The Security certificate has Expired or is not yet valid

    Question

  • When I open Outlook I am getting the error message "The Security certificate has Expired or is not yet valid" (for the Hub and CAS server)

    Here's the log details (application log in Exchange CAS and Hub server)

    Event ID: 12014

    Description : Microsoft Exchange could not find a certificate that contains the domain name CA01.test.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Receive  CA01.test.local with a FQDN parameter of CA01.test.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    And I run Get-ExchangeCertificate | FL

    There are 3 certificates but none of them are expired. At the same time I could see 5 certificates in the registry (HKLM>Software>Microsoft>SystemCertificates>My>Certificates).

    Is there a way to check the certificate validity by thumbprint?

    Please help


    Tuesday, June 07, 2011 3:14 PM

Answers

  • On Thu, 9 Jun 2011 17:33:06 +0000, supportsib wrote:
     
    >I think I misled you all, sorry for that
    >
    >I open MMC on the CAS server and added the certificate snap-in to find out the expired certificates, but I could not find any expired certificate there. But I could find 5 entries in registry. So I think still the entry for expired certificates exists in the registry, and it might be the cause of the problem
     
    When you added the Certificates snap-in to the MMC did you select
    "Computer Account" on the 1st dialog box and "Local Computer" on the
    2nd dialog box?
     
    The certificates you should be looking for are in the "Personal >
    Certificates" container. Certificates in Trusted Root Certification
    Authorities or Intermediate Certification Authorities may also be
    expired so check to be sure the CA that issued your cert, and any CAs
    in the chain of trust, haven't expired.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, June 10, 2011 1:35 AM

All replies

  • On Tue, 7 Jun 2011 15:14:59 +0000, supportsib wrote:
     
    >When I open Outlook I am getting the error message "The Security certificate has Expired or is not yet valid" (for the Hub and CAS server)
     
    When you use OWA do you get a certificate warning? If so, look at the
    certificate details and see which one is being used. It's probably the
    same one used for Outlook Anywhere.
     
    >
    >Here's the log details (application log in Exchange CAS and Hub server)
    >
    >Event ID: 12014
    >
    >Description : Microsoft Exchange could not find a certificate that contains the domain name CA01.test.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Receive CA01.test.local with a FQDN parameter of CA01.test.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
     
    That's not telling you about an expired certificate, it's telling you
    that there's no certificate in the machine name's certificate store
    that has a CN or SAN that matches "ca01.test.local"
     
    >And I run Get-ExchangeCertificate | FL
    >
    >There are 3 certificates but none of them are expired.
     
    Start with the problem identified in the event 12014. Which of the
    certificates is enabled for SMTP? If they don't have the name
    ca01.test.local in them then get a certificate to match the way your
    machine's configured, load it into the local server's certificate
    store and use enable-exchangecertificate to start using it.
     
     
    >At the same time I could see 5 certificates in the registry
    >(HKLM>Software>Microsoft>SystemCertificates>My>Certificates).
    >
    >Is there a way to check the certificate validity by thumbprint?
     
    The "fl" output for each certificate would tell you if the
    certificate's valid.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, June 08, 2011 1:59 AM
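
The checks discussed in this thread, as an added PowerShell example that is not from any poster: it lists every certificate in the Local Computer personal store (Cert:\LocalMachine\My) by thumbprint with its validity dates, whether its CN or a SAN matches the FQDN named in event 12014, and the status of its chain. It assumes an English-language Windows, because the SAN text label is localized, and it goes beyond the thread by building the chain in code instead of browsing it in the MMC.

```powershell
# Added example. Run elevated on the CAS/Hub server.
# $Fqdn defaults to the connector FQDN quoted in event 12014 on this page.
param([string]$Fqdn = 'CA01.test.local')

$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Names the certificate can match: subject CN plus SAN DNS entries.
    # Assumption: English-language Windows, where SAN entries format as "DNS Name=...".
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # Build the chain so an expired issuing or root CA shows up as NotTimeValid.
    # Revocation lookups are skipped to keep the check offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        TimeValid     = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        # -like lets a wildcard name such as *.test.local act as a pattern
        # (looser than strict TLS wildcard matching).
        MatchesFqdn   = [bool]($names | Where-Object { $Fqdn -like $_ })
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
} | Format-List Thumbprint, Subject, NotBefore, NotAfter, TimeValid,
                HasPrivateKey, MatchesFqdn, ChainStatus

# In the Exchange Management Shell, show which certificate each service uses.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate |
        Format-List Thumbprint, Services, NotBefore, NotAfter, CertificateDomains
}
```

A certificate that is TimeValid, has a private key and shows MatchesFqdn as True is a candidate for the Enable-ExchangeCertificate -Services SMTP step that the event text describes.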
  • Hi Rich, thanks for your reply

    Get-ExchangeCertificate | FL when I run EMC, I could find only 3 certificates with expired date and all

    but in the registry there are more thumbprints (5 No's), but it won't give any details

    >When you use OWA do you get a certificate warning?

    No, OWA users are not getting any security warning, only Outlook users

    Wednesday, June 08, 2011 4:14 PM
  • On Wed, 8 Jun 2011 16:14:43 +0000, supportsib wrote:
     
    >Get-ExchangeCertificate | FL when I run EMC, I could find only 3 certificates with expired date and all
     
    Well, use the certificates snap-in in the MMC and remove the expired
    certificates from the local machine account's certificate store.
    Keeping them just confuses things.
     
    >but in the registry there are more thumbprints (5 No's), but it won't give any details
     
    Why are you using regedit when there's a perfectly good MMC snap-in
    that's a lot easier to use and abstracts all the ugly stuff?
     
    >>When you use OWA do you get a certificate warning?
     
    >No, OWA users are not getting any security warning, only Outlook users
     
    How many places in IIS do you have certificates installed? Use the IIS
    manager snap-in and see what certificates are installed on which
    virtual directories. It sounds like you have more than one.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, June 08, 2011 11:53 PM
  • Hello,

    Open MMC on the CAS server and add the certificate snap-in.

    Find the expired certificate and remove it.

    Thanks,
    Simon

    Thursday, June 09, 2011 10:08 AM
  • I think I misled you all, sorry for that

    I open MMC on the CAS server and added the certificate snap-in to find out the expired certificates, but I could not find any expired certificate there. But I could find 5 entries in registry. So I think still the entry for expired certificates exists in the registry, and it might be the cause of the problem

    Thursday, June 09, 2011 5:33 PM