Problem – Exchange Invalid Certificate
After installing a new Exchange certificate to replace the self-signed one, it appears as Invalid in the Exchange Administration Center web interface.
If you run the Get-ExchangeCertificate cmdlet from the Exchange Management Shell, it shows the following output (note the Status of the new certificate):
Get-ExchangeCertificate | Select Subject, Status, IsSelfSigned | Format-Table -AutoSize

Subject                                                              Status  IsSelfSigned
-------                                                              ------  ------------
CN=mail.mcse.lab, OU=IT, O=HeloCheck MCSE Labs, L=Zurich, S=CH, C=CH Invalid False
CN=Microsoft Exchange Server Auth Certificate                        Valid   True
CN=SZHV-EXM01                                                        Valid   True
CN=WMSvc-SZHV-EXM01                                                  Valid   True
Note: If Exchange marks a certificate as invalid, you will not be able to use it for any of the configured services.
Exchange Invalid Certificate – Verify Trusted Root Certificate Authority
This behavior usually occurs when the installed certificate was issued by a Certificate Authority that is not among the Trusted Root Certification Authorities of the server: Exchange cannot build a trusted chain for it, so it marks it Invalid.
If you deployed an internal Certificate Authority to issue certificates for internal servers and services, its root certificate is probably missing from the Trusted Root Certification Authorities store on the Exchange server.
GUI Method
Create a new MMC and add the Certificates snap-in for the Computer account.
In the Certificates MMC, navigate to Certificates → Trusted Root Certification Authorities → Certificates and verify that the Certification Authority that issued the Exchange certificate is in the list.
PowerShell Method
You can list the Trusted Root Certification Authorities via PowerShell with the following command:
Get-ChildItem Cert:\LocalMachine\Root -Recurse | Select-Object Issuer | Format-Table -AutoSize

Issuer
------
CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA
CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
CN=WMSvc-SZHV-EXM01
CN=SZHV-EXM01
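Scrolling through the Root store by eye does not tell you which link of the chain is actually missing, and a subordinate (issuing) CA that is absent from the Intermediate store produces the same Invalid status as a missing root. The following script is an added example, not part of the original post: it takes each non-self-signed certificate reported by Get-ExchangeCertificate, looks up the real X509Certificate2 object in the machine's Personal store by thumbprint (the objects returned over the Exchange remote session are deserialized and cannot be fed to X509Chain directly), builds the chain against the local stores, and prints the chain status together with the issuer name the chain stopped at, which is the CA certificate you need to import. It assumes it is run in the Exchange Management Shell on the server itself.

```powershell
# Added example (not from the original post). Diagnose why Exchange reports a certificate
# as Invalid by building its chain with the machine stores and reporting the break point.
# Assumes the Exchange Management Shell on the server, so Get-ExchangeCertificate resolves.

$rootSubjects = (Get-ChildItem Cert:\LocalMachine\Root).Subject
$caSubjects   = (Get-ChildItem Cert:\LocalMachine\CA).Subject

foreach ($exCert in Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned }) {
    # Resolve the deserialized Exchange object to the real certificate in the Personal store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $exCert.Thumbprint } | Select-Object -First 1
    if (-not $cert) { Write-Warning "Thumbprint $($exCert.Thumbprint) not found in LocalMachine\My"; continue }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is a separate problem; skip it so only trust/chain-building errors show up.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($cert)

    # The last element the chain could reach; its Issuer is the CA certificate that is missing
    # (or, if the chain reached a root, the root that is simply not trusted).
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $stoppedAtRoot = ($last.Subject -eq $last.Issuer)

    [PSCustomObject]@{
        Subject        = $cert.Subject
        ExchangeStatus = $exCert.Status
        ChainBuilds    = $builds
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        StoppedAt      = $last.Subject
        NeededIssuer   = $last.Issuer
        IssuerInRoot   = ($rootSubjects -contains $last.Issuer)
        IssuerInCA     = ($caSubjects -contains $last.Issuer)
        MissingLink    = if ($builds) { 'none' }
                         elseif ($stoppedAtRoot) { 'root present in chain but not trusted: import it into Root' }
                         else { "issuer '$($last.Issuer)' not in Root or CA store: import it" }
    }
}
```

A ChainStatus of UntrustedRoot with StoppedAt equal to NeededIssuer means the whole chain was found but the root is not in the Trusted Root Certification Authorities store; PartialChain means an intermediate or root certificate could not be located at all. Either way NeededIssuer names the CA certificate to download from the Web Enrollment site.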
Exchange Invalid Certificate – Install Certification Authority Chain
If the root certificate of the issuer is not in the Trusted Root Certification Authorities list, you can download the CA chain file from the certificate vendor. If the certificate was issued by an internally installed Certificate Authority, download the CA chain file from that CA's Web Enrollment website instead.
Open a browser and navigate to https:///CertSrv, then click the Download a CA certificate, certificate chain, or CRL link, clicking Yes in the warning window that appears.
Download both the CA chain and the CA certificate files by clicking the respective links, saving the files in a convenient location.
To install the files, right-click each one, select Install Certificate and follow the wizard to install it into the local computer certificate store.
If you check the Exchange certificates again, the certificate is now recognized as valid and can be used to protect the various CAS services:
Get-ExchangeCertificate | Select Subject, Status, IsSelfSigned | Format-Table -AutoSize

Subject                                                              Status  IsSelfSigned
-------                                                              ------  ------------
CN=mail.mcse.lab, OU=IT, O=HeloCheck MCSE Labs, L=Zurich, S=CH, C=CH Valid   False
CN=Microsoft Exchange Server Auth Certificate                        Valid   True
CN=SZHV-EXM01                                                        Valid   True
CN=WMSvc-SZHV-EXM01                                                  Valid   True
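The Install Certificate wizard works but is easy to get wrong on a server: a chain file (.p7b) installed into the wrong store leaves the issuing CA untrusted, and dropping an intermediate CA into Trusted Root Certification Authorities grants it more trust than it should have. The following script is an added example, not part of the original post: it reads the downloaded chain file, sorts each certificate into the right machine store (self-issued roots into Root, everything else into the Intermediate Certification Authorities store, CA), skips certificates that are already present, and then re-runs the Exchange check. The file path is an assumed placeholder; certnew.p7b is only the default file name the Web Enrollment page offers, so replace it with wherever you saved the download. Run it from the Exchange Management Shell as an administrator.

```powershell
# Added example (not from the original post). Import a downloaded CA chain into the correct
# LocalMachine stores and re-check the Exchange certificates.
# $chainFile is an assumed placeholder path; point it at the chain you downloaded from /CertSrv.
$chainFile = 'C:\Temp\certnew.p7b'

# X509Certificate2Collection.Import understands .cer, .p7b and .sst files.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($chainFile)

$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
$rootStore.Open('ReadWrite')
$caStore.Open('ReadWrite')
try {
    foreach ($cert in $chain) {
        # A root CA certificate is self-issued: Subject and Issuer are the same name.
        # Only those belong in Trusted Root; subordinate CAs go to the Intermediate store.
        $isRoot = ($cert.Subject -eq $cert.Issuer)
        $store  = if ($isRoot) { $rootStore } else { $caStore }

        if ($store.Certificates.Contains($cert)) {
            Write-Host "Already present in $($store.Name): $($cert.Subject)"
            continue
        }
        $store.Add($cert)
        Write-Host "Imported into $($store.Name): $($cert.Subject) (thumbprint $($cert.Thumbprint))"
    }
}
finally {
    $rootStore.Close()
    $caStore.Close()
}

# Exchange re-evaluates the chain on each call, so the Status should now read Valid.
Get-ExchangeCertificate | Select-Object Subject, Status, IsSelfSigned | Format-Table -AutoSize
```

Before running it, open the .p7b file once (double-clicking it shows the contained certificates) and confirm that the self-issued root it contains really is your organization's CA; whatever this script places in Root becomes trusted for every service on the server, not just Exchange.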