the security certificate has expired or is not yet valid in outlook 2007

Status
Not open for further replies.
J

Jaita

Hi, We have exchange server 2007 and outlook 2007 clients. After one year of installation we get the security warning " the security certificate has expired or is not yet valid" twice when we launch outlook 2007. I have checked the exchange certificates ( Get-ExchangeCertificate | fl in exchange management ) and in IIS certificates( server certificates ), but the expired certificate shown by outlook is not there. I also notice that I do not get this security warning when the default web site is stopped or when the www service is stopped.

How can I find where is this purticular certificate used on the server.

Regards

Jai
 
A

AndyD_ [MVP]

Has the certificate that you are using been enabled for all the necessary services on the CAS?

If you open up MMC on the server and add the certificates snap-in, so you see the certificate listed anywhere in the certificate store for that server?
 
S

Sembee [MVP]

When you get te certificate prompt you can choose to view the certificate. That may well show you where the certificate prompt is coming from. It could be that the client is connecting to a server that you aren't expecting as part of the autodiscover process.

Simon.
 
J

Jaita

Hi Andy, The certificate warning prompted while launching outlook shows that it is for the mail server(single server with mailbox, CAS & Hub Transport roles). When I list the certificates in exchange management shell, it is not available there. I can not see it any where in the certificates console as well. I tried even in the IIS server certificates and it is not there.

Regards

Jai
 
J

Jaita

The certificate warning prompted while launching outlook shows that it is from the mail server. When I stop the default web site on the exchange server, the certificate warning does not come. So it is confirmed that it is from the mail server.

Jai
 
G

Gen Lin

Hi,

To resolve this issue, you need to create a new certificate for exchange server.

If you are using a exchange self signed certificate, please follow these steps to create a new certificate:

Step 1: Delete the expired certificate:

a. Run get-exchangecertificate |fl , please note the Thumbprint number of the expired certificate, such as 5113ae0233a72fccb75b1d0198628675333d010e.

b. Run remove-exchangecertificate -thumbprint 5113ae0233a72fccb75b1d0198628675333d010e to delete this expired certificate.

Step 2: Generate a new exchange certificate

new-exchangecertificate

If You may get a prompt to overwrite the default SMTP certificate. type A to overwrite it.

Step 3: Enable this new certificate for the exchange services:

Enable-exchangecertificate -thumbprint <the new certificate you just created> -services:IIS,SMTP,POP,IMAP

More information, please refer the following link:

http://technet.microsoft.com/en-us/library/aa997231(EXCHG.80).aspx

Thanks
 
A

AndyD_ [MVP]

When you view the cert that is throwin the error from the client, what is the expiration date?
 
J

Jaita

Hi Gen Lin,

I cannot delete the expired certificate because I cannot see it when I run get-exchangecertificate |fl command.
 
J

Jaita

Hi Andy, The expiration date is 8/17/2010.

Also note that when I search for the thumbprint of the invalid certificate in the mail servers' registry I can see it under HKLM>Software>Microsoft>SystemCertificates>My>Certificates.
 
A

AndyD_ [MVP]

If you see it in the registry, then it should be viewable in the Personal Certificate store of the server viewed with the MMC/Certificates Snap-in .

Either way, I would remove the invalid cert. Just make sure you have a good one that you can reenable for the correct services if necessary or it removing it breaks something.
 
G

Gen Lin

Hi,

Did you run get-exchangecertificate |fl in exchange management shell.

What's result you got after running this command?



 
J

Jaita

Hi Andy & Gen Lin,

The problem is solved finally. Here is what I have done.

I have deleted the expired certificate from registry.

Created a new self signed certificate. noticed that this has only IMAP, POP and SMTP services. So I enabled this certificate for IIS as well. Now the security warning does not appear.

Thanks a lot for your help.

Regards

Jai
 
Status
Not open for further replies.
Top