Certificate is invalid for Exchange server usage

  • Certificate is invalid for Exchange server usage

    Firstly: not sure if this should be in Exchange but since it's causing me pain in Exchange this is my first port of call

    I had OWA, ActiveSync and Outlook Anywhere working on an Exchange 2010 box using a godaddy certificate and following their instructions to the letter.

    Users were getting an error locally when accessing the OAB about 'name in certificate'. Despite the certificate being a UCC with the local intranet name in it I followed kb940726 since I couldn't work out why it was not working, and changed the local intranet URL to be the same as the external URL.

    Following that I tested OWA and got 'the certificate has been revoked'. Within Exchange my certificate has a big red cross and says 'certificate is invalid for exchange server usage'

    Working with GoDaddy I re-keyed the certificate (as it's still current on GoDaddy) and reinstalled the intermediate and SSL certificate. This also shows as 'invalid for Exchange server usage'.

    Running get-exchangecertificate |fl and examining the certificate I get this (company and specific data changed):

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule , System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=.com/repository, O="GoDaddy Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter : 30/09/2013 3:50:47 p.m.
    NotBefore : 13/10/2010 11:07:27 a.m.
    PublicKeySize : 2048
    RootCAType : Unknown
    SerialNumber : xxxxxxxxxx
    Services : None
    Status : Invalid
    Subject :
    Thumbprint : SWIRLYPATTERNS

    What LEAPS out is the RootCAType: Unknown which suggests that the certificate path is buggered. However checking the certificate the path SEEMS fine. Thus my uncertainty as to whether this is the right forum. I suspect the chain to be the culprit but I also suspect that it's Exchange that can't see it properly.

    Any help would be very greatly appreciated as I'm totally stumped on this
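
The chain check the post above is reaching for, as an added example that is not part of the original thread: it builds each certificate's chain the way the local machine evaluates it and lists the status flags on every element, so you can see whether the leaf, the intermediate or the root carries the error. `Get-CertChainReport` is a hypothetical helper name; it uses only the .NET `X509Chain` class and assumes the certificate sits in the `LocalMachine\My` store.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell or
# Exchange Management Shell session on the Exchange server.

function Get-CertChainReport {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # 'Online' also surfaces revocation problems; pass 'NoCheck' to look
        # only at trust and usage errors in the local stores.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    # Build() returns $false if any element of the chain fails validation.
    $trusted = $chain.Build($Certificate)

    $depth = 0   # 0 = leaf certificate, highest depth = root
    foreach ($element in $chain.ChainElements) {
        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        if ($flags.Count -eq 0) { $flags = @('NoError') }

        New-Object PSObject -Property @{
            LeafThumbprint = $Certificate.Thumbprint
            ChainTrusted   = $trusted
            Depth          = $depth
            Subject        = $element.Certificate.Subject
            Status         = ($flags -join ', ')
        }
        $depth++
    }
}

# Report on every certificate in the machine store that has a private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-CertChainReport -Certificate $_ } |
    Select-Object LeafThumbprint, ChainTrusted, Depth, Subject, Status |
    Format-Table -AutoSize -Wrap
```

Running it once with the default and once with `-RevocationMode NoCheck` separates revocation-lookup failures from trust or usage errors in the local certificate stores.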

  • #2
    Re: Certificate is invalid for Exchange server usage

    This issue has now been resolved and I hope this post helps people who may be having the same problem.

    It was resolved in the following way:

    GoDaddy tell you to DISABLE all purposes on the root certificate when you install the intermediate certificate.

    If you are experiencing this issue DO NOT DO THIS.

    Out of pure frustration I ENABLED all purposes on the root certificate and suddenly everything worked again.

    I have mailed GoDaddy to get them to check this out and change their documentation for Exchange but that doesn't get my two days back.


    • #3
      Re: Certificate is invalid for Exchange server usage

      Just a warning, I believe you could possibly invalidate the cert by doing this.

      I would ask GoDaddy, but I do remember there being something that if it calls an inter cert, instead of a root cert, it will mark that cert as not valid.

      I cannot find any documents to support this, but it's screaming at me in my head (could also just be the voice that tells me to burn things :P)

      Wofen

      PS : Rep is given for posting the answer once you found it. Thank you.
      Last edited by Wofen; 13th October 2010, 03:46. Reason: Rep given
      Good to be back....


      • #4
        Re: Certificate is invalid for Exchange server usage

        The disabling of the certificate is still valid, however you need to ensure that you disable the correct one and don't install the intermediates in the wrong place. The above two things are very common. It is also ONLY required on Windows 2008, not R2 or Windows 2003.
        I have installed 100s of the certificates, as I sell them, and as long as you do everything as per instructions it works fine.
        Sounds to me like a certificate was put in the wrong place, which can be a pain to remove correctly.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.


        • #5
          Re: Certificate is invalid for Exchange server usage

          The certificates were definitely installed in the right place and the correct (only) root one disabled (first one I have ever done so I was hyper vigilant about following the instructions) BUT it was R2 so I guess that's where the issue lay.


          • #6
            Re: Certificate is invalid for Exchange server usage

            If you made the changes on R2, then that was probably the issue.

            It needs to be remembered that while Windows 2008 and Windows 2008 R2 share an almost similar name, unlike Windows 2003 and Windows 2003 R2, they are very different products. Care must be taken when you read something for Windows 2008 as it doesn't always mean it always applies to 2008 R2.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.
