Invalid Digital Signature

  • Invalid Digital Signature

    I am not sure if this is an Exchange, Outlook, or Certificate Authority issue.

    We have a 2003 box that has exchange 2007 installed.

    Our SSL digital signature that hosts our OWA site just expired. I renewed it. Now whenever Outlook tries to connect to Exchange via RPC over HTTP, it tells me the digital signature is invalid, as if it was modified or compromised. The root certificate is deemed valid, but it seems like any child certificate it publishes has an invalid signature on my computer. This has caused Internet Explorer and Outlook to not connect.

    Though I don't have Outlook installed on our Exchange server, I can connect to the webmail via Internet Explorer just fine on the server and other computers. Just not mine... ideas?

  • #2
    Re: Invalid Digital Signature

    The certificate should be a UC or SAN certificate with subject alternative names to support autodiscover. Do you have this?

    Can you open OWA without warnings?



    • #3
      Re: Invalid Digital Signature

      You need a SAN or UC certificate for Exchange 2007; it needs:

      Internal server FQDN
      External OWA address domain, e.g. (if you want to use that)

      If you use a 3rd party one which is not trusted with the web browsers by default, you need to install the root certificate on each workstation to trust it.

      Please confirm how your current SSL is set up.


      • #4
        Re: Invalid Digital Signature

        Thank you all for your replies, so here's the info and my research.

        The certificate should be a UC Or SAN certificate with subject alternative names to support autodiscover. Do you have this?
        I had NO idea you could use a certificate for more than one common name... My certificate was always figuring it would be universally supportive. I always obtained my web certificates using the IIS wizard and never had an issue in the past.

        Please confirm how your current ssl is set up.
        Yes I do install the root certificate in the trusted root authority folder, that is the only way Exchange RPC over HTTP will work.

        When I have the root certificate installed on my computer:
        Internet Explorer will not connect to OWA; it gives me a page error as if it was not even connected to the internet. That means I get no 404, no server response. I suspect this is because the digital certificate does not fall under the 3 most common issues of no trusted root, expiration, or wrong common name.

        Outlook actually gives me an error message of code 2, see here, which indicates a bad certificate. I am given 1 more prompt and the ability to view the certificate. When I view it, I see the root certificate as OK, but the child certificate, the web certificate, says digital signature invalid.
        For experimenting, I removed the root certificate from my computer, and voila: Internet Explorer can connect to OWA, but it gives me the error that it can't verify the certificate because it doesn't know the root authority.

        Outlook still can't connect to Exchange RPC over HTTP because it doesn't have the root certificate installed, but now gives me error code 8, again see here, which means it doesn't know the root authority.
        Upon re-adding the root authority certificate again, the problem in its entirety returns.

        I am stumped...
        Last edited by homeshark; 12th November 2009, 17:39. Reason: added info


        • #5
          Re: Invalid Digital Signature


          I still have not found a solution to the issue. Ideas?


          • #6
            Re: Invalid Digital Signature

            I would redo the whole certification process while following the guidelines given by Microsoft. This means:

            1. Create a new certificate request using the new-exchangecertificate cmdlet; make sure to include the host name and FQDN as alternate names.
            2. Process the certificate request through your PKI using the web interface (https://%servername%/certserv)
            3. Import the certificate into your Exchange box using the import-exchangecertificate cmdlet.
            4. Activate the certificate for the appropriate services using enable-exchangecertificate -services

            See attached links for further information


            • #7
              Re: Invalid Digital Signature

              I resolved the issue... and it was a very easy fix.

              The issue was that there was an "Invalid Digital Signature". This means that the private key and the public key were not mathematically correct.

              Digging deeper I turned to the Root CA and found the answer. 2 years ago I made the foolish mistake of right clicking on the CA and clicking “Renew CA Cert”. This renewed the root CA certificate. My computer(s) were still using the first, original, root CA certificate.

              My website was using an SSL certificate that was signed by the original root CA certificate. Once the IIS certificate expired and I renewed it, it was signed by the new root CA certificate not the old one. Hence the invalid digital signature.

              To resolve the issue overall:

              1. I right clicked on my CA through the Certificate Authority and selected Properties.
              2. Make sure you are on the General tab.
              3. Click “View Certificate” on the latest certificate.
              4. Export it by clicking “Copy to File”.
              5. Export it as a CER file and then rename it to CRT.
              6. Import the CRT file into the Root Certificate Authority store on everyone’s computer.

              Voila! The certificates are now deemed valid.

              I hope this helps anyone in the future that has the issue.
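The root-key mismatch described in #7, reproduced as an added example that is not from this thread, using Go's standard crypto/x509: a renewed root with the same CA name but a new key pair, a server certificate issued under it, and chain validation against the original root, the renewed root, and both. The CA name and host name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign sets a one-day validity window, signs template t with priv under parent, and parses the result.
func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
// mkRoot builds a self-signed root; a second call with a fresh key models "Renew CA Cert" with a new key pair.
func mkRoot(key *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, // constructed name
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(t, t, &key.PublicKey, key)
}
// mkLeaf issues a server certificate for host under root, signed with the CA's private key caKey.
func mkLeaf(root *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(t, root, &leafKey.PublicKey, caKey)
}
// chainOK reports whether leaf validates for its host name against the given trusted roots only.
func chainOK(leaf *x509.Certificate, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range trusted {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}
// Scenario reproduces the thread: the OWA certificate is reissued under the renewed root, so a client
// trusting only the original root rejects it; once the renewed root is imported the chain validates.
func Scenario() (oldRootOnly, newRootOnly, bothRoots bool) {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldRoot, newRoot := mkRoot(oldKey), mkRoot(newKey)
	owa := mkLeaf(newRoot, newKey, "mail.example.test") // constructed host name
	return chainOK(owa, oldRoot), chainOK(owa, newRoot), chainOK(owa, oldRoot, newRoot)
}
```

Because both roots carry the same subject name, a client picks the old root by issuer name and then fails the signature check, which is exactly the "digital signature invalid" seen on the child certificate while the root itself still looks fine.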