Exchange 2010 / Outlook 2010 environment. We applied updates to Exchange over the weekend, and now clients seem to be getting security certificate errors because of it. It may only be coincidental with an expiration date as well - can't be sure. But what we are seeing is a similar issue both with Outlook clients, as well as iPhone Exchange ActiveSync devices. The Outlook client shows an error saying "The security certificate has expired or is not yet valid". The iPhones give 2 different messages, depending on the person. One message is "Server is not trusted due to invalid certificate" and then allows the user to select "Continue" or "Trust", and they work fine after that. Others, however, do not get that option and say something to the effect of "Certificate has expired"; they aren't presented an option to continue or trust the server, and they're stuck. So - is this an issue on the client side, or on the server side, where I need to recreate the expired certificate? And if I do that, I assume it will upset the 90% of the users that are working. Thanks for your help.
Damian Gardner
8/22/2022 - Mon
Hypercat (Deb)
You need to identify what certificate is being seen as expired. A natural assumption given the behavior you described is that it would have to be a UCC/SAN certificate either self-signed or obtained from an outside provider like GoDaddy, DigiCert, etc.
You can find this out easily from the Exchange Management Shell with the following command: Get-ExchangeCertificate | FL. The result will be a list of all of the Exchange certificates that are installed and will show details about their application to various services, whether they're self-signed or not, and whether they are expired or valid. Once you find that out, you'll know which certificate is causing the problem and can go on to renewal steps from there.
Hypercat (Deb)
PS. If you need help analyzing the resulting list, copy and paste it into this thread and we can help you. You may want to be sure to change or erase any text that would expose potentially sensitive info, like your domain name, server names, etc.
What kind of update did you apply during the weekend? Also, check whether your Exchange certificates have expired or not. As the error indicates, the certificate has expired and you need to renew it again.
If the certificate has not expired on your Exchange server, do you have any HLB between client and server, where the certificate might have expired and need to be updated?
Daryl Gawn
As a start, open the Exchange Management Console and click on Server Configuration, scroll down through each server listed and check that the certs are valid (they have a blue tick on the icon next to the name).
Damian Gardner
ASKER
Sorry for the delay everybody. Here's what I see listed for certs on Exchange:
And I checked the server config, as suggested by Daryl, and I do see some expired certs. I took a screenshot and attached it. Exchange.rtf
Daryl Gawn
Right-click on the cert that is assigned to the services and renew it, and make sure the new one is assigned to the services IMAP, POP, IIS, SMTP; then both the invalid ones can be removed.
Damian Gardner
ASKER
OK. So I understand what will happen; will there be any effect on the users who do not seem to be having a problem with their Outlooks/iPhones?
When I right-click it, the options are Remove / Open / Help. Now - I see that there is a 3rd cert in there that is valid until 2023 - but no services are assigned to it. Do I simply need to assign services to it, and then remove the other two? You can see the valid one in the screenshot.
Daryl Gawn
Yes, assign the services to the valid one. How many servers do you have? Check the others to make sure they have valid certs. Transport servers need SMTP and CAS need IMAP, POP, IIS, but you might have the same server doing all roles?
I can't see the screenshot for some reason.
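The check Hypercat describes (Get-ExchangeCertificate | FL) and the reassignment Daryl describes can be done together from the Exchange Management Shell. The following is an added example, not code from anyone in this thread; it assumes a single Exchange 2010 server holding all roles, and the thumbprint is a placeholder to replace with the one the inventory shows as valid until 2023.

```powershell
# Added example (not from the thread): inventory the certificates Exchange 2010
# knows about, flag expired ones that still serve clients, move the services to
# a valid certificate, then remove the expired ones. Run in the Exchange
# Management Shell. 'PLACEHOLDER_THUMBPRINT' must be replaced before running.

$now = Get-Date

# 1. Inventory: the same data as "Get-ExchangeCertificate | FL", reduced to the
#    columns that matter for an expiry problem.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned,
        @{n='Expired'; e={ $_.NotAfter -lt $now }},
        @{n='Domains'; e={ ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ',' }} |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 2. An expired certificate that still has services bound is the one Outlook
#    and ActiveSync clients are warning about.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt $now -and $_.Services.ToString() -ne 'None' } |
    ForEach-Object {
        Write-Warning ("Expired certificate {0} is still bound to: {1}" -f $_.Thumbprint, $_.Services)
    }

# 3. Bind the services to the valid certificate. -Force suppresses the prompt
#    about replacing the default SMTP certificate.
$validThumbprint = 'PLACEHOLDER_THUMBPRINT'
Enable-ExchangeCertificate -Thumbprint $validThumbprint -Services IMAP,POP,IIS,SMTP -Force

# 4. Re-check, then remove only expired certificates that no longer list any
#    service. Anything still showing a service is left in place for review.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt $now -and $_.Services.ToString() -eq 'None' } |
    ForEach-Object {
        Write-Host ("Removing expired certificate {0}" -f $_.Thumbprint)
        Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false
    }
```

Clients that were already working keep working because the valid certificate is simply bound in place of the expired one; the only visible change is the one-time prompt to trust the new certificate where it is not already trusted.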
Damian Gardner
ASKER
Oh - yeah, it's just 1 server. Sorry you can't see the screenshot. What the valid one says is "this certificate is valid for Exchange Server usage", but under services it shows "none". Let me try assigning the services from the expired one over to the valid one. Then I should be able to safely remove the other two invalid ones, right?
OK. Looks like it works OK on mine, once I tell Outlook to install the cert. We'll see what happens with the network tomorrow. I'm the admin here. Thanks for your help and I'll update the thread tomorrow.
Thanks!
Damian Gardner
ASKER
Morning. So it's much better - I have 2/3 green check marks on the security certificate screen that pops up. The only thing now is "The name on the certificate does not match the name of the site".
Daryl Gawn
I think that is because the cert will be called "Microsoft Exchange".
Do you have an internal PKI? If so, you could generate a cert with all subject alternative names (SAN) for all servers or addresses like smtp.domain.org, install it, and then assign the services etc. to it, and you shouldn't have the problem.
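A SAN certificate request and installation, as Daryl suggests, looks like this from the Exchange Management Shell. This is an added example, not code from the thread; all host names, the organisation and the file paths are placeholders, and it assumes an internal CA will issue the certificate (an internal CA can include a .local name, which public CAs no longer issue).

```powershell
# Added example (not from the thread): request a SAN certificate covering every
# name clients connect with, so the "name does not match" warning stops, then
# import it and bind the Exchange 2010 services. All names/paths are placeholders.

$serverFqdn   = 'exchange.example.local'      # internal FQDN shown in the Outlook warning
$publicName   = 'mail.example.org'            # name used for OWA / Outlook Anywhere
$autodiscover = 'autodiscover.example.org'
$smtpName     = 'smtp.example.org'

# 1. Generate the CSR. The CN comes from -SubjectName; -DomainName supplies the
#    SAN list. Exchange 2010 returns the request as text, so write it to a file.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=$publicName" `
    -DomainName $publicName,$autodiscover,$smtpName,$serverFqdn `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path 'C:\certs\exchange.req' -Value $csr

# 2. After the CA has issued C:\certs\exchange.cer from that request, import it
#    and bind the services in one pipeline (-Force skips the SMTP default prompt).
$issued = [Byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $issued |
    Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP -Force

# 3. Verify that every name a client uses is actually on the new certificate.
$cert = Get-ExchangeCertificate |
    Where-Object { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $publicName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$cert | Format-List Thumbprint, NotAfter, Services, CertificateDomains

$onCert = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($name in $serverFqdn,$publicName,$autodiscover,$smtpName) {
    if ($onCert -notcontains $name) { Write-Warning "Name missing from certificate SANs: $name" }
}
```

Outlook compares the host name it connected to against the CN and SAN entries, so the internal FQDN from the warning dialog must be in that list as well as the public names.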
Sorry for the long delay. I read the article Hani suggested, and I believe I need to add the FQDN to our internal site's certificate - I am not sure how to do this, however. (I assume this is an internal IIS "site" it is referring to, and not our company's public website for customers.) So the name that is causing the error in Outlook is the FQDN of our Exchange server, which is "exchange.lacoinc1.local" - that's what is named at the top of the certificate error. So where is the certificate that I need to add this FQDN to?
Here's the fix from the article:
"Add the domain.com to your Public Facing Website's certificate. That way, Outlook makes a successful connection to https://domain.com, determines it's not Exchange, and will fall back to attempting autodiscover via https://autodiscover.domain.com. (Preferred Option for obvious secure reason)"
Thanks guys.
Damian Gardner
ASKER
Update - we will be moving to Exchange Online momentarily. Will this security certificate issue most likely vanish after that?