Exchange Invalid Certificate


Problem – Exchange Invalid Certificate

After installing a new Exchange certificate to replace the self-signed one, it appears as Invalid in the Exchange Admin Center (EAC) web interface.


If you run Get-ExchangeCertificate from the Exchange Management Shell, it shows the following output:

Get-ExchangeCertificate | Select Subject, Status, IsSelfSigned| Format-Table -AutoSize

Subject                                                               Status IsSelfSigned
-------                                                               ------ ------------
CN=mail.mcse.lab, OU=IT, O=HeloCheck MCSE Labs, L=Zurich, S=CH, C=CH Invalid        False
CN=Microsoft Exchange Server Auth Certificate                          Valid         True
CN=SZHV-EXM01                                                          Valid         True
CN=WMSvc-SZHV-EXM01                                                    Valid         True

Note: if Exchange marks a certificate as Invalid, you will not be able to assign it to any of the Exchange services.

Exchange Invalid Certificate – Verify Trusted Root Certificate Authority

This usually happens when the certificate was issued by a Certification Authority whose root certificate is not in the server's Trusted Root Certification Authorities store, so Windows cannot build a trusted chain from the Exchange certificate up to a root it knows.

If you deployed an internal Certification Authority to issue certificates for internal servers and services, its root certificate is probably missing from the Trusted Root Certification Authorities store on the Exchange server. This is the normal state for a standalone CA; an Enterprise CA publishes its root to Active Directory and domain members pick it up automatically, so on a domain-joined server a missing root also points at a publishing or Group Policy problem. If the root is present, check the Intermediate Certification Authorities store as well: a chain with a missing intermediate CA certificate can fail the same way.

GUI Method

Create a new MMC console and add the Certificates snap-in for the Computer account.

In the Certificates MMC, navigate to Certificates (Local Computer) → Trusted Root Certification Authorities → Certificates and verify that the Certification Authority that issued the Exchange certificate is in the list.

PowerShell Method

You can list the Trusted Root Certification Authorities store from PowerShell with the following command (the certificate provider path is Cert:\LocalMachine\Root; for root certificates Issuer and Subject are the same, so listing Issuer shows the CA names):

Get-ChildItem Cert:\LocalMachine\Root | Select-Object Issuer | Format-Table -AutoSize

Issuer
------
CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA
CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
CN=WMSvc-SZHV-EXM01
CN=SZHV-EXM01

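Scanning the Root store by eye tells you whether a name is there, not whether the chain actually builds. A quicker way to find the exact link Windows does not trust is to let it build the chain for the Exchange certificate and report the result per element. The script below is an added example, not part of the original post; it assumes the certificate subject CN=mail.mcse.lab from the output above (change $Subject for your server) and runs in the Exchange Management Shell or any elevated PowerShell session on the Exchange server.

```powershell
# Added example (not from the original post): build the chain for the Exchange
# certificate and show, for every element, its chain status and which Local Machine
# store (if any) holds it. Assumption: the subject CN=mail.mcse.lab from the post.
$Subject = 'CN=mail.mcse.lab*'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $Subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$Subject' found in Cert:\LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Trust is the question here, not revocation; skipping CRL retrieval keeps the run offline
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$builds = $chain.Build($cert)

# Snapshot of the two CA stores Windows consults when chaining
$rootStore = Get-ChildItem Cert:\LocalMachine\Root
$caStore   = Get-ChildItem Cert:\LocalMachine\CA

function Format-ChainStatus($statusArray) {
    # Empty status array means this element (or the whole chain) is fine
    if ($statusArray.Count -eq 0) { return 'OK' }
    ($statusArray | ForEach-Object { $_.Status }) -join ', '
}

function Get-StoreForElement($c, $index) {
    # Element 0 is the server certificate; every later element is a CA certificate
    if ($index -eq 0) { return 'My (leaf)' }
    if ($rootStore.Thumbprint -contains $c.Thumbprint) { return 'Root' }
    if ($caStore.Thumbprint   -contains $c.Thumbprint) { return 'CA (intermediate)' }
    'NOT INSTALLED'
}

"Chain builds: $builds  (overall status: $(Format-ChainStatus $chain.ChainStatus))"
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "[{0}] {1,-55} store: {2,-18} status: {3}" -f $i, $c.Subject,
        (Get-StoreForElement $c $i), (Format-ChainStatus $element.ChainElementStatus)
    $i++
}
```

Read the output from the bottom up. UntrustedRoot on the last element means the chain built all the way to the issuing root but that root is not in Trusted Root Certification Authorities, which is the situation this post describes. PartialChain on the leaf, with no further elements, means Windows could not even locate the issuer certificate, so the intermediate or root has to be installed before trust can be evaluated at all.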

Exchange Invalid Certificate – Install Certification Authority Chain

If the issuer's root certificate is not in the Trusted Root Certification Authorities store, you need to install it. For a certificate bought from a public vendor, download the CA chain file from the vendor; for a certificate issued by an internal Certification Authority, download it from the CA's Web Enrollment website.

Open a browser, navigate to https://<CA server>/CertSrv and click the "Download a CA certificate, certificate chain, or CRL" link, clicking Yes in the warning window that appears.

Download both the CA certificate and the CA certificate chain by clicking the respective links, and save the files in a convenient location.

To install the files, right-click each one and select Install Certificate. In the Certificate Import Wizard choose Local Machine as the store location: the wizard defaults to Current User, and Exchange runs as system services that never see that store. Place the root CA certificate in Trusted Root Certification Authorities and any intermediate CA certificates from the chain file in Intermediate Certification Authorities.
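The same import done from PowerShell, as an added example that is not part of the original post. It reads the downloaded chain file, puts each self-signed CA certificate in Trusted Root Certification Authorities and every other CA certificate in Intermediate Certification Authorities, both under Local Machine so the Exchange services can use them, and skips certificates that are already there. The file name certnew.p7b is the default the Web Enrollment page offers; the folder C:\Temp is an assumption.

```powershell
# Added example (not from the original post): import a CA chain downloaded from the
# Web Enrollment page into the Local Machine stores, so nothing can silently land in
# the Current User store. Assumed path; certnew.p7b is the CertSrv default file name.
$ChainFile = 'C:\Temp\certnew.p7b'
if (-not (Test-Path $ChainFile)) { throw "Chain file not found: $ChainFile" }

# X509Certificate2Collection.Import reads PKCS#7 (.p7b) as well as single .cer files
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($ChainFile)

foreach ($ca in $collection) {
    # A CA certificate that signed itself is a root; anything else in the chain is an intermediate
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList $storeName, 'LocalMachine'
    $store.Open('ReadWrite')          # requires an elevated session
    if ($store.Certificates.Contains($ca)) {
        "already present  {0,-5} {1}" -f $storeName, $ca.Subject
    } else {
        $store.Add($ca)
        "imported         {0,-5} {1}" -f $storeName, $ca.Subject
    }
    $store.Close()
}

# Exchange re-evaluates the chain on each call; Status should now read Valid
# (this last line needs the Exchange Management Shell)
Get-ExchangeCertificate | Select-Object Subject, Status, IsSelfSigned | Format-Table -AutoSize
```

Importing per server is fine for a lab or a standalone CA. On a domain with many servers the root belongs in Active Directory or Group Policy instead, for example `certutil -dspublish -f <rootcert.cer> RootCA`, so every domain member trusts the CA without anyone touching its store.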

If you check the Exchange certificates again, the certificate is now recognized as Valid and can be assigned to the Client Access services:

Get-ExchangeCertificate | Select Subject, Status, IsSelfSigned| Format-Table -AutoSize

Subject                                                               Status IsSelfSigned
-------                                                               ------ ------------
CN=mail.mcse.lab, OU=IT, O=HeloCheck MCSE Labs, L=Zurich, S=CH, C=CH Valid          False
CN=Microsoft Exchange Server Auth Certificate                          Valid         True
CN=SZHV-EXM01                                                          Valid         True
CN=WMSvc-SZHV-EXM01                                                    Valid         True