The received certificate has expired
-
Tuesday, September 04, 2012 7:59 AM
We have an Exchange 2007 setup with 2 mailbox servers configured with CCR, 2 hub/cas servers configured with NLB, an Edge Server & a Forefront TMG 2010 for OWA & EAS publishing. Our SSL certificate expired and we had renewed it with our external CA. Based on advice from our solution provider, who had done the upgrade from Exchange 2003 to Exchange 2007, I did the following:
1. Generated a CSR from one of the CAS servers
2. Sent the CSR to the external CA for issuing the certificate
3. Imported the certificate on the CAS server
4. Exported the certificate as a .pfx file
5. Imported the certificate on TMG 2010
Once the original certificate expired, users were not able to access OWA. I configured the Firewall policy rule to use the newly configured certificate, but while trying to test the rule I was getting the following error:
Category: Destination server certificate error
Error details: 0x80090328 - The received certificate has expired.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965
If I configure the rule to use the server from which I generated the CSR, it works fine, but when I use the Virtual IP address of the NLB array, it fails with the above error.
Kindly let me know how I can fix this issue.
Fazal Ur Rehman Shah | Senior Consultant
- Edited by Fazal Ur Rehman Tuesday, September 04, 2012 7:59 AM
All Replies
-
Tuesday, September 04, 2012 12:31 PM
On one occasion I have seen this issue before. In my case it was solved by restarting the Firewall Service, although I must say that should not be the solution.
You have linked the renewed certificate on the Web Listener in TMG, which is good. But are you using SSL on the internal server as well? If so, are you sure you have linked the new certificate to that service?
Boudewijn Plomp, BPMi Infrastructure & Security
-
Tuesday, September 04, 2012 12:48 PM
We are not using the certificate internally. Users use Outlook 2007/2010 inside the network, while remote users mostly use OWA and some who use laptops use Outlook Anywhere.
Fazal Ur Rehman Shah | Senior Consultant
-
Tuesday, September 04, 2012 12:56 PM
Yeah, to be honest, it sounds like you simply missed a step. One or more of the certs have not been loaded to the servers. Each and every server that is using SSL must be updated. Also remember that if you're using an SSL cert in IIS it must contain the key within the cert! So when you open the cert to view it, at the bottom you should see "You have a private key that corresponds to this certificate". Otherwise IIS doesn't care about it at all. If you DO NOT have the key within the cert, you can add it by importing both the cert and the private key into a .pfx, then import it into IIS and it will extract the cert with its key:
openssl pkcs12 -export -in /path/to/ssl-cert.crt -inkey /path/to/private.key -certfile /path/to/intermediate-ca.crt -out cert-export.pfx
Then
Import certificate in IIS 7
1. Open the IIS Manager
2. Select the server to manage on the left, double-click on 'Server Certificates' on the right
3. Under Actions, click 'Import'
4. Click the '...' button and browse to the .pfx file copied to the server in Step 1, select the .pfx file and click 'Open'
5. Type the password specified when exporting the certificate in Step 1, select the option box 'Allow this certificate to be exported' and click 'OK'
After that, the only thing to do is bind the cert to whatever sites you need it on.
Binding certificate to the web site:
1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
2. Browse to Server Name > Sites > Your SSL-based site
3. From the Actions pane, choose Bindings
4. In the Site Bindings window, choose Add
5. From the Add Site Bindings window, provide the binding type
6. Select the SSL certificate that will be used for this site
7. Click OK
Once you have completed this task, you need to import the .pfx into the TMG box: MMC - Certificates - Machine account - Local Machine - Import the .pfx into "Personal". Then go to the TMG Console, select the web listeners that need to have this new cert, and be sure to change the SSL cert to the new cert within the listener. After that you should be good to go!!
- Marked As Answer by Fazal Ur Rehman Tuesday, September 04, 2012 1:16 PM
-
Tuesday, September 04, 2012 1:06 PM
I can see the certificate with "You have a private key that corresponds to this certificate" in the bottom and have changed the SSL certificate to the new certificate within the listener too.
The issue has been resolved. The SSL certificate was not bound on the other Hub/CAS. After binding & restarting the service, TMG 2010 can now point to the Hub/CAS Virtual IP Address. Thanks for the support.
Fazal Ur Rehman Shah | Senior Consultant
- Edited by Fazal Ur Rehman Tuesday, September 04, 2012 1:16 PM
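The root cause above (one NLB member still serving the expired certificate while the other had the renewed one) is easy to miss when every test goes through the Virtual IP. The script below is an added example for this thread, not code from any of the posters: it handshakes with each array member directly, keeps chain verification on so an expired certificate fails the same way TMG reports it, and flags members that disagree on which certificate they serve. The host names are placeholders, and the SAMPLE_RESULTS block is constructed data so the audit logic runs offline.

```python
"""Check each NLB member of a CAS array individually for the certificate it
serves. Added example for this thread, not code from any of the posters.
Host names used here are placeholders."""
from __future__ import annotations

import socket
import ssl
import sys
from datetime import datetime, timezone


def days_until_expiry(not_after: str, now: datetime | None = None) -> float:
    """Days between `now` (UTC) and an OpenSSL-style notAfter string such as
    'Sep  4 07:59:00 2012 GMT'. Negative means the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds() / 86400.0


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with one node directly, bypassing the VIP, and record what it
    serves. Chain verification stays on so an expired or untrusted certificate
    shows up as the same kind of failure TMG reports; only the hostname check
    is relaxed because the node's own name differs from the published name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"serial": cert.get("serialNumber", "?"), "notAfter": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"error": exc.verify_message}  # e.g. "certificate has expired"
    except OSError as exc:
        return {"error": str(exc)}


def audit(results: dict[str, dict], now: datetime | None = None, warn_days: int = 30) -> list[str]:
    """Turn per-node probe results into findings. An empty list means every
    node serves the same, unexpired certificate."""
    findings: list[str] = []
    serials: set[str] = set()
    for host, info in sorted(results.items()):
        if "error" in info:
            findings.append(f"{host}: handshake failed: {info['error']}")
            continue
        serials.add(info["serial"])
        days = days_until_expiry(info["notAfter"], now)
        if days < 0:
            findings.append(f"{host}: certificate expired {-days:.0f} day(s) ago ({info['notAfter']})")
        elif days < warn_days:
            findings.append(f"{host}: certificate expires in {days:.0f} day(s) ({info['notAfter']})")
    if len(serials) > 1:
        findings.append(f"nodes do not all serve the same certificate: serials {sorted(serials)}")
    return findings


# Constructed sample (not captured from a real system): node 1 already serves
# the renewed certificate, node 2 still presents the expired one, so the VIP
# fails whenever NLB hands the connection to node 2.
SAMPLE_RESULTS = {
    "cas01.example.internal": {"serial": "1A2B3C", "notAfter": "Sep  4 07:59:00 2013 GMT"},
    "cas02.example.internal": {"error": "certificate has expired"},
}
SAMPLE_NOW = datetime(2012, 9, 4, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    hosts = sys.argv[1:]  # pass each array member's own name or address, not the VIP
    if hosts:
        findings = audit({h: probe(h) for h in hosts})
    else:
        findings = audit(SAMPLE_RESULTS, now=SAMPLE_NOW)
    for line in findings or ["all nodes serve the same valid certificate"]:
        print(line)
```

Run it with the individual node names (`python check_nodes.py cas01.example.internal cas02.example.internal`) from a machine that trusts the external CA; with no arguments it audits the constructed sample. Probing each member rather than the VIP is the point: a load balancer can make a half-renewed array look healthy for as long as it happens to hand your test to the updated node.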
-
Tuesday, September 04, 2012 1:21 PM
Also, did you remember to import the cert into Exchange? Silly question, but sometimes it is missed...
Open EMS (Exchange Management Shell)
Import-ExchangeCertificate -path c:\path\cert.p7b | Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP