Get "Security Alert" popup on W7 workstations after updating the "self-signed certificate"

Posted on 2015-01-08
Last Modified: 2015-01-14
I have an SBS2008 server.
- From the SBS2008 console, the leaf security shows (it expires 1/13/2014).
- I reissued the “self-issued certificate” in advance by running the “Fix My Network” wizard. Reissued successfully. It’s now good for another two years.
- However, now after the certificate was renewed, a message pops up on all Outlook users indicating a “Security Alert”, basically asking to trust the certificate.
- The message shows a red x that says: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority."
- I re-installed it on the server and it still pops up on the workstations.
- So I reinstalled the original certificate from the SBS2008 console and the message no longer pops up.

Need to understand why updating in advance does not play well.
- Am I missing a step?
- Do I need to wait till it actually expires before running the “Fix My Network” wizard?

Any help would be appreciated.
Question by:agieryic
LVL 29

Accepted Solution

becraig earned 300 total points
ID: 40539167
Was the previous certificate also a self-signed certificate?

If so, you will simply have to push the certificate out to trusted root on all clients that log in to the domain.

The message is simply saying the issuer is not trusted.

Here is a good link to help you with this:
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 200 total points
ID: 40539189
Based on your description and the fact that this is SBS 2008, I'm guessing that the root also expired. When the leaf expires, the fix my network wizard is all that is required. But when the root expires, the renewed root must be redistributed. They are not on the same aging schedule, so it isn't uncommon to see roots expiring now that there are older SBS 2008 servers out there.

As an aside, with the cost of SSL these days, the hassle of self-issued certificates really is tough to justify given the man-hours when compared to buying a certificate for a year for less than a single Starbucks coffee. I never recommend self-issued certificates anymore, even for the budget conscious.

Author Comment

ID: 40539308
Yes, the previous certificate was also a self-signed certificate.
The server has only been in place for two years. The root certificate won't expire till 2017, I believe (5 year mark).
I was seeing the alert on the local PCs that are on the LAN. When the message popped up, it allowed me to install the certificate but it would still return, even after logging in and out.

On a recent reissue on another SBS2008 server I support, the leaf certificate expired. When I ran the "Fix My Network" wizard, it worked fine and I didn't have to do anything else and no pop-ups.

Does the reissue work differently after the self-signed certificate expires? That's the only difference I see.

I had already purchased an SSL certificate nearly 1 year ago, but I have not fully learned how it works, whether it replaces both the leaf and root certificates. This is why I did the self-signed one, because it appears easier to install.

I'm still confused as to why I had to reinstall the original certificate. Should I just wait till it expires and then install the self-signed certificate? I understand the reference to the above link for remote PCs, but I should not have to reinstall for local PCs on the LAN and in the domain. Does that make sense?

Author Comment

ID: 40539313
"If so you will simply have to push the certificate out to trusted root on all clients that login to the domain" - I don't know how to do this. I'll look at the link provided again to see if it explains the process.

My point above is that I didn't have to do anything but run the Fix My Network wizard on an SBS2008 server whose self-signed certificate expired.
LVL 29

Expert Comment

ID: 40539316
If you have a purchased certificate it will be rooted to a trusted provider so you will not have this popup.

The logic here is that the "root certificate" for your certificate HAS to be in the Trusted Root on each client that will contact your service; if it is not explicitly added there as a trusted root, you will get this popup.

Most third party certificate issuers are trusted by default and updated if they renew their root certificate as a part of the operating system update.

If you have a certificate issued from a trusted provider, I would just go ahead and use it.

You can simply point the network wizard to that certificate.

Author Comment

ID: 40539328
When we face certificate prompts on remote computers, all that's needed is installing the self-issued certificate on the machine. For domain-joined machines the certificate should be bound correctly on IIS, Exchange and TS Gateway Manager as well.

But I thought it does this automatically when you run the wizard (at least after it expires).
Maybe there are more steps when you try to update before it expires.

Reinstalling the original certificate that is about to expire, the message no longer appears. This is what I don't understand.
LVL 29

Expert Comment

ID: 40539336
Can you look at the original certificate and look at the Certification Path tab?

Being self signed it should simply point to itself, but please compare the two and verify if you notice any differences in both.
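
The comparison suggested above, combined with the Trusted Root check from the earlier comment, as a PowerShell sketch added here (it is not part of the original thread). `$OldCer` and `$NewCer` are hypothetical paths to `.cer` exports of the original and the renewed certificate; run it on an affected workstation.

```powershell
# Added example, not from the thread. $OldCer and $NewCer are hypothetical
# paths to .cer exports of the original and the renewed certificate.
$OldCer = 'C:\Temp\old-leaf.cer'
$NewCer = 'C:\Temp\new-leaf.cer'

function Get-CertPathSummary([string]$Path) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only trust is in question here, so leave revocation checking out.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Last element = top of the certification path Windows could build.
    # If the issuer cannot be found at all, this is the leaf itself and
    # ChainStatus reports PartialChain.
    $top    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        File          = $Path
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        TopOfPath     = $top.Subject
        TopThumbprint = $top.Thumbprint
        TopNotAfter   = $top.NotAfter
        # Is the top of the path present in a Trusted Root store on this client?
        InMachineRoot = (Test-Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint))
        InUserRoot    = (Test-Path ("Cert:\CurrentUser\Root\" + $top.Thumbprint))
        ChainTrusted  = $trusted
        ChainStatus   = $status
    }
}

$old = Get-CertPathSummary $OldCer
$new = Get-CertPathSummary $NewCer
$old, $new | Format-List File, Subject, Issuer, NotAfter, Thumbprint,
    TopOfPath, TopThumbprint, TopNotAfter, InMachineRoot, InUserRoot,
    ChainTrusted, ChainStatus

if ($old.TopThumbprint -ne $new.TopThumbprint) {
    'The two certificates chain to different roots; compare TopOfPath and the root-store columns.'
}
```

A `ChainStatus` of `UntrustedRoot` with both root-store columns `False` corresponds to the "issued by a company you have not chosen to trust" alert described in the question.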

Author Comment

ID: 40549572
I waited till the self-signed certificate expired yesterday. Today, I ran "Fix my network" and it re-issued the certificate successfully. Users no longer get the pop up message.

I assume the server's "Fix My Network" wizard process of reissuing works differently than trying to renew before it expires.

I was just trying to be proactive by renewing in advance which didn't work as I expected it. I don't know what I could do differently if I want to renew a self signed certificate (leaf certificate - 2 year renewal) in the future. I have another renewal coming up for another SBS2008 server.

In the future, I will be looking into getting a 3rd party certificate.

All seems to be working now.
