Tuesday, October 28, 2014

Exchange 2010 - The certificate is invalid for Exchange Server usage

After attempting to open OWA I received a lovely message about the certificate being invalid today.  Huh?  That can't be right.  Unfortunately we don't utilize OWA very often, so the error had gone unnoticed for a long period of time.


First things first, look at the cert. 
  • Certificate path is fine
  • Still within the valid date timeframe
  • SAN cert and all the DNS names look fine
  • As far as the Certificates MMC is concerned, all is swell.
But Exchange still shows "The certificate is invalid for Exchange Server usage"
After some browsing on good old Google I find lots about this error when the cert path is wrong.  So I play around with the intermediate / root certs, but feel pretty confident that the path is correct (and the cert is showing the path as valid).


Finally, I assign the Exchange roles to the self-signed cert, delete the third party cert, and reimport it.  Same error, but now of course I can't assign the roles back to it because it's invalid.  So, of course, after a few minutes people get a popup about the self-signed cert.  Doh.  No problem though.  We can force that with the shell.
  • Get-ExchangeCertificate | fl
  • Find the cert you want and get its Thumbprint
  • Enable-ExchangeCertificate -Thumbprint [thumbprintfromabove] -Services "SMTP,IIS"  (we don't use POP or IMAP)
Okay, at least now we're back where we had been, but what's going on.


Opening up the shell I do a Get-ExchangeCertificate -Thumbprint thumbprint## | fl.  It shows a RootCAType of Unknown.  Eh?  That's definitely not right.


I pull up https://www.digicert.com/help/ and do a cert check.  Uhm, pretty sure it shouldn't say "SSL Certificate is revoked".  Yikes!


After some more head scratching I recall that for the latest project I'm working on in my off hours (Exchange 2013) I had rekeyed the cert.  Of course when I rekeyed the cert I did import the new cert onto the old Exchange 2010 box, so that shouldn't be the issue.


So, I look at the new Exchange 2013 box cert and compare its Serial Number to the one on the Exchange 2010 box.  They should be the same, but what the heck, they are not!  Somewhere in the process I messed up the import into the 2010 box (and I know I did the import; I logged it in our tickets with the steps).


Export the cert again from Exchange 2013, quick import into 2010, reassign the roles and all is happy!


So:
  1. Exchange doesn't specifically complain that the cert is revoked.  It just states it's invalid.
  2. If I had paid more attention to the OWA error I would have seen that it specifically said "The organizations certificate has been revoked" and it was correct.
  3. The Certificates snap-in MMC doesn't, as far as I can tell, show when a cert has been revoked.
  4. Certificates can be dang confusing; double-check that you've got the right one (the serial number seems to be a good way).
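To make that last check routine, here is an added example (my own, not part of the original post) that lists every certificate Exchange knows about with its serial number and RootCAType, and runs an online revocation check on each so a revoked cert shows up as "Revoked" rather than just "invalid". It assumes it runs in the Exchange Management Shell on the Exchange server itself, where the certificates live in the local machine personal store.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell
# (for Get-ExchangeCertificate) on the Exchange server, with certs in Cert:\LocalMachine\My.

function Test-ExchangeCertRevocation {
    param(
        # Optional thumbprint; default is every certificate Exchange knows about
        [string]$Thumbprint
    )

    $exCerts = if ($Thumbprint) { Get-ExchangeCertificate -Thumbprint $Thumbprint }
               else { Get-ExchangeCertificate }

    foreach ($exCert in $exCerts) {
        # Pull the X509Certificate2 from the machine store so the chain build works
        $x509 = Get-Item "Cert:\LocalMachine\My\$($exCert.Thumbprint)"

        # Build the chain with online (CRL/OCSP) revocation checking for the whole chain
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($x509)

        # ChainStatus is empty on success; otherwise it carries flags such as Revoked,
        # RevocationStatusUnknown or PartialChain, which the Certificates MMC does not surface
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $revoked = ($status -contains 'Revoked')

        [PSCustomObject]@{
            Thumbprint   = $exCert.Thumbprint
            SerialNumber = $exCert.SerialNumber   # compare this across servers after a rekey
            Subject      = $exCert.Subject
            NotAfter     = $exCert.NotAfter
            Services     = $exCert.Services       # e.g. IIS, SMTP
            RootCAType   = $exCert.RootCAType     # "Unknown" was the first clue in this post
            Revoked      = $revoked
            ChainStatus  = ($status -join ', ')
        }
    }
}

# Usage: list everything and flag anything revoked before it bites OWA users
Test-ExchangeCertRevocation | Format-Table Thumbprint, SerialNumber, RootCAType, Revoked, ChainStatus -AutoSize
```

Run the same function on the Exchange 2013 box and compare the SerialNumber column; a rekeyed cert that was imported correctly shows the same serial on both servers.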
