the security certificate has expired or is not yet valid in outlook 2007

    Question

  • Hi, We have Exchange Server 2007 and Outlook 2007 clients. After one year of installation we get the security warning "the security certificate has expired or is not yet valid" twice when we launch Outlook 2007. I have checked the Exchange certificates (Get-ExchangeCertificate | fl in Exchange management) and the IIS certificates (server certificates), but the expired certificate shown by Outlook is not there. I also notice that I do not get this security warning when the default web site is stopped or when the WWW service is stopped.

    How can I find where this particular certificate is used on the server?

    Regards

    Jai

     

     

    Monday, August 30, 2010 1:28 PM

Answers

  • Hi,

    To resolve this issue, you need to create a new certificate for exchange server.

    If you are using an Exchange self-signed certificate, please follow these steps to create a new certificate:

    Step 1: Delete the expired certificate:

    a. Run Get-ExchangeCertificate | fl and please note the Thumbprint number of the expired certificate, such as 5113ae0233a72fccb75b1d0198628675333d010e.

    b. Run Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e to delete this expired certificate.

    Step 2: Generate a new Exchange certificate:

    New-ExchangeCertificate

    You may get a prompt to overwrite the default SMTP certificate. Type A to overwrite it.

    Step 3: Enable this new certificate for the Exchange services:

    Enable-ExchangeCertificate -Thumbprint <thumbprint of the new certificate you just created> -Services IIS,SMTP,POP,IMAP

    For more information, please refer to the following link:

    http://technet.microsoft.com/en-us/library/aa997231(EXCHG.80).aspx

     


    • Marked as answer by Jaita Wednesday, September 01, 2010 8:11 AM
    Tuesday, August 31, 2010 8:42 AM

All replies

  • Has the certificate that you are using been enabled for all the necessary services on the CAS?

    If you open up MMC on the server and add the Certificates snap-in, do you see the certificate listed anywhere in the certificate store for that server?

     

    Monday, August 30, 2010 3:15 PM
  • When you get the certificate prompt you can choose to view the certificate. That may well show you where the certificate prompt is coming from. It could be that the client is connecting to a server that you aren't expecting as part of the autodiscover process.

    Simon.


    Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
    Monday, August 30, 2010 9:56 PM
  • Hi Andy, The certificate warning prompted while launching Outlook shows that it is for the mail server (single server with Mailbox, CAS & Hub Transport roles). When I list the certificates in the Exchange Management Shell, it is not available there. I cannot see it anywhere in the certificates console as well. I tried even in the IIS server certificates and it is not there.

    Regards

    Jai

    Tuesday, August 31, 2010 7:14 AM
  • The certificate warning prompted while launching Outlook shows that it is from the mail server. When I stop the default web site on the Exchange server, the certificate warning does not come. So it is confirmed that it is from the mail server.

    Jai

    Tuesday, August 31, 2010 7:17 AM
  • When you view the cert that is throwing the error from the client, what is the expiration date?

     

    Tuesday, August 31, 2010 11:12 AM
  • Hi Gen Lin,

    I cannot delete the expired certificate because I cannot see it when I run get-exchangecertificate |fl command.

     

    Tuesday, August 31, 2010 1:50 PM
  • Hi Andy, The expiration date is 8/17/2010.

    Also note that when I search for the thumbprint of the invalid certificate in the mail server's registry I can see it under HKLM>Software>Microsoft>SystemCertificates>My>Certificates.

     

     

    Tuesday, August 31, 2010 1:56 PM
  • If you see it in the registry, then it should be viewable in the Personal certificate store of the server viewed with the MMC/Certificates snap-in.

    Either way, I would remove the invalid cert. Just make sure you have a good one that you can re-enable for the correct services if necessary or if removing it breaks something.

     

     

    Tuesday, August 31, 2010 2:03 PM
  • Hi,

    Did you run Get-ExchangeCertificate | fl in the Exchange Management Shell?

    What result did you get after running this command?


    Gen Lin-MSFT
    Wednesday, September 01, 2010 2:58 AM
  • Hi Andy & Gen Lin,

    The problem is solved finally. Here is what I have done.

    I have deleted the expired certificate from the registry.

    Created a new self-signed certificate. Noticed that this has only IMAP, POP and SMTP services. So I enabled this certificate for IIS as well. Now the security warning does not appear.

    Thanks a lot for your help.

    Regards

    Jai

     

    Wednesday, September 01, 2010 8:16 AM
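
The lookup this thread worked through by hand (view the certificate behind the Outlook prompt, then hunt for its thumbprint on the server), as an added PowerShell example that is not part of any post. It assumes PowerShell 2.0 or later; mail.example.com and the two function names are placeholders chosen for this example.

```powershell
# Added example, not from the thread. Requires PowerShell 2.0 or later.
# $ServerName is a placeholder: use the host name shown in the Outlook warning.
$ServerName = 'mail.example.com'

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Find-StoreCertificate {
    param([string]$Thumbprint)
    # Search every LocalMachine store, not only the ones Exchange or IIS list.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $Thumbprint }
}

# 1. What does the web site actually hand to clients on 443?
$presented = Get-PresentedCertificate -HostName $ServerName
$presented | Format-List Subject, Thumbprint, NotBefore, NotAfter | Out-Host

# 2. Where does that thumbprint live? (run this part on the Exchange server)
Find-StoreCertificate -Thumbprint $presented.Thumbprint |
    Format-List PSParentPath, Subject, NotAfter, HasPrivateKey | Out-Host

# 3. Everything in the Personal store that is expired or not yet valid,
#    matching the wording of the Outlook warning.
$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $now -or $_.NotBefore -gt $now } |
    Format-List Subject, Thumbprint, NotBefore, NotAfter | Out-Host
```

If step 1 shows a thumbprint that Get-ExchangeCertificate does not list, the certificate is still bound to the web site even though Exchange no longer tracks it, which is the situation described in this thread.
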
  • I did it and now I have a new license but it doesn't work either(!) and the expiry date is 2012! What can I do now? What is the problem?


    I just noticed that I have two certificates. I tried to remove the expired certificate but the following error was shown:

    Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
    Parameter name: Thumbprint
    At line:1 char:27
    + remove-exchangecertificate  <<<< -thumbprint 7CFE12F1FFFB91D9EE4BAD45C533BB5B23BFAE93

    I also stopped the Microsoft Exchange Transport service but the problem persists!!!

    Saturday, August 06, 2011 8:56 AM