The Security certificate has Expired or is not yet valid
When I open Outlook I am getting the error message "The Security certificate has Expired or is not yet valid" (for the hub and CAS server).
Here's the log details (application log in Exchange CAS and HUB server)
event id : 12014
Description : Microsoft Exchange could not find a certificate that contains the domain name CA01.test.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Receive CA01.test.local
with a FQDN parameter of CA01.test.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If
this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
And I run Get-ExchangeCertificate | FL
There are 3 certificates but none of them are expired. At the same time I could see 5 certificates in the registry (HKLM>Software>Microsoft>SystemCertificates>My>Certificates).
Is there a way to check the certificate validity by thumbprint?
Please help
June 7th, 2011 11:20am
On Tue, 7 Jun 2011 15:14:59 +0000, supportsib wrote:
>When i open outlook i am getting the error message " The Security certificate has Expired or is not yet valid" (For the hub and cas server )
When you use OWA do you get a certificate warning? If so, look at the
certificate details and see which one is being used. It's probably the
same one used for Outlook Anywhere.
>
>Heres the log details (application log in Exchange CAS AND HUB server)
>
>event id : 12014
>
>Description : Microsoft Exchange could not find a certificate that contains the domain name CA01.test.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Receive CA01.test.local
>with a FQDN parameter of CA01.test.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If
>this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
That's not telling you about an expired certificate, it's telling you
that there's no certificate in the machine name's certificate store
that has a CN or SAN that matches "ca01.test.local"
>And i run Get-ExchangeCertificate | FL
>
> there are 3 certificates but none of them are expired .
Start with the problem identified in the event 12014. Which of the
certificates is enabled for SMTP? If they don't have the name
ca01.test.local in them then get a certificate to match the way your
machine's configured, load it into the local server's certificate
store and use enable-exchangecertificate to start using it.
>At the same time i could see 5 certificates in the registry
>(HKLM>Software>Microsoft>SystemCertificates>My>Certificates.)
>
>is there a way to check the certificate validity by Thumbprint ?
The "fl" output for each certificate would tell you if the
certificate's valid.
---
Rich Matheisen
MCSE+I, Exchange MVP
June 7th, 2011 10:04pm
Hi Rich, thanks for your reply.
Get-ExchangeCertificate | FL when I run EMC, I could find only 3 certificates with expired date and all
but in the registry there are more thumbprints (5 No's), but it won't give any details.
>When you use OWA do you get a certificate warning?
No, OWA users are not getting any security warning, only Outlook users.
June 8th, 2011 12:19pm
On Wed, 8 Jun 2011 16:14:43 +0000, supportsib wrote:
> Get-ExchangeCertificate | FL when i run EMC , i could find only 3 certificate with expired date and all
Well, use the certificates snap-in in the MMC and remove the expired
certificates from the local machine account's certificate store.
Keeping them just confuses things.
>but in the registry there are more thumbprints (5 No's ), But it wont give any details
Why are you using regedit when there's a perfectly good MMC snap-in
that's a lot easier to use and abstracts all the ugly stuff?
>>When you use OWA do you get a certificate warning?
>No owa users are not getting any security warning , only outlook users
How many places in IIS do you have certificates installed? Use the IIS
manager snap-in and see what certificates are installed on which
virtual directories. It sounds like you have more than one.
---
Rich Matheisen
MCSE+I, Exchange MVP
June 8th, 2011 7:58pm
Hello,
Open MMC on the CAS server and add the certificate snap-in.
Find the expired certificate and remove it.
Thanks,
Simon
June 9th, 2011 6:13am
I think I misled you all, sorry for that.
I opened MMC on the CAS server and added the certificate snap-in to find out the expired certificates, but I could not find any expired certificate there. But I could find 5 entries in the registry. So I think the entry for expired certificates still exists in the registry, and it might be the cause of the problem.
June 9th, 2011 1:38pm
On Thu, 9 Jun 2011 17:33:06 +0000, supportsib wrote:
>i think i mislead you all , sorry for that
>
>i open MMC on the Cas server and added the certificate snap-in to find out the expired certificates , but i could not find any expired certificate there .But i could find 5 entries in registry . So i think still the entry for expired certificates exists
>in the registry ,and it might be the cause of the problem
When you added the Certificates snap-in to the MMC did you select
"Computer Account" on the 1st dialog box and "Local Computer" on the
2nd dialog box?
The certificates you should be looking for are in the "Personal >
Certificates" container. Certificates in Trusted Root Certification
Authorities or Intermediate Certification Authorities may also be
expired so check to be sure the CA that issued your cert, and any CAs
in the chain of trust, haven't expired.
---
Rich Matheisen
MCSE+I, Exchange MVP
June 9th, 2011 9:41pm
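
The checks discussed in this thread (validity dates per thumbprint, a CN or SAN that matches the FQDN from event 12014, and expiry anywhere in the chain of trust) can be run together against the local computer's Personal store. This is an added example, not code posted by anyone in the thread; the function name Test-StoreCertificate and the $Fqdn value are assumptions for illustration.

```powershell
# Added example. $Fqdn is an assumption: set it to the name from event 12014.
$Fqdn = 'CA01.test.local'

function Test-StoreCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $now = Get-Date

    # Subject CN plus any DNS names in the SAN extension (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is localized; 'DNS Name=' is the English label.
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # Build the chain without revocation lookups so expiry problems in the
    # issuing or root CA certificates show up on their own.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $expired = $chain.ChainElements |
        Where-Object { $_.Certificate.NotAfter -lt $now } |
        ForEach-Object { $_.Certificate.Subject }

    New-Object PSObject -Property @{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        NotBefore      = $Cert.NotBefore
        NotAfter       = $Cert.NotAfter
        DateValid      = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        HasPrivateKey  = $Cert.HasPrivateKey
        # -like lets a wildcard name such as *.test.local match the FQDN.
        MatchesFqdn    = (@($names | Where-Object { $Fqdn -like $_ }).Count -gt 0)
        ChainOk        = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ExpiredInChain = $expired -join '; '
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-StoreCertificate -Cert $_ -Fqdn $Fqdn } |
    Format-List Thumbprint, Subject, NotBefore, NotAfter, DateValid,
                HasPrivateKey, MatchesFqdn, ChainOk, ChainStatus, ExpiredInChain
```

To inspect a single certificate, pass the object returned by Get-Item for its thumbprint path under Cert:\LocalMachine\My instead of enumerating the store. Which certificate is actually enabled for SMTP or IIS is not visible from the store, so compare the thumbprints against the Services field in the Get-ExchangeCertificate | FL output.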