Wednesday, September 30, 2009

The Security certificate has Expired or is not yet valid

Your users receive the following message when they open Outlook: “The Security certificate has Expired or is not yet valid”.


You also see the following errors in the Application event log of your mail server:

  • Event Type: Error
  • Event Source: MSExchangeTransport
  • Event Category: TransportService
  • Event ID: 12014
  • Date: Date
  • Time: Time
  • User: N/A
  • Computer: Server_Name
  • Description:

Microsoft Exchange couldn't find a certificate that contains the domain name Domain_Name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Server with a FQDN parameter of FQDN. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

  • Event Type: Warning
  • Event Source: MSExchangeTransport
  • Event Category: TransportService
  • Event ID: 12015
  • Date: Date
  • Time: Time
  • User: N/A
  • Computer: Server_Name
  • Description: An internal transport certificate expired.
  • Thumbprint: Thumb_Print_Value

Cause: the self-signed certificate that Exchange 2007 created at installation has expired. This is a known limitation of that certificate; see Microsoft TechNet article bb851554, quoted below.

Limitations of the Self-Signed Certificate

The following list describes some limitations of the self-signed certificate.

  • Expiration Date: The self-signed certificate expires 12 months after Exchange 2007 is installed. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
  • Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
  • Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
  • Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.

Solution:

Log on to the Exchange server and issue the following command from the Exchange Management Shell (EMS):

Get-ExchangeCertificate | FL


In the output, pay attention to Status, NotBefore and NotAfter, and copy the “Thumbprint” value of the expired certificate; you will need it for the next commands.

Now paste or type the following into EMS. Piping the existing certificate into New-ExchangeCertificate creates a new self-signed certificate with the same subject and domain names but a fresh validity period:

Get-ExchangeCertificate -Thumbprint 56BB128980C53883BBF09AA0281FBC6471FB04FE | New-ExchangeCertificate

Do not forget to replace the thumbprint with the one from your own Exchange server.


Type the letter “Y” when prompted.

Issue the following command once more and confirm that a new certificate appears with a valid Status and a NotAfter date one year ahead:

Get-ExchangeCertificate | FL


Now remove the old certificate with the command below, again using the thumbprint of the expired certificate (not the new one):

Remove-ExchangeCertificate -Thumbprint 56BB128980C53883BBF09AA0281FBC6471FB04FE
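The whole procedure above, together with the "enable for services" and FQDN checks that the event log text asks for, as one script. This is an added example and not the post's own commands: it assumes it is run from the Exchange Management Shell on the Exchange 2007 server, and the $DaysBeforeExpiry, $Services and $RemoveOld values are illustrative assumptions you should adjust.

```powershell
# Added example (not from the original post): renew self-signed Exchange 2007
# certificates that have expired or are about to expire.
# Assumptions: run inside the Exchange Management Shell on the Exchange 2007
# server; the three settings below are illustrative and site-specific.
$DaysBeforeExpiry = 30                 # renew when NotAfter is within this window
$Services         = "IIS,SMTP,POP,IMAP" # only the services actually in use
$RemoveOld        = $false             # flip to $true after Outlook/OWA are verified

$cutoff = (Get-Date).AddDays($DaysBeforeExpiry)

# 1. Inventory: the same data as "Get-ExchangeCertificate | FL", filtered to
#    self-signed certificates that are expired or expiring before the cutoff.
$expiring = Get-ExchangeCertificate | Where-Object {
    $_.IsSelfSigned -and ($_.NotAfter -lt $cutoff)
}

if ($expiring -eq $null) {
    Write-Host "No self-signed certificate expires before $cutoff; nothing to do."
    return
}

# FQDNs the transport service expects a certificate for. Event 12014 is logged
# when no certificate in the store matches a connector FQDN.
$connectorFqdns = @()
foreach ($rc in Get-ReceiveConnector) {
    if ($rc.Fqdn) { $connectorFqdns += $rc.Fqdn.ToString() }
}

foreach ($old in $expiring) {
    Write-Host ("Renewing {0} (Status={1}, NotAfter={2})" -f $old.Thumbprint, $old.Status, $old.NotAfter)

    # 2. Clone the certificate: same subject and domains, new validity period.
    #    -Confirm:$false answers the overwrite prompt that the post tells you
    #    to answer with "Y".
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint |
           New-ExchangeCertificate -Confirm:$false

    # 3. Enable the new certificate for every service explicitly, so the
    #    transport service and IIS pick it up (event 12014 suggests this step).
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $Services

    # 4. Verify that each connector FQDN is covered by the new certificate;
    #    otherwise STARTTLS stays unavailable and event 12014 recurs.
    $domains = @($new.CertificateDomains | ForEach-Object { $_.ToString() })
    foreach ($fqdn in $connectorFqdns) {
        if (-not ($domains -contains $fqdn)) {
            Write-Warning "New certificate $($new.Thumbprint) does not list connector FQDN $fqdn"
        }
    }

    # 5. Remove the expired certificate only once clients have been checked,
    #    so there is always a certificate left to fall back on.
    if ($RemoveOld) {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    }
}

# Final state for the change record.
Get-ExchangeCertificate | Format-List Thumbprint, Status, NotBefore, NotAfter, Services, CertificateDomains
```

Running it with $RemoveOld left at $false performs steps 1 to 4 and keeps the old certificate in the store, which is the safer order: confirm that Outlook and OWA no longer warn, then run it again with $RemoveOld set to $true (or issue Remove-ExchangeCertificate by hand) to clean up. The FQDN check is what catches a certificate that was generated with the server's short NetBIOS name rather than the name clients connect to.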

Oz Casey Dedeal,

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

Http://smtp25.blogspot.com (Blog)

Http://telnet25.spaces.live.com (Blog)

Http://telnet25.wordpress.com (Blog)

11 comments:

Anonymous said...

Nice fix! Thanks a lot!

Anonymous said...

Great, worked like a charm...
Now I get an error about the name being invalid. It looks like it used the internal NetBIOS name for our front-end server instead of the FQDN. Do you have any tips on that?

Antonio Ricaurte said...

Works perfectly. Maybe you should include that creating a new certificate also affects IIS: the web certificates also need to be updated, or else you won't be able to update the Address List.

Thanks a lot.

Anonymous said...

I deleted all the new certificates by mistake.

Now my OWA is not working. How do I resolve the issue? Please help me out.

Anonymous said...

I have the same issue for a user.
The security warning which the user is getting is from the cas server in another site and not from the local site CAS server.
I am concerned as to why would the outlook client get certificate error from another site? User mailbox is in local site server and not on remote mailbox server.
Any suggestions?

exchange 2007 certificate said...

Works like a treat. Thanks for going to the effort to post this information, it's much appreciated Oz.

Pat said...

I have followed all the steps and even deleted the old certificate. When I start Outlook 2010 I am still prompted twice with the "Security Alert": The security certificate has expired or is not yet valid. I only have one certificate when I run the Get-ExchangeCertificate | FL command. The status is valid and the dates are from NotBefore 5/19/2011 to NotAfter 5/19/2012. When I view the certificate on the Security Alerts the valid dates are from 12/30/2009 to 12/30/2010. Does anyone know why it is not reading the new & only certificate on the Exchange 2007 server? Please help me out on this.

jeffdb27 said...

I am having the same problem as Pat above. Certificate is valid and dates are good, but on client system it shows the old dates and says it is expired. Anyone? Thanks!

Anonymous said...

There is another step to this process.

Step 3: Enable this new certificate for the Exchange services (replace the placeholder with the thumbprint of the new certificate):

Enable-ExchangeCertificate -Thumbprint <new_certificate_thumbprint> -Services IIS,SMTP,POP,IMAP

Pat and Jeff, this should solve your issue.

Doug Ament said...

Thank you all so much. This issue was driving me crazy. I absolutely depend on the help you all give. Remember to include step three left by anonymous!!