Your users receive the following message when they open Outlook: “The security certificate has expired or is not yet valid”.
You also see the following errors on your mail server:
- Event Type: Error
- Event Source: MSExchangeTransport
- Event Category: TransportService
- Event ID: 12014
- Date: Date
- Time: Time
- User: N/A
- Computer: Server_Name
- Description:
Microsoft Exchange couldn't find a certificate that contains the domain name Domain_Name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Server with a FQDN parameter of FQDN. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
- Event Type: Warning
- Event Source: MSExchangeTransport
- Event Category: TransportService
- Event ID: 12015
- Date: Date
- Time: Time
- User: N/A
- Computer: Server_Name
- Description:
An internal transport certificate expired.
Thumbprint: Thumb_Print_Value
Cause: the internal self-signed certificate used by Exchange has expired because of a built-in limitation of that certificate; see Microsoft article bb851554:
Limitations of the Self-Signed Certificate
The following list describes some limitations of the self-signed certificate.
- Expiration Date: The self-signed certificate expires 12 months after Exchange 2007 is installed. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
- Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
- Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
- Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.
Solution:
Log on to the Exchange server and issue the following command from the Exchange Management Shell (EMS):
Get-ExchangeCertificate | FL
Pay attention to the Status and the NotBefore/NotAfter dates; you will also need to copy the “Thumbprint” of the expired certificate.
Now paste or type the following into EMS, which clones the expired certificate into a new one with the same subject and domain names:
Get-ExchangeCertificate -Thumbprint 56BB128980C53883BBF09AA0281FBC6471FB04FE | New-ExchangeCertificate
Do not forget to replace the thumbprint with the one that corresponds to your own Exchange server.
Type “Y” when prompted.
Issue once more:
Get-ExchangeCertificate | FL
Now get rid of the old certificate with the following command, using the old certificate's thumbprint:
Remove-ExchangeCertificate -Thumbprint 56BB128980C53883BBF09AA0281FBC6471FB04FE
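The procedure above as one script, added here as an example and not part of the original post. It is assumed to run in the Exchange Management Shell on the Exchange 2007 server; the 30-day window, the service list and the -RemoveOld switch are choices made for this example, and it also enables the new certificate for the services, the step the comments below point out is missing.

```powershell
# Added example, not from the original post: renew an expired (or soon to expire)
# Exchange 2007 self-signed certificate end to end from the Exchange Management
# Shell. Assumes it runs in EMS on the server; DaysWarning, the service list and
# the -RemoveOld switch are choices made here, not settings taken from the post.
param(
    [int]$DaysWarning = 30,
    [string[]]$Services = @('SMTP', 'IIS', 'POP', 'IMAP'),
    [switch]$RemoveOld
)

$now = Get-Date

# 1. Detection: surface the 12014/12015 transport events the post describes.
Get-EventLog -LogName Application -Source MSExchangeTransport -After $now.AddDays(-7) |
    Where-Object { @(12014, 12015) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message | Format-Table -Wrap

# 2. Candidates: self-signed certificates already expired or inside the window.
$candidates = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt $now.AddDays($DaysWarning) }

if (-not $candidates) {
    Write-Host "No self-signed Exchange certificate expires within $DaysWarning days."
    return
}

foreach ($old in $candidates) {
    Write-Host ("Renewing {0}: NotAfter {1:yyyy-MM-dd}, services {2}" -f $old.Thumbprint, $old.NotAfter, $old.Services)

    # 3. Clone the old certificate (same subject and domain names) into a new one.
    #    Answer Y if EMS asks whether to overwrite the default SMTP certificate.
    $new = $old | New-ExchangeCertificate
    if (-not $new) { Write-Warning "New-ExchangeCertificate returned nothing"; continue }

    # 4. Bind the new certificate to the services so transport and IIS actually use it;
    #    without this step Outlook and OWA keep presenting the old certificate.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $Services

    # 5. Only drop the old certificate once the new one is in place and enabled.
    if ($RemoveOld) {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    }
}

# 6. Verify, as the post does, that status, dates and bound services now look right.
Get-ExchangeCertificate |
    Format-List Thumbprint, Status, IsSelfSigned, NotBefore, NotAfter, Services
```

Run it once without -RemoveOld, confirm Outlook no longer warns, then run again with -RemoveOld to clean up the expired certificate.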
oz Casey Dedeal,
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
11 comments:
Nice fix! Thanks a lot!
Great, worked like a charm...
Now I get an error about the name being invalid. It looks like it used the internal NetBIOS name for our front end server instead of the FQDN. Do you have any tips on that?
Works perfectly. Maybe you should include that creating a new certificate also affects IIS: the web certificates also need to be updated or else you won't be able to update the Address List.
Thanks a lot.
I deleted all the new certificates by mistake.
Now my owa is not working. How to resolve the issue. Please help me out.
I have the same issue for a user.
The security warning which the user is getting is from the cas server in another site and not from the local site CAS server.
I am concerned as to why would the outlook client get certificate error from another site? User mailbox is in local site server and not on remote mailbox server.
Any suggestions?
Works like a treat. Thanks for going to the effort to post this information, it's much appreciated Oz.
I have followed all the steps and even deleted the old certificate. When I start Outlook 2010 I am still prompted twice with the "Security Alert": The security certificate has expired or is not yet valid. I only have one certificate when I run the Get-ExchangeCertificate | FL command. The status is valid and the dates are from NotBefore 5/19/2011 to NotAfter 5/19/2012. When I view the certificate on the Security Alert the valid dates are from 12/30/2009 to 12/30/2010. Does anyone know why it is not reading the new & only certificate on the Exchange 2007 server? Please help me out on this.
I am having the same problem as Pat above. Certificate is valid and dates are good, but on client system it shows the old dates and says it is expired. Anyone? Thanks!
There is another step to this process.
Step 3: Enable this new certificate for the Exchange services (replace <Thumbprint> with the thumbprint of the new certificate):
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services:IIS,SMTP,POP,IMAP
Pat and Jeff, this should solve your issue.
Thank you all so much. This issue was driving me crazy. I absolutely depend on the help you all give. Remember to include step three left by anonymous!!