A certificate installed on an Exchange Server 2010 server may display the following error message:

"The certificate is invalid for exchange server usage"

This occurs when the certificate's chain cannot be verified up to a trusted certificate authority, which is common when the certificate has been issued by a private certificate authority.
To correct the problem you must install the root certificate for the certificate authority. For a private certificate authority this can be obtained from the web enrollment page (e.g. http://ca-server/certsrv).
Browse to the web page and click on Download a CA Certificate, Certificate Chain, or CRL.
Click to download either the CA Certificate (if the certificate was issued by a root CA) or the Certificate Chain (if the certificate was issued by an intermediate CA).

Launch a new Microsoft Management Console (Start -> Run, mmc.exe) and add the Certificates snap-in to it, connecting to the Computer Account for the Local Computer.
Navigate to Trusted Root Certification Authorities. Right-click on Certificates and choose All Tasks and then Import.

Browse and choose the CA Certificate or Certificate Chain that you downloaded earlier.

Place the certificate in the Trusted Root Certification Authorities store.

Complete the import wizard and then refresh the Exchange Management Console, and the certificate should now be valid.
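
If the certificate still shows as invalid, it helps to see which link of the chain fails. The following PowerShell is an added example, not part of the original article: it optionally performs the same root import from the command line and then builds the chain with the .NET X509Chain class, which is a general Windows chain check and not necessarily the exact validation Exchange performs. The three parameter values are placeholders, and the hint texts are this example's own wording.

```powershell
# Added example. Placeholders: supply real values for the parameters below.
param(
    [string]$Thumbprint        = '<EXCHANGE-CERT-THUMBPRINT>',
    [string]$RootCaFile        = '',  # optional: downloaded root CA certificate (.cer)
    [string]$ExpectedRootThumb = ''   # root thumbprint confirmed with the CA administrator
)
$x509 = 'System.Security.Cryptography.X509Certificates'

if ($RootCaFile) {
    $ca = New-Object "$x509.X509Certificate2" $RootCaFile
    # Only a self-signed certificate whose thumbprint was confirmed out of band
    # belongs in Trusted Root Certification Authorities.
    if ($ca.Subject -ne $ca.Issuer) { throw "$RootCaFile is not a self-signed root CA certificate" }
    if ($ca.Thumbprint -ne $ExpectedRootThumb) { throw "Root thumbprint $($ca.Thumbprint) does not match the expected value" }
    $store = New-Object "$x509.X509Store" 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($ca) } finally { $store.Close() }
}

# Build the chain in the machine context, with online revocation checking.
$cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$chain = New-Object "$x509.X509Chain" $true
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$valid = $chain.Build($cert)

# Show every element with its own status so the failing link is visible.
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    '{0}  [{1}]' -f $element.Certificate.Subject, $status
}

# Map the overall chain status to the most likely cause.
$hints = @{
    'UntrustedRoot'           = 'root CA certificate is not in Trusted Root Certification Authorities'
    'PartialChain'            = 'an intermediate CA certificate is missing on this server'
    'Revoked'                 = 'the issuing CA has revoked this certificate'
    'RevocationStatusUnknown' = 'revocation could not be checked (CRL unreachable, proxy or firewall)'
    'OfflineRevocation'       = 'the revocation server could not be reached (proxy or firewall)'
    'NotTimeValid'            = 'a certificate in the chain is expired or not yet valid'
}
foreach ($entry in $chain.ChainStatus) {
    $name = $entry.Status.ToString()
    $hint = $hints[$name]
    if (-not $hint) { $hint = $entry.StatusInformation.Trim() }
    '{0}: {1}' -f $name, $hint
}
"Chain valid: $valid"
```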





Thank you.
You are my hero.
I was having this problem in my lab for Exchange 2010 and of course MS Book didn’t mention anything regarding having this problem, so I got it fixed using your instruction.
Thanks a bunch.
Hello Paul.
Thank you very much! You really helped me! Cool!
Worked perfect.
I tried this, but the certificate is always invalid.
Are there any other reasons for this error?
Hi Tomm, what kind of certificate have you installed? Is it from a private CA, or a commercial CA?
Hi,
I’ve just had EMC showing the certificate being invalid. I used Enable-ExchangeCertificate to force the certificate to be used for IIS, and this allowed me to see the real issue. The certificate had been revoked due to a mis-communication with our certificate supplier.
New certificate being ordered!
Hello,
I tried this, but the certificate is always invalid.
I created a certificate request with “New Certificate”, had it signed by a private root CA,
and imported both certificates (root CA certificate and Exchange).
Any idea?
Thanks!
You can try using the Exchange Management Shell to assign it instead. See here:
http://blogs.technet.com/b/exchange/archive/2010/07/26/3410505.aspx
Thanks for quick response!
I have assigned with Exchange Management Shell:
—
CertificateDomains : {mobile.code.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : E=Root_CA@mobile.code.com, CN=Mobile code, OU=PRS, O=code, L=Berlin, S=Berlin, C=DE
NotAfter : 09.10.2017 11:24:01
NotBefore : 11.10.2011 11:24:01
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 0A
Services : IMAP, POP, IIS, SMTP
Status : Invalid
Subject : C=DE, S=Berlin, L=DE, O=code, OU=PRS, CN=mobile.code.com
Thumbprint : FCAA09B80451FB44AADBBF738ACBD5A42D6AE36
—
The root CA is also trusted but I still get the error message.
thanks heaps Paul, worked a treat!
Thx you
Thank you!! This fixed my problem!
How do I solve it with a third-party certificate from DigiCert?
Perfect. Thank you Paul .
Thank you Paul, this helped me as well – funny, the smallest things you can rip your hair out over.
Addition:
Can also happen to certificates with an official root CA.
Then the Exchange server is not able to check the revocation of the cert.
Workaround:
Open cmd with elevated permissions (right click -> Run as Administrator)
netsh winhttp set proxy ";exception;exception"
Refresh EMC
Maybe need to restart Exchange Services
DING! All green!
Cheers,
Alex
Hi Paul,
I get exactly the same error message. I bought SSL certificate from godaddy.com. Can you please tell me where can I get the root certificate for godaddy? I don’t know what is this web enrollment page? what I understand is that there must be a web enrollment page for godaddy and I need to download Root cert for godaddy from there and install it on my servers somewhere?
Please help,
Many thanks,
The web enrollment page you see there only relates to a private CA. For a commercial CA such as Godaddy you’ll need to check their support pages or contact them to ask about any other required certificates you need to install to get your SSL certificate working.
Thanks Paul. I got it working, I had to install the intermediate certificates from go daddy to get it working, Cheers!
Had this issue today when my root CA cert expired. Resolved this on the Exchange servers by doing a gpupdate /force, as the root CA is automatically pushed out and updated in GP.
This helped me, thanks!
Thank you Paul, I got it fixed.