Solved

Get "Security Alert" popup on W7 workstations after updating the "self-signed certificate"

Posted on 2015-01-08
8
305 Views
Last Modified: 2015-01-14
I have an SBS2008 server
-      From the SBS2008 console, The leaf security shows (it expires 1/13/2014.
-   I Reissued “self-issued certificate” in advance by running the “Fix My Network” wizard. Reissued successfully. It’s now good for another two years.
-      However now After the certificate was renewed, a message pops up on all Outlook users indicating a “Security Alert” basically asking to trust the certificate.
-   the message shows a red x that says: the security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority"
-   I re-installed it on the server and it still pops up on the workstations.
-      So I reinstalled the original certificate and from the SBS2008 console and the message no longer pops up.

Need to understand why updating in advance does not play well.
-      Am I missing a step?
-      Do I need to wait till it actually expires before running the “Fix My Network” wizard?

Any help would be appreciated
0
Comment
Question by:agieryic
  • 4
  • 3
8 Comments
 
LVL 28

Accepted Solution

by:
becraig earned 300 total points
Comment Utility
Was the previous certificate also a self-signed certificate ?

If so you will simply have to push the certificate out to trusted root on all clients that login to the domain.

The message is simply saying the issuer is not trusted.

Here is a good link to help you with this:
http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 200 total points
Comment Utility
Based on your description and the fact that this is SBS 2008, I'm guessing that the root also expired. When the leaf expires, the fix my network wizard is all that is required. But when the root expires, the renewed root must be redistributed. They are not on the same aging schedule, so it isn't uncommon to see roots expiring now that there are older SBS 2008 servers out there.

As an aside, with the cost of SSL these days, the hassle of self-issued certificates really is tough to justify given the man-hours when compared to buying a certificate for a year for less than a single Starbucks coffee. I never recommend self-issued certificates anymore, even for the budget conscious.
0
 
LVL 1

Author Comment

by:agieryic
Comment Utility
Yes, the previous certificate also a self-signed certificate
The server has only been in place for two years. the root certificate wont expire till 2017 I believe (5 year mark)
I was seeing the alert on the local PC's that are on the LAN. When the message popped up, it allowed me to install the certificate but it would still return, even after logging in and out

On a recent reissue on another SBS2008 server I support, the leaf certificate expired. When I ran the "fix my network" wizard, it worked fine and I didn't have to do anything else and no pop ups.  

Does the reissue work differently after the self signed certificate expires? that's the only difference I see

I had already purchased an SSL certificate near 1 year ago - but I have not fully learned how it works - whether it replaces both the leaf and root certificates. this is why I did the self signed because it appears easier to install.

I'm still confused as to why I had to reinstall the original certificate. Should I just wait till it expires and then install the self-signed certificate. I understand the reference to the above link for remote PC's but I should not have to reinstall for local PC's on the LAN and in the domain. Does that make sense
0
 
LVL 1

Author Comment

by:agieryic
Comment Utility
"If so you will simply have to push the certificate out to trusted root on all clients that login to the domain" - I don't know how to do this. I'll look a the link provided again to see if it explains the process.

My point above is that I didn't have to do anything but run the fix my network wizard on an SBS2008 server that its self-signed certificate expired.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 28

Expert Comment

by:becraig
Comment Utility
If you have a purchased certificate it will be rooted to a trusted provider so you will not have this popup.

The logic here is that is "root certificate" for your certificate HAS to be in the Trusted Root on each client that will contact your service, if it is not explicitly added there as a trusted root you will get this popup.

Most third party certificate issuers are trusted by default and updated if they renew their root certificate as a part of the operating system update.

If you have a certificate issued from a trusted provided I would just go ahead and use it.

You can simply point the network wizard to that certificate.
0
 
LVL 1

Author Comment

by:agieryic
Comment Utility
When we face certificate prompts on remote computers all that's needed is installing the self-issued certificate on the machine. For domain joined machines the certificate should be bounded correctly on IIS, Exchange and TS Gateway Manager as well.

But I thought it does this automatically when you run the wizard (at least after it expires)
Maybe there are more steps when you try to update before it expires

Reinstalling the original certificate that is about the expire, the message no longer appears. This is what I don't understand
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Can you look at the original certificate and look at the certification path tab.

Being self signed it should simply point to itself, but please compare the two and verify if you notice any differences in both.
0
 
LVL 1

Author Comment

by:agieryic
Comment Utility
I waited till the self-signed certificate expired yesterday. Today, I ran "Fix my network" and it re-issued the certificate successfully. Users no longer get the pop up message.

I assume the server's "Fix My Network" wizard process of reissuing works differently then trying to renew before it expires.

I was just trying to be proactive by renewing in advance which didn't work as I expected it. I don't know what I could do differently if I want to renew a self signed certificate (leaf certificate - 2 year renewal) in the future. I have another renewal coming up for another SBS2008 server.

In the future, I will be looking into getting a 3rd party certificate

All seems to be working now.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now