using for Outlook http connection to Exchange.
Expert Comment
by:WORKS2011
You can use the Go Daddy cert you have to remove the cert that is old, or at least enable the Go Daddy cert. It's not Outlook getting the wrong cert, it's Exchange handing off the wrong cert.

Are you sure the FQDN is correct on the new cert?
Author Comment
by:chtbi
Would FQDN be remote.domainname.com or servername.domainname.local? I can go to remote.domainname.com which is RWW and see the GoDaddy cert. Services for this cert are IMAP, POP, IIS, and SMTP.

It's not a new cert, it's the cert that's been used for RWW for about two years.

The one that Exchange was issuing to Outlook over http is the one that has expired.

When you say enable it, isn't it already enabled (RWW) or do you mean enable it also for use with Outlook?

Thanks for your help on this. I just can't seem to get it.

Oh and there are 6 certs when I run Get-ExchangeCertificate | fl command. Do I need to remove those that have expired? Could this be part of the problem?
Expert Comment
by:WORKS2011
Enable it through PowerShell:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -thumbprint "FB5AECA6B39816F
02B3245BD1D95394A573E1F02" -services IIS

First you find the thumbprint then enable it.

Use the exact name on the one that expired.
Accepted Solution
by:chtbi (earned 0 total points)
Turns out that the website cert for domainname.com had expired. Evidently Outlook looks there and doesn't rely on cert that the SBS box has and uses for RWW.
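The accepted solution explains why the server-side binding looked fine: Outlook's Autodiscover lookup tries https://&lt;smtpdomain&gt;/autodiscover/autodiscover.xml before https://autodiscover.&lt;smtpdomain&gt;/..., so whatever certificate the root domain's web host presents is the first one Outlook evaluates, independently of the certificate bound in Exchange. As an added example (not code from the thread), the script below connects to each candidate host on TCP 443 and reports the certificate it actually presents, so an expired one on the root domain is visible without opening Outlook. It assumes PowerShell 2.0 or later on any Windows machine with outbound 443; `domainname.com` is a placeholder, and the `autodiscover.` and `remote.` hosts are assumed from the thread's naming.

```powershell
# Added example, not code from the thread. Run from any Windows box with
# outbound TCP 443 (assumes PowerShell 2.0 or later). Outlook's Autodiscover
# lookup tries https://<smtpdomain>/autodiscover/autodiscover.xml before
# https://autodiscover.<smtpdomain>/..., so the certificate on the root
# domain's web host is the first one Outlook evaluates. This reports the
# certificate each candidate host actually presents.
function Get-TlsCertificateInfo {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever the server sends so it can be inspected; validity is
        # judged from the reported fields rather than by failing the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint
            Error      = $null
        }
    } catch {
        New-Object PSObject -Property @{ Host = $HostName; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Placeholder SMTP domain; the three hosts mirror the thread's naming
# (root domain, autodiscover host, and remote.<domain> used for RWW/OWA).
$domain = 'domainname.com'
@($domain, "autodiscover.$domain", "remote.$domain") |
    ForEach-Object { Get-TlsCertificateInfo -HostName $_ } |
    Format-List Host, Subject, Issuer, NotAfter, Expired, Thumbprint, Error
```

Compare the Thumbprint column against Get-ExchangeCertificate output: a host whose thumbprint is not one Exchange serves is a separate web server (here, the public website), and its certificate renewal is a separate task from the Exchange binding.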
Author Closing Comment
by:chtbi
Explained in solution
