The Security certificate has Expired or is not yet valid in Exchange 2013 RRS feed

  • Question

  • Hi,

    We have a exc2010(cas,hub,mbx) and a exc2013 CU2(cas,mbx) in our environment.
    Our old star certificate was expired and I renewed cert from godady.
    I install new certificate in to both servers exc2010 and exc2013. than I deleted old Certificate.
    I enabled new certificate for IIS and SMTP services.
    the security warning still appears.
    If I open outlook internal site, outlook works properly with no certificate errors.
    When i open outlook from external site (from home) i am getting the error message "The Security certificate has Expired or is not yet

    valid" after this error message, clients work and send-receive mail with no error

    I tried to use self certitificate and new CA certificate for testing, but users when start, getting the security certificate has expired


    How can I find where is this particular certificate used on the server.

    Any help would greatly appreciated.


    there is no event log about certificate errors (like event id 12014 or 12014 or 12016)


    I run Get-ExchangeCertificate | FL
    there are 3 certificates and none of them are expired.
    I could see 3 certificates in the registry. (HKLM>Software>Microsoft>SystemCertificates>My>Certificates)
    I could see MMC(local comp and user) and IIS Manager  my certificates and none of them are expired.
    I cant find old certificates on exchange server


    I completed virual directory settings and outlook anywhere settings. internal and external as mail.companyname.com.tr
    I have a mail record on the dns, I can ping "mail.companyname.com.tr" via local ip address.

    my outlook exc proxy settings
    NTLM authentication
    checked all checkboxes


    I tried to use providers commands
    set-OutlookProvider -id EXPR -server "exc2013.companyname.com.tr" -CertPrincipalName "msstd:*.companyname.com.tr

    I'm getting the same behavior from Outlook on the external site. (certificate isnot yet valid)


    I was think maybe problem occurs from client computers than I tried to clean the SSL cache on the clients from ie options. but I could see

    old certificates.
    and again The warning pops up when users open outlook, other than that it doesn't affect anything.  Users are still able to access email.


    we have a record autodiscover.companyname.com.tr on the global DNS and have autodiscover services record on the local DNS.


    I've tested RPC/HTTP connectivity on the textexchangeconnectivity.com

    here is result;

    Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
     Test Steps
     The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server companyname.com.tr on port 443.
      The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
     Additional Details
      Remote Certificate Subject: CN=*.companyname.com.tr, OU=Domain Control Validated, O=*.companyname.com.tr, Issuer:

    SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.",

    L=Scottsdale, S=Arizona, C=US.
     Validating the certificate name.
      The certificate name was validated successfully.
     Additional Details
      Host name companyname.com.tr was found in the Certificate Subject Alternative Name entry.
     Certificate trust is being validated.
      Certificate trust validation failed.
     Test Steps
     The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.companyname.com.tr, OU=Domain

    Control Validated, O=*.companyname.com.tr.
      A certificate chain couldn't be constructed for the certificate.
     Additional Details
      The certificate chain has errors. Chain status = NotTimeValid.



    • Edited by Onder Avcu Sunday, July 21, 2013 11:50 AM
    Sunday, July 21, 2013 8:30 AM


  • I suppose, I've found this issue. 

    I noticed when I looked at https://companyname.com, Page's certificate is expired.

    on Monday I'll change it to a new certificate.

    Sunday, July 21, 2013 12:20 PM