SSL certificate for 'SBS Web Applications' has expired/ Certificate expiration question


  • I visited a client's server today to do regular maintenance and only two users asked me about a security prompt when opening outlook. It was a certificate expiration error but I forgot to get a screenshot of it. On the server I noticed this error (started on 6/30/2010, near the same day that their motherboard failed):

    "Active Directory Certificate Services denied request 109 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=server.domain.local.  Additional information: Error Constructing or Publishing Certificate"

    I ran the SBS BPA and saw a certificate has expired but it says: "The SSL certificate for 'SBS Web Applications' expired on 7/10/2010. Users might not be able to connect to the server."

    When I visit the CA snap-in in server manager, the first section (name escapes me right now) has a red X next to the self-signed cert saying that it was unable to contact or download the CRL. I tried a few things found using google but the errors in the eventvwr still shows but the clients don't get the error anymore or at least not anymore today. In the CA trusted root the certificate is not listed as expired.


    If I visit the certsrv website it shows a 404 that the page cannot be found. It has the physical path as c:\inetpub\wwwroot\certsrv (IIRC) on the web page but in explorer there is no folder but I'd need to create a virtual machine to verify the correct path.

    Any ideas?

    Server is

    HP ML350 G5

    SBS 2008 Premium

    Quad core Xeon

    8GB RAM

    RAID 5

    Plenty of free space

    New windows updates have not been applied; I was hoping to see if I could resolve this issue before moving on or finding out what this error means.

    Thursday, July 22, 2010 7:40 PM

All replies

  • Do you have a 3rd party certificate or a Self signed certificate?

    I suggest you run the Install a Trusted Certificate wizard again and re-import the correct certificate.

    Also make sure you have the latest Exchange Rollups installed.



    Regards, Boon Tee - PowerBiz Solutions, Australia
    Friday, July 23, 2010 12:11 AM
  • I don't have a 3rd part cert, just the default self-signed cert from installation. I did rerun the install a trusted cert wizard but it didn't seem to help that I can tell. Granted, the users didn't get the same error in outlook as they previously did but I haven't had a chance to rerun the SBS BPA today to see if the same cert is expired still.
    Friday, July 23, 2010 6:57 PM
  • bump...anyone?
    Monday, July 26, 2010 4:17 PM
  • Run the wizard and create a new certificate.

    With the low cost of decent intermediate certificates, I would recommend that you purchase one. They generally cost about $10-$15 per year.


    Regards, Boon Tee - PowerBiz Solutions, Australia
    Thursday, July 29, 2010 3:22 AM
  • Did you rerun the SBS BPA?

    As Boon wrote, the cost of a 3rd part cert is fairly inexpensive, and is often required to work with some of the newer cell phones.

    Here is a link for step-by-step instructions on how to install a 3rd party certificate ($25 from GoDaddy) onto an SBS 2008 server:

    -Kevin Weilbacher (SBS MVP)
    "The days pass by so quickly now, the nights are seldom long"
    KW Support MVP Blog
    MVP's do NOT work for Microsoft. We give our time freely to support the SBS community!
    Saturday, July 31, 2010 12:59 PM