Get "Security Alert" popup on W7 workstations after updating the "self-signed certificate"

Posted on 2015-01-08
Last Modified: 2015-01-14
I have an SBS2008 server.
- From the SBS2008 console, the leaf security shows it expires 1/13/2014.
- I reissued the "self-issued certificate" in advance by running the "Fix My Network" wizard. Reissued successfully. It's now good for another two years.
- However, now after the certificate was renewed, a message pops up on all Outlook users indicating a "Security Alert", basically asking to trust the certificate.
- The message shows a red x that says: "the security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority"
- I re-installed it on the server and it still pops up on the workstations.
- So I reinstalled the original certificate from the SBS2008 console and the message no longer pops up.

Need to understand why updating in advance does not play well.
- Am I missing a step?
- Do I need to wait till it actually expires before running the "Fix My Network" wizard?

Any help would be appreciated
Question by:agieryic

Accepted Solution

becraig earned 300 total points
ID: 40539167
Was the previous certificate also a self-signed certificate?

If so you will simply have to push the certificate out to trusted root on all clients that log in to the domain.

The message is simply saying the issuer is not trusted.

Here is a good link to help you with this:

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 200 total points
ID: 40539189
Based on your description and the fact that this is SBS 2008, I'm guessing that the root also expired. When the leaf expires, the fix my network wizard is all that is required. But when the root expires, the renewed root must be redistributed. They are not on the same aging schedule, so it isn't uncommon to see roots expiring now that there are older SBS 2008 servers out there.

As an aside, with the cost of SSL these days, the hassle of self-issued certificates really is tough to justify given the man-hours when compared to buying a certificate for a year for less than a single Starbucks coffee. I never recommend self-issued certificates anymore, even for the budget conscious.

Author Comment

ID: 40539308
Yes, the previous certificate was also a self-signed certificate.
The server has only been in place for two years. The root certificate won't expire till 2017 I believe (5 year mark).
I was seeing the alert on the local PCs that are on the LAN. When the message popped up, it allowed me to install the certificate but it would still return, even after logging in and out.

On a recent reissue on another SBS2008 server I support, the leaf certificate expired. When I ran the "fix my network" wizard, it worked fine and I didn't have to do anything else and no pop ups.

Does the reissue work differently after the self-signed certificate expires? That's the only difference I see.

I had already purchased an SSL certificate near 1 year ago, but I have not fully learned how it works, whether it replaces both the leaf and root certificates. This is why I did the self-signed because it appears easier to install.

I'm still confused as to why I had to reinstall the original certificate. Should I just wait till it expires and then install the self-signed certificate? I understand the reference to the above link for remote PCs but I should not have to reinstall for local PCs on the LAN and in the domain. Does that make sense?

Author Comment

ID: 40539313
"If so you will simply have to push the certificate out to trusted root on all clients that login to the domain" - I don't know how to do this. I'll look at the link provided again to see if it explains the process.

My point above is that I didn't have to do anything but run the fix my network wizard on an SBS2008 server whose self-signed certificate expired.

Expert Comment

ID: 40539316
If you have a purchased certificate it will be rooted to a trusted provider so you will not have this popup.

The logic here is that the "root certificate" for your certificate HAS to be in the Trusted Root on each client that will contact your service; if it is not explicitly added there as a trusted root you will get this popup.

Most third party certificate issuers are trusted by default and updated if they renew their root certificate as a part of the operating system update.

If you have a certificate issued from a trusted provider I would just go ahead and use it.

You can simply point the network wizard to that certificate.

Author Comment

ID: 40539328
When we face certificate prompts on remote computers all that's needed is installing the self-issued certificate on the machine. For domain joined machines the certificate should be bound correctly on IIS, Exchange and TS Gateway Manager as well.

But I thought it does this automatically when you run the wizard (at least after it expires).
Maybe there are more steps when you try to update before it expires.

Reinstalling the original certificate that is about to expire, the message no longer appears. This is what I don't understand.

Expert Comment

ID: 40539336
Can you look at the original certificate and look at the certification path tab?

Being self-signed it should simply point to itself, but please compare the two and verify if you notice any differences in both.
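
The comparison suggested above, as an added example that is not part of the original thread: PowerShell run on an affected workstation that loads the old and the reissued leaf certificate, builds each chain, and reports whether the certificate at the top of the chain is in a Trusted Root store. The two `.cer` paths are hypothetical; export both certificates from the server first.

```powershell
# Added example, not from the thread. Run in Windows PowerShell on an affected workstation.
# Hypothetical paths: export the old and the reissued leaf certificate as .cer files first.
$certFiles = 'C:\Temp\leaf-old.cer', 'C:\Temp\leaf-new.cer'

function Get-CertTrustReport {
    param([string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation checking; the question is only whether the chain ends in a trusted root.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # Last element the chain engine could resolve (the leaf itself if its issuer is missing).
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is that certificate present in a Trusted Root store on this client?
    $inRoot = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0

    New-Object PSObject -Property @{
        File        = Split-Path $Path -Leaf
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        ChainLength = $chain.ChainElements.Count
        TopOfChain  = $top.Subject
        TopInRoot   = $inRoot
        ChainOk     = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# One report per certificate; compare Issuer, TopOfChain and TopInRoot side by side.
$certFiles | ForEach-Object { Get-CertTrustReport $_ } |
    Select-Object File, Subject, Issuer, NotAfter, Thumbprint,
                  ChainLength, TopOfChain, TopInRoot, ChainOk, ChainStatus |
    Format-List
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` with `TopInRoot` false for only one of the two files points at an issuer that this client has not been given as a trusted root.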

Author Comment

ID: 40549572
I waited till the self-signed certificate expired yesterday. Today, I ran "Fix my network" and it re-issued the certificate successfully. Users no longer get the pop up message.

I assume the server's "Fix My Network" wizard process of reissuing works differently than trying to renew before it expires.

I was just trying to be proactive by renewing in advance which didn't work as I expected it. I don't know what I could do differently if I want to renew a self-signed certificate (leaf certificate - 2 year renewal) in the future. I have another renewal coming up for another SBS2008 server.

In the future, I will be looking into getting a 3rd party certificate.

All seems to be working now.

Question has a verified solution.
