Go Premium for a chance to win a PS4. Enter to Win


Get "Security Alert" popup on W7 workstations after updating the "self-signed certificate"

Posted on 2015-01-08
Medium Priority
Last Modified: 2015-01-14
I have an SBS2008 server
-      From the SBS2008 console, The leaf security shows (it expires 1/13/2014.
-   I Reissued “self-issued certificate” in advance by running the “Fix My Network” wizard. Reissued successfully. It’s now good for another two years.
-      However now After the certificate was renewed, a message pops up on all Outlook users indicating a “Security Alert” basically asking to trust the certificate.
-   the message shows a red x that says: the security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority"
-   I re-installed it on the server and it still pops up on the workstations.
-      So I reinstalled the original certificate and from the SBS2008 console and the message no longer pops up.

Need to understand why updating in advance does not play well.
-      Am I missing a step?
-      Do I need to wait till it actually expires before running the “Fix My Network” wizard?

Any help would be appreciated
Question by:agieryic
  • 4
  • 3
LVL 29

Accepted Solution

becraig earned 1200 total points
ID: 40539167
Was the previous certificate also a self-signed certificate ?

If so you will simply have to push the certificate out to trusted root on all clients that login to the domain.

The message is simply saying the issuer is not trusted.

Here is a good link to help you with this:
LVL 60

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 800 total points
ID: 40539189
Based on your description and the fact that this is SBS 2008, I'm guessing that the root also expired. When the leaf expires, the fix my network wizard is all that is required. But when the root expires, the renewed root must be redistributed. They are not on the same aging schedule, so it isn't uncommon to see roots expiring now that there are older SBS 2008 servers out there.

As an aside, with the cost of SSL these days, the hassle of self-issued certificates really is tough to justify given the man-hours when compared to buying a certificate for a year for less than a single Starbucks coffee. I never recommend self-issued certificates anymore, even for the budget conscious.

Author Comment

ID: 40539308
Yes, the previous certificate also a self-signed certificate
The server has only been in place for two years. the root certificate wont expire till 2017 I believe (5 year mark)
I was seeing the alert on the local PC's that are on the LAN. When the message popped up, it allowed me to install the certificate but it would still return, even after logging in and out

On a recent reissue on another SBS2008 server I support, the leaf certificate expired. When I ran the "fix my network" wizard, it worked fine and I didn't have to do anything else and no pop ups.  

Does the reissue work differently after the self signed certificate expires? that's the only difference I see

I had already purchased an SSL certificate near 1 year ago - but I have not fully learned how it works - whether it replaces both the leaf and root certificates. this is why I did the self signed because it appears easier to install.

I'm still confused as to why I had to reinstall the original certificate. Should I just wait till it expires and then install the self-signed certificate. I understand the reference to the above link for remote PC's but I should not have to reinstall for local PC's on the LAN and in the domain. Does that make sense
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 40539313
"If so you will simply have to push the certificate out to trusted root on all clients that login to the domain" - I don't know how to do this. I'll look a the link provided again to see if it explains the process.

My point above is that I didn't have to do anything but run the fix my network wizard on an SBS2008 server that its self-signed certificate expired.
LVL 29

Expert Comment

ID: 40539316
If you have a purchased certificate it will be rooted to a trusted provider so you will not have this popup.

The logic here is that is "root certificate" for your certificate HAS to be in the Trusted Root on each client that will contact your service, if it is not explicitly added there as a trusted root you will get this popup.

Most third party certificate issuers are trusted by default and updated if they renew their root certificate as a part of the operating system update.

If you have a certificate issued from a trusted provided I would just go ahead and use it.

You can simply point the network wizard to that certificate.

Author Comment

ID: 40539328
When we face certificate prompts on remote computers all that's needed is installing the self-issued certificate on the machine. For domain joined machines the certificate should be bounded correctly on IIS, Exchange and TS Gateway Manager as well.

But I thought it does this automatically when you run the wizard (at least after it expires)
Maybe there are more steps when you try to update before it expires

Reinstalling the original certificate that is about the expire, the message no longer appears. This is what I don't understand
LVL 29

Expert Comment

ID: 40539336
Can you look at the original certificate and look at the certification path tab.

Being self signed it should simply point to itself, but please compare the two and verify if you notice any differences in both.

Author Comment

ID: 40549572
I waited till the self-signed certificate expired yesterday. Today, I ran "Fix my network" and it re-issued the certificate successfully. Users no longer get the pop up message.

I assume the server's "Fix My Network" wizard process of reissuing works differently then trying to renew before it expires.

I was just trying to be proactive by renewing in advance which didn't work as I expected it. I don't know what I could do differently if I want to renew a self signed certificate (leaf certificate - 2 year renewal) in the future. I have another renewal coming up for another SBS2008 server.

In the future, I will be looking into getting a 3rd party certificate

All seems to be working now.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Steps to fix “Unable to mount database. (hr=0x80004005, ec=1108)”.
If you have come across a situation where you need to find some EDB mailbox recovery techniques, then here you will find the same. In this article, we will take you through three techniques using which you will be able to perform EDB recovery. You …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question