Damian Gardner
 asked on

Exchange security certificate issues

Exchange 2010 / Outlook 2010 environment. We applied updates to Exchange over the weekend, and now clients seem to be getting security certificate errors because of it. It may only be coincidental with an expiration date as well; I can't be sure. But what we are seeing is a similar issue both with Outlook clients and with iPhone Exchange ActiveSync devices. The Outlook client shows an error saying "The security certificate has expired or is not yet valid". The iPhones give two different messages, depending on the person. One message is "Server is not trusted due to invalid certificate", and then allows the user to select "Continue" or "Trust", and they work fine after that. Others, however, do not get that option and say something to the effect of "Certificate has expired"; they aren't presented an option to continue or trust the server, and they're stuck. So, is this an issue on the client side, or on the server side, where I need to recreate the expired certificate? And if I do that, I assume it will upset the 90% of the users that are working. Thanks for your help.
Tags: Exchange, Outlook, Security

Last comment: Damian Gardner, 8/22/2022 (Mon)
Hypercat (Deb)

You need to identify what certificate is being seen as expired. A natural assumption given the behavior you described is that it would have to be a UCC/SAN certificate either self-signed or obtained from an outside provider like GoDaddy, DigiCert, etc.

You can find this out easily from the Exchange management shell with the following command:  get-exchangecertificate |FL.  The result will be a list of all of the Exchange certificates that are installed and will show details about their application to various services, whether they're self-signed or not and if they are expired or valid.  Once you find that out, you'll know which certificate is causing the problem and can go on to renewal steps from there.
Hypercat (Deb)

PS. If you need help analyzing the resulting list, copy and paste it into this thread and we can help you.  You may want to be sure to change or erase any text that would expose potentially sensitive info, like your domain name, server names, etc.
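The following is an added example, not code from the thread: it extends the "Get-ExchangeCertificate | FL" check Hypercat describes into a short Exchange Management Shell audit that separates the harmless case (an expired certificate bound to no services) from the one that actually breaks Outlook and ActiveSync (an expired or invalid certificate still bound to IIS, SMTP, POP or IMAP). It uses only the properties that Get-ExchangeCertificate already returns on Exchange 2010 and is written for the PowerShell 2.0 shell that Exchange 2010 ships with.

```powershell
# Added example (not from the thread): audit Exchange 2010 certificates from the
# Exchange Management Shell. Flags the one combination that actually breaks
# clients: a certificate that is expired/invalid AND still bound to services.
# Run on the Exchange server in the Exchange Management Shell.

$now = Get-Date

$report = Get-ExchangeCertificate | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - $now).TotalDays
    $bound    = ($_.Services -ne 'None')

    # Classify: an invalid cert with no services bound is harmless clutter;
    # an invalid cert still serving IIS is what Outlook/ActiveSync complain about.
    $verdict = if ($_.Status -eq 'Valid' -and $bound) { 'OK - in use' }
               elseif ($_.Status -eq 'Valid')          { 'Valid but unused (candidate to assign)' }
               elseif ($bound)                         { 'PROBLEM - expired/invalid and still bound' }
               else                                    { 'Stale - safe to remove' }

    # New-Object PSObject (not [PSCustomObject]) so this runs under PowerShell 2.0.
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Domains    = ($_.CertificateDomains -join ', ')
        SelfSigned = $_.IsSelfSigned
        Services   = $_.Services
        NotAfter   = $_.NotAfter
        DaysLeft   = $daysLeft
        Status     = $_.Status
        Verdict    = $verdict
    }
}

$report | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, Services, NotAfter, DaysLeft, Status, Verdict -AutoSize

# Surface the actionable ones on their own so they are not missed in a long list.
$report | Where-Object { $_.Verdict -like 'PROBLEM*' } | ForEach-Object {
    Write-Warning ("Certificate {0} ({1}) expired on {2} but is still bound to {3}" -f
        $_.Thumbprint, $_.Subject, $_.NotAfter, $_.Services)
}
```

Applied to the listing the asker posts further down, this would mark the self-signed "CN=exchange" certificate (bound to IMAP, POP, IIS, SMTP and past its NotAfter date) as the problem, and the AERPClient certificate (Services: None) as stale clutter that can be cleaned up but is not what clients are complaining about.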
Hani M .S. Al-habshi

Amit

What kind of update did you apply during the weekend? Also, check whether your Exchange certificates have expired or not. As the error indicates, the certificate has expired and you need to renew it again.

If the certificate has not expired on your Exchange server, do you have any HLB between client and server, where the certificate might have expired and need to be updated?
Daryl Gawn

As a start, open the Exchange Management Console and click on Server Configuration, scroll down through each server listed, and check that the certs are valid (they have a blue tick on the icon next to the name).
Damian Gardner

ASKER
Sorry for the delay, everybody. Here's what I see listed for certs on Exchange:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {AERPClient}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=AERPClient, OU=AERP, O=ARCSERVE, L=Hyderabad, S=TS, C=IN
NotAfter           : 11/30/2015 1:04:36 AM
NotBefore          : 9/1/2015 2:04:36 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 694C1744
Services           : None
Status             : Invalid
Subject            : CN=AERPClient, OU=AERP, O=ARCSERVE, L=Hyderabad, S=TS, C=IN
Thumbprint         : CC93058334A0E3ABBEBDF******F22C032465**7

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule}
CertificateDomains : {exchange, exchange.XXXXXX.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=exchange
NotAfter           : 10/6/2018 1:12:09 PM
NotBefore          : 10/6/2013 1:12:09 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 7A071381E466C08D4C51E6F3EC4DA310
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=exchange
Thumbprint         : 42118DA7BBA73F1881B3AEC52248B84********1

Looks like there are TWO that are "invalid". I'm not sure what each one is for or what the difference is.
ASKER CERTIFIED SOLUTION
Daryl Gawn

Damian Gardner

ASKER
And I checked the server config, as suggested by Daryl, and I do see some expired certs. I took a screenshot and attached it.
Exchange.rtf
Daryl Gawn

Right-click on the cert that is assigned to the services and renew it, and make sure the new one is assigned to the services IMAP, POP, IIS, SMTP; then both the invalid ones can be removed.
Damian Gardner

ASKER
OK. So I understand what will happen; will there be any effect on the users who do not seem to be having a problem with their Outlooks/iPhones?

Thanks Daryl.
Damian Gardner

ASKER
When I right-click it, the options are Remove / Open / Help. Now, I see that there is a third cert in there that is valid until 2023, but no services are assigned to it. Do I simply need to assign services to it, and then remove the other two? You can see the valid one in the screenshot.
Daryl Gawn

Yes, assign the services to the valid one. How many servers do you have? Check the others to make sure they have valid certs; Transport servers need SMTP and CAS need IMAP, POP, IIS, but you might have the same server doing all roles?

I can't see the screenshot for some reason.
Damian Gardner

ASKER
Oh, yeah, it's just 1 server. Sorry you can't see the screenshot. What the valid one says is "This certificate is valid for Exchange Server usage", but under Services it shows "None". Let me try assigning the ones in the expired one over to the valid one. Then I should be able to safely remove the other two invalid ones, right?
Daryl Gawn

Yes, that's right.
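The same procedure Daryl describes in the console (bind the valid certificate to IMAP, POP, IIS and SMTP, then remove the two invalid ones), as an added Exchange Management Shell example that is not from the thread. The thumbprint is a placeholder to be replaced with the real one from Get-ExchangeCertificate; the checks before Enable-ExchangeCertificate and the "invalid AND unbound" filter before Remove-ExchangeCertificate are added guard rails, so a typo in the thumbprint cannot bind services to the wrong certificate or delete one that is still in use.

```powershell
# Added example (not from the thread): re-bind Exchange 2010 services to a valid
# certificate, verify, then remove certificates that are invalid and unbound.
# Placeholder thumbprint: take the real one from Get-ExchangeCertificate.

$validThumbprint = '<THUMBPRINT-OF-VALID-CERT>'   # the cert valid until 2023 with Services=None
$services        = 'IIS','SMTP','POP','IMAP'      # what the expired cert was serving

$cert = Get-ExchangeCertificate -Thumbprint $validThumbprint
if ($cert.Status -ne 'Valid') {
    throw "Refusing to bind services to a certificate with status $($cert.Status)"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; it cannot terminate TLS"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires within 30 days ($($cert.NotAfter)); you will be back here soon"
}

# Bind. Exchange prompts before replacing the default SMTP certificate; -Force suppresses the prompt.
Enable-ExchangeCertificate -Thumbprint $validThumbprint -Services $services -Force

# Verify the binding took effect before touching anything else. No reboot is needed;
# IIS picks up the new binding on its own.
Get-ExchangeCertificate -Thumbprint $validThumbprint | Format-List Subject, Services, Status, NotAfter

# Only now remove certificates that are invalid AND no longer bound to any service.
Get-ExchangeCertificate |
    Where-Object { $_.Status -ne 'Valid' -and $_.Services -eq 'None' } |
    ForEach-Object {
        Write-Host "Removing $($_.Thumbprint) ($($_.Subject)), expired $($_.NotAfter)"
        Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false
    }
```

Users whose clients were already working are unaffected by the rebinding itself; what changes for everyone is which certificate the server presents, so clients that silently trusted the old self-signed certificate may be asked once to trust the new one, which is the "tell Outlook to install the cert" step the asker reports below.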
Damian Gardner

ASKER
I assigned them over. Do I need to reboot Exchange or anything for it to take effect?
Daryl Gawn

Should be fine without a reboot.
Damian Gardner

ASKER
OK. Looks like it works OK on mine, once I tell Outlook to install the cert. We'll see what happens with the network tomorrow. I'm the admin here. Thanks for your help, and I'll update the thread tomorrow.

Thanks!
Damian Gardner

ASKER
Morning. So it's much better: I have 2/3 green check marks on the security certificate screen that pops up. The only thing now is "The name on the certificate does not match the name of the site".
Daryl Gawn

I think that is because the cert will be called "Microsoft Exchange".

Do you have an internal PKI? If so, you could generate a cert with all subject alternative names (SAN) for all servers or addresses like smtp.domain.org, install it, and then assign the services etc. to it, and you shouldn't have the problem.
Hani M .S. Al-habshi

Damian Gardner

ASKER
Sorry for the delay. OK, let me read the article and see what I need to do. Thanks guys.
Damian Gardner

ASKER
Sorry for the delay, guys. I'm buried with other "fires" here this week. Will be getting back to this issue soon. Stand by!
Damian Gardner

ASKER
Sorry for the long delay. I read the article Hani suggested, and I believe I need to add the FQDN to our internal site's certificate; I am not sure how to do this, however. (I assume this is an internal IIS "site" it is referring to, and not our company's public website for customers.) So the name that is causing the error in Outlook is specifying the FQDN of our Exchange server, which is "exchange.lacoinc1.local"; that's what is named at the top of the certificate error. So where is the certificate that I need to add this FQDN to?

Here's the fix from the article:

"• Add the domain.com to your Public Facing Website's certificate. That way, Outlook makes a successful connection to https://domain.com, determines it's not Exchange, and will fallback to attempting autodiscover via https://autodiscover.domain.com. (Preferred Option for obvious secure reason)"

thanks guys
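Daryl's SAN-certificate suggestion and the asker's question of "where do I add this FQDN" come down to the same thing: the certificate Exchange presents must carry every hostname that Outlook, Autodiscover and ActiveSync are configured to use. The following is an added example, not from the thread or the linked article, that first reads those hostnames out of the Exchange 2010 virtual-directory and Autodiscover settings and then generates a certificate request covering all of them with New-ExchangeCertificate. The names (mail.contoso.com, autodiscover.contoso.com, the organisation in the subject) and the output path are placeholders; the server's own names such as exchange.lacoinc1.local would be discovered by the first step.

```powershell
# Added example (not from the thread): find every hostname clients are told to
# use, then request one SAN certificate that covers all of them, so the
# "name on the certificate does not match the name of the site" error goes away.
# Placeholders: mail.contoso.com, autodiscover.contoso.com, O=Contoso, C:\Temp paths.
# Run in the Exchange 2010 Management Shell.

# 1. Discover the names clients actually connect to. A gap between these URLs
#    and the certificate's subject/SANs is exactly what Outlook reports.
$urls = @()
$urls += (Get-ClientAccessServer            | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += (Get-WebServicesVirtualDirectory   | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-OwaVirtualDirectory           | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-ActiveSyncVirtualDirectory    | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-OabVirtualDirectory           | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })

# Unset ExternalUrl values come back empty; drop them before parsing.
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique
Write-Host "Hostnames the certificate must cover:"
$hosts

# 2. Generate a request for all of them. The subject is the primary name; the
#    rest go into the SAN list. A .local name can only be issued by an internal
#    CA (public CAs stopped issuing internal names in 2015), which is why the
#    internal PKI route was suggested in the thread.
$primary = 'mail.contoso.com'                               # placeholder
$san     = @($hosts) + @('autodiscover.contoso.com')        # placeholder: Autodiscover's public name
$san     = $san | Sort-Object -Unique

$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$primary, O=Contoso, C=US" `
    -DomainName $san `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName 'Exchange SAN certificate'

# New-ExchangeCertificate -GenerateRequest returns the PEM request as text.
Set-Content -Path 'C:\Temp\exchange-san.req' -Value $request

# 3. Submit C:\Temp\exchange-san.req to the CA. Once issued, import the
#    certificate and bind it (placeholder path and thumbprint):
#   Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\Temp\issued.cer' -Encoding Byte -ReadCount 0))
#   Enable-ExchangeCertificate -Thumbprint '<NEW-THUMBPRINT>' -Services IIS,SMTP,POP,IMAP
```

The discovery step is the direct answer to "where is the certificate that I need to add this FQDN to": there is no certificate to edit in place; the FQDN has to be in the SAN list of the certificate that is bound to IIS, and the internal URLs Exchange hands out decide which FQDNs that list must contain. After the new certificate is bound, the earlier expired or self-signed ones can be removed the same way as before.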
Damian Gardner

ASKER
Update: we will be moving to Exchange Online momentarily. Will this security certificate most likely vanish after that?