Finding / managing / removing individual user email certificates

    Question

  • Recently, I had received a bunch of cases regarding users not showing up in the GAL, and I know how to fix this, but it's something that seemed to happen more and more lately. I set the event log level to expert and regenerate the OAB, and I see lots of 9323 errors "Entry has invalid or expired e-mail certificates.  These certificates will not be included in the offline address list for '\Global Address List'"

    Easy enough to fix, but the last time I checked I had literally DOZENS. So I am asking a couple of long-term questions.

    1. Is there a way through PowerShell (or EMS) to find users who have individual email certificates on their AD object / mailbox, IDEALLY showing the certificate expiration date and/or current state (expired or not)?

    2. I have an issue where some mail CONTACTS have certificates. How do you remove a certificate from a mail contact? These contacts were created using the IIFP / GAL sync from a corporate partner, and I have not had any luck with getting them to fix the issue on their side, so HOW do I remove the certificate from a CONTACT?

    3. Is there a way to remove expired certificates through PowerShell or the EMS?

    We are Exchange 2007 SP3 UR5, running on Server 2003 R2 SP2, 2003 Native AD, 2003 DCs, if that matters.

    Thanks in advance...

    Wednesday, December 21, 2011 8:29 PM

All replies

  • hi,

    To view the cert state in Exchange you can use the cmdlet Get-ExchangeCertificate | FL. It will give you all the information about the Exchange cert, and to remove it you can use Remove-ExchangeCertificate. But for your question, I think the EMS or EMC can't help. It seems you should use the tools of AD, not Exchange, such as ADSIEdit; this tool can be used to view the information in AD. You can try. I also will try my best to find a solution and then post here.

    thanks,

    castin

    Saturday, December 24, 2011 11:42 PM
  • Hi,

     Check this out :-

     http://support.microsoft.com/kb/555894


    Regards Sushantgharpure
    Tuesday, December 27, 2011 10:55 AM
  • Yea, that's not quite what I am after. Get-ExchangeCertificate is for Exchange; I am looking at individual user/contact certs. Certainly there is a mechanism other than ADSI Edit to do this.
    Thursday, December 29, 2011 6:19 PM
  • That has absolutely nothing to do with my issue.
    Thursday, December 29, 2011 6:19 PM
  • hi,

    try this:

    go to Active Directory Users and Computers\User properties\Published Certificates; if you don't see the tab, enable Advanced Features in the ADUC console.

    hope this can help you.

    thanks,

    castin

    • Proposed as answer by Manuel Alves Monday, October 22, 2012 8:41 AM
    Friday, December 30, 2011 9:54 AM
  • You can't do that for mail contacts. There is no certificates tab for contacts. I know you can do that for regular user accounts, but not contacts.
    Saturday, December 31, 2011 6:27 PM
  • hi,

    try to do this:

    click start>input certmgr.msc in the cmdline>personal>certificate

    hope this can help you

    thanks,

    castin

    Tuesday, January 03, 2012 8:58 AM
  • No, that did not work. If it was for my personal certificate, I could, but not for AD contacts in my domain.
    Wednesday, January 04, 2012 6:18 PM
  • I know this is an old question, but I'll just answer in case someone else finds this thread through a search engine like I did.

    For a contact you can either use ADSIEdit or the Attribute Editor tab in ADUC. Then clear the userCertificate attribute.



    Thursday, March 14, 2013 10:16 AM
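    An added example, not posted by anyone in this thread, that does in PowerShell what the question asks for in points 1 and 3 and the last answer does by hand for contacts: it searches the directory for mail-enabled users and contacts carrying a userCertificate value, decodes each certificate to show its expiry and state, and with the hypothetical -RemoveExpired switch rewrites the attribute keeping only the unexpired values. It uses System.DirectoryServices rather than the ActiveDirectory module, so it runs against 2003-era DCs from any domain-joined machine; the LDAP filter and switch name are my own choices.

```powershell
# Added example: list (and optionally prune) expired certificates published on
# AD users and mail contacts. Dry run unless -RemoveExpired is given.
param(
    [switch]$RemoveExpired
)

# DirectorySearcher with no SearchRoot searches the current domain from its root.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
# Users or contacts that are mail-enabled and have at least one published certificate
$searcher.Filter   = "(&(|(objectClass=user)(objectClass=contact))(mail=*)(userCertificate=*))"
$searcher.PageSize = 500   # paged results so large GALs are not truncated
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "mail", "userCertificate"))

$now = Get-Date
foreach ($result in $searcher.FindAll()) {
    $dn      = $result.Properties["distinguishedname"][0]
    $mail    = $result.Properties["mail"][0]
    $valid   = @()
    $expired = @()

    # userCertificate is multi-valued; each value is a DER-encoded certificate
    foreach ($raw in $result.Properties["usercertificate"]) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
        } catch {
            # A value that does not decode is one the OAB generator will also reject
            Write-Warning "$dn : undecodable userCertificate value"
            continue
        }
        $state = if ($cert.NotAfter -lt $now) { "EXPIRED" } else { "valid" }
        "{0,-40} {1,-8} expires {2:yyyy-MM-dd}  {3}" -f $mail, $state, $cert.NotAfter, $cert.Subject
        if ($state -eq "EXPIRED") { $expired += ,$raw } else { $valid += ,$raw }
    }

    if ($RemoveExpired -and $expired.Count -gt 0) {
        # Rewrite the attribute with only the unexpired values (clears it if none remain)
        $entry = $result.GetDirectoryEntry()
        $entry.Properties["userCertificate"].Clear()
        foreach ($v in $valid) { [void]$entry.Properties["userCertificate"].Add($v) }
        $entry.CommitChanges()
        Write-Host "$dn : removed $($expired.Count) expired certificate(s), kept $($valid.Count)"
    }
}
```

    Expiry is only one of the reasons the 9323 event gives; a certificate that is unexpired but otherwise unusable is reported here as a warning at most, not removed. For contacts populated by the partner's IIFP / GAL sync, the attribute will be written back on the next sync cycle unless the source side is fixed.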