Get "Security Alert" popup on W7 workstations after updating the "self-signed certificate"

Posted on 2015-01-08
Medium Priority
Last Modified: 2015-01-14
I have an SBS2008 server
- From the SBS2008 console, the leaf security shows it expires 1/13/2014.
- I reissued the “self-issued certificate” in advance by running the “Fix My Network” wizard. Reissued successfully. It’s now good for another two years.
- However, now after the certificate was renewed, a message pops up on all Outlook users indicating a “Security Alert”, basically asking to trust the certificate.
- The message shows a red X that says: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority"
- I re-installed it on the server and it still pops up on the workstations.
- So I reinstalled the original certificate from the SBS2008 console and the message no longer pops up.

Need to understand why updating in advance does not play well.
- Am I missing a step?
- Do I need to wait till it actually expires before running the “Fix My Network” wizard?

Any help would be appreciated.
Question by:agieryic
Accepted Solution

becraig earned 1200 total points
ID: 40539167
Was the previous certificate also a self-signed certificate?

If so, you will simply have to push the certificate out to trusted root on all clients that log in to the domain.

The message is simply saying the issuer is not trusted.

Here is a good link to help you with this:

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 800 total points
ID: 40539189
Based on your description and the fact that this is SBS 2008, I'm guessing that the root also expired. When the leaf expires, the fix my network wizard is all that is required. But when the root expires, the renewed root must be redistributed. They are not on the same aging schedule, so it isn't uncommon to see roots expiring now that there are older SBS 2008 servers out there.

As an aside, with the cost of SSL these days, the hassle of self-issued certificates really is tough to justify given the man-hours when compared to buying a certificate for a year for less than a single Starbucks coffee. I never recommend self-issued certificates anymore, even for the budget conscious.

Author Comment

ID: 40539308
Yes, the previous certificate was also a self-signed certificate.
The server has only been in place for two years. The root certificate won't expire till 2017, I believe (5 year mark).
I was seeing the alert on the local PCs that are on the LAN. When the message popped up, it allowed me to install the certificate, but it would still return, even after logging in and out.

On a recent reissue on another SBS2008 server I support, the leaf certificate expired. When I ran the "fix my network" wizard, it worked fine and I didn't have to do anything else and no pop ups.

Does the reissue work differently after the self-signed certificate expires? That's the only difference I see.

I had already purchased an SSL certificate nearly 1 year ago, but I have not fully learned how it works, whether it replaces both the leaf and root certificates. This is why I did the self-signed because it appears easier to install.

I'm still confused as to why I had to reinstall the original certificate. Should I just wait till it expires and then install the self-signed certificate? I understand the reference to the above link for remote PCs, but I should not have to reinstall for local PCs on the LAN and in the domain. Does that make sense?
Author Comment

ID: 40539313
"If so you will simply have to push the certificate out to trusted root on all clients that login to the domain" - I don't know how to do this. I'll look at the link provided again to see if it explains the process.

My point above is that I didn't have to do anything but run the fix my network wizard on an SBS2008 server whose self-signed certificate expired.

Expert Comment

ID: 40539316
If you have a purchased certificate it will be rooted to a trusted provider so you will not have this popup.

The logic here is that the "root certificate" for your certificate HAS to be in the Trusted Root on each client that will contact your service; if it is not explicitly added there as a trusted root, you will get this popup.

Most third party certificate issuers are trusted by default and updated if they renew their root certificate as a part of the operating system update.

If you have a certificate issued from a trusted provider, I would just go ahead and use it.

You can simply point the network wizard to that certificate.

Author Comment

ID: 40539328
When we face certificate prompts on remote computers, all that's needed is installing the self-issued certificate on the machine. For domain joined machines the certificate should be bound correctly on IIS, Exchange and TS Gateway Manager as well.

But I thought it does this automatically when you run the wizard (at least after it expires).
Maybe there are more steps when you try to update before it expires.

Reinstalling the original certificate that is about to expire, the message no longer appears. This is what I don't understand.

Expert Comment

ID: 40539336
Can you look at the original certificate and look at the certification path tab?

Being self signed it should simply point to itself, but please compare the two and verify if you notice any differences in both.
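
The comparison suggested above, done from PowerShell on an affected workstation. This is an added example, not part of any poster's reply; the two `.cer` paths are hypothetical exports of the original and the reissued leaf certificate.

```powershell
# Hypothetical paths: export the old and the reissued leaf certificate to .cer first.
$leafFiles = @{ Old = 'C:\Temp\old-leaf.cer'; New = 'C:\Temp\new-leaf.cer' }

function Get-LeafTrustReport {
    param([string]$Label, [string]$Path)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" $Path

    $chain = New-Object "$x509.X509Chain"
    # Revocation is not the question here; report trust-path errors only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # The last element is the top of whatever path Windows could assemble.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is that top certificate present in a Trusted Root store on this client?
    $inMachineRoot = Test-Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint)
    $inUserRoot    = Test-Path ("Cert:\CurrentUser\Root\" + $top.Thumbprint)

    New-Object PSObject -Property @{
        Label          = $Label
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        LeafThumbprint = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        TopOfPath      = $top.Subject
        TopThumbprint  = $top.Thumbprint
        InMachineRoot  = $inMachineRoot
        InUserRoot     = $inUserRoot
        Trusted        = $trusted
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    } | Select-Object Label, Subject, Issuer, LeafThumbprint, NotAfter,
                      TopOfPath, TopThumbprint, InMachineRoot, InUserRoot,
                      Trusted, ChainStatus
}

# Print both reports one after the other so Issuer and TopThumbprint can be compared.
'Old', 'New' | ForEach-Object {
    Get-LeafTrustReport -Label $_ -Path $leafFiles[$_]
} | Format-List
```

If the `New` report shows `UntrustedRoot` or `PartialChain` while `Old` shows `Trusted : True`, the reissued leaf's path ends at a certificate that this client does not have in its Trusted Root store.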

Author Comment

ID: 40549572
I waited till the self-signed certificate expired yesterday. Today, I ran "Fix my network" and it re-issued the certificate successfully. Users no longer get the pop up message.

I assume the server's "Fix My Network" wizard process of reissuing works differently than trying to renew before it expires.

I was just trying to be proactive by renewing in advance which didn't work as I expected it. I don't know what I could do differently if I want to renew a self signed certificate (leaf certificate - 2 year renewal) in the future. I have another renewal coming up for another SBS2008 server.

In the future, I will be looking into getting a 3rd party certificate.

All seems to be working now.
