locked
OWA Certificate detail - sometimes correct, sometimes wrong RRS feed

  • Question

  • Hi,

    Please help, there is a weird behaviour on our webmail.

    Our SSL is valid and signed by Entrust.

    SOmetimes,if users are trying to access the webmail, the info on the certificate is wrong. Prompting the user that the site is not safe.

    Sometimes, if you just refresh the page, it will get the valid certificate (with the padlock).

    Im not sure if the problem is with entrust or with us?

    Thanks in advance

    Friday, January 24, 2020 4:56 AM

Answers

  • Here is a brief summary about replies above, hope more people can get useful information from it.

    Issue Symptoms:

    Our SSL is valid and signed by Entrust.

    Sometimes,if users are trying to access the webmail, the info on the certificate is wrong. Prompting the user that the site is not safe.

    Sometimes, if you just refresh the page, it will get the valid certificate (with the padlock).

    Possible Cause:

    An old and expired certificate is used.

    Troubleshooting Steps so far:

    Please make sure the certificate is added to the trusted root certificate store on all client computers.

    Use the following command to check your certificate, and make sure it's valid:

    Get-ExchangeCertificate|fl

    Next Step:

    Please try to renew this expired certificate. Then use the new and valid certificate to check if the issue persists.

    If you already have a new certificate, please remove the old certificate from the trusted root certificate store, and make sure the new cert is trusted by the client side.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Marked as answer by cm05 Wednesday, February 26, 2020 2:07 AM
    Wednesday, February 5, 2020 6:10 AM

All replies

  • Can you please make sure such users to log off and reboot machine and login to domain

    it seems that their OS is not updated with trusted SSL cert in personal store


    Vinny | Freelancer | Azure Solutions Architect Expert| Office 365 Enterprise Administrator| Microsoft 365 Certified: Messaging Administrator Associate| ITILV3 | PMP

    Friday, January 24, 2020 5:45 AM
  • Thank you I will try that
    Friday, January 24, 2020 5:54 AM
  • Also, if you have multiple Exchange servers, make sure that all servers have the certificate installed and configured as the default certificate for IIS.


    Robert Sparnaaij [MVP-Outlook]
    Outlook guides and more: HowTo-Outlook.com
    Outlook Quick Tips: MSOutlook.info

    Friday, January 24, 2020 7:03 AM
  • We checked and all certificate is installed on all exchange servers
    Friday, January 24, 2020 8:40 AM
  • When looking at the certificate, what exactly does it report to be wrong with it?


    Robert Sparnaaij [MVP-Outlook]
    Outlook guides and more: HowTo-Outlook.com
    Outlook Quick Tips: MSOutlook.info

    Friday, January 24, 2020 11:03 PM
  • Hi,

    What's the type of the certificate?

    Do all users have this issue when use OWA? Did you make any modification before this issue?

    As is mentioned above, please make sure the certificate is added to the trusted root certificate store on all client computers.

    Use the following command to check your certificate, and make sure it's valid:

    Get-ExchangeCertificate|fl


    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, January 27, 2020 7:33 AM
  • It shows the old expired certificate.

    This is the ssl certificate when we use webmail. The certificate is installed on our firewall.

    We did some testing on the user, the invalid certificate prompted after opening outlook 2016.

    The details on the certificate is showing wrong info: old and expired certificate.

    We tried to validate it using the ssl-hopper.com. The info on ssl hopper is correct.

    So, we are note sure how it was getting an old certificate

    Monday, January 27, 2020 7:46 AM
  • Please try to renew this expired certificate. Then use the new and valid certificate to check if the issue persists.

    If the certificate was issued by an internal CA or a commercial CA, you have to create a certificate renewal request, and then you send the request to the CA. The CA then sends you the actual certificate file that you need to install on the Exchange server. The procedure is nearly identical to that of completing a new certificate request by installing the certificate on the server.

    If you already have a new certificate, please remove the old certificate from the trusted root certificate store, and make sure the new cert is trusted by the client side.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, January 28, 2020 8:58 AM
  • Just checking in to see if above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, January 31, 2020 8:59 AM
  • Here is a brief summary about replies above, hope more people can get useful information from it.

    Issue Symptoms:

    Our SSL is valid and signed by Entrust.

    Sometimes,if users are trying to access the webmail, the info on the certificate is wrong. Prompting the user that the site is not safe.

    Sometimes, if you just refresh the page, it will get the valid certificate (with the padlock).

    Possible Cause:

    An old and expired certificate is used.

    Troubleshooting Steps so far:

    Please make sure the certificate is added to the trusted root certificate store on all client computers.

    Use the following command to check your certificate, and make sure it's valid:

    Get-ExchangeCertificate|fl

    Next Step:

    Please try to renew this expired certificate. Then use the new and valid certificate to check if the issue persists.

    If you already have a new certificate, please remove the old certificate from the trusted root certificate store, and make sure the new cert is trusted by the client side.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Marked as answer by cm05 Wednesday, February 26, 2020 2:07 AM
    Wednesday, February 5, 2020 6:10 AM