Hi.
I have installed Exchange 2019 for testing purposes.
I have purchased a domain name and a certificate.
After I installed it, the status shows: invalid.
Thank you.


Like Andy mentioned above, if we get the invalid status for the certificate imported to the Exchange server, we need to make sure the entire chain is accessible.
Please use the command below in EMS to get the detailed information of the invalid certificate. You could share the results here; remember to clear your personal information.
Get-ExchangeCertificate -Thumbprint "XXXXXXX" | Format-List
Especially the RootCAType; I have seen some issues caused by an Unknown RootCA, just like this thread discussed: Added new SSL cert - showing as "invalid"
Fix this issue and see how it looks
You need the Root CA certificate for this. Check it on the vendor website and get it. You have to import it to the certificate console by the following method:
Launch a new Microsoft Management Console (Start -> Run, mmc.exe) and add the Certificates snap-in to it, connecting to the Computer Account for the Local Computer.
Navigate to Trusted Root Certification Authorities. Right-click on Certificates and choose All Tasks and then Import.
And if you have performed the operation above correctly, the status changes to "revocation check failed". Check if the CRL paths in the certificate can be reached. The paths can be found by opening the certificate, clicking on Details, and scrolling to 'CRL Distribution Paths'. Here you find a path:
CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://xxx.com/xxx.crl
Then copy the URL and paste it in Internet Explorer. This path must be resolvable.
Refer to this link to get more information: Exchange 2013 - Trusted Certificate - Invalid
In addition, I would recommend you read the article here, which discusses Exchange certificates that include the .local extension. It may not lead to the invalid issue; however, it's not the suggested way. Even though it may have been possible for them to be issued an SSL certificate with .local names in it today, when that certificate expires it may not be possible to renew it.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
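The checks described in this answer (locating the thumbprint, confirming the whole chain builds, and reaching each CRL URL from the server itself), as an added PowerShell example that is not part of the original answer. It assumes the certificate sits in the Cert:\LocalMachine\My store and reads it directly rather than through EMS; `XXXXXXX` is the answer's own placeholder.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Exchange server.
# 'XXXXXXX' is the answer's placeholder: substitute the Thumbprint value (a hex string)
# from the listing printed below. Assumption: the certificate is in LocalMachine\My.
$Thumbprint = 'XXXXXXX'
$store = Get-ChildItem Cert:\LocalMachine\My
$store | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

$cert = $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# Build the chain with online revocation checking, as a validating client would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$chainOk = $chain.Build($cert)

# One entry per chain element. A missing intermediate or untrusted root appears as
# PartialChain / UntrustedRoot; an unreachable CRL as RevocationStatusUnknown or
# OfflineRevocation.
$chain.ChainElements | ForEach-Object {
    $flags = $_.ChainElementStatus.Status -join ', '
    [pscustomobject]@{
        Subject = $_.Certificate.Subject
        Issuer  = $_.Certificate.Issuer
        Status  = $(if ($flags) { $flags } else { 'OK' })
    }
} | Format-List
"Chain builds cleanly: $chainOk"

# Read the CRL Distribution Points extension (OID 2.5.29.31) of every element and
# fetch each HTTP URL from this server, instead of pasting it into a browser.
foreach ($element in $chain.ChainElements) {
    $cdp = $element.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }   # root certificates usually carry no CDP
    foreach ($m in [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)')) {
        $url = $m.Groups[1].Value
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            '{0} -> HTTP {1}, {2} bytes' -f $url, $r.StatusCode, $r.RawContentLength
        } catch {
            '{0} -> FAILED: {1}' -f $url, $_.Exception.Message
        }
    }
}
```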
Hi @joyceshen-MSFT
OK, so first, I don't succeed with the first point, Get-ExchangeCertificate -Thumbprint "XXXXXXX" | Format-List.
I have tried to run the command from the Exchange server in PowerShell, but it does not find the certificate. I have replaced the "XXXXX" by the name of my certificate.
So for the second point, I have added the "ca_bundle.crt" in my trusted root certificate authorities, and after that the status changed to "revocation check failed".
I have checked the CRL with my navigator, and the link resolves (it actually downloaded a crl file on my computer).
But the status still shows "revocation check failed".
After 30 min, the status finally changed to "valid".
Thank you.
I got an issue with my DigiCert certificate in my Clicktests Windows software. Our ClickTest software users complained to us about our software.
Unauthorised software install in our system.
Clicktests software is not authorised.
Unable to install software.
Official Website - https://www.clicktests.com/
I'm wondering if the issue couldn't come from the fact that I have used .local extension for the site and the exchange?
I did add belxchange.com as accepted domain though.
I haven't added anything.
Those are 2 new VMs that I've just generated for this lab.
One Windows server 2019 for DC and one Server 2019 core for exchange.
Nothing else was added.
No, I'm asking about the certificate path in the properties of the cert itself.
If you access that tab, does it show all the certs are installed locally and the intermediate cert is installed (if needed)?
Does this server have access to the internet outbound? If not, the CRL check will fail
anonymous userDavid
Yes, I just realized that my GW was wrong but I have fixed it and the server has access.
Now, as explained in the comment up there, after having added the "ca_bundle.crt" in my trusted root certificate authorities, the status changed to "revocation check failed".
I have checked the CRL with my navigator, and the link resolves (it actually downloaded a crl file on my computer).
You mean to copy it here right?

Did you add any required intermediate certs to the intermediate store? I can't tell from your pics.
What's listed under "certificate path" for that cert?
Ensure you have the full certificate chain installed.
You can download and test:
https://www.digicert.com/support/tools/certificate-utility-for-windows
What exact process did you use to create and install the certs? Was it all done with the Exchange Mgmt tools or EAC?
I have downloaded the program.
How do I exactly test the certificate?
Here is the result from the certificate decoder of sslshopper.com
I have generated a CSR and a private key, and sent the CSR to zerossl, and they have issued the certificate.
I have converted the CRT in PFX format and imported it in exchange.
When you tested it, did it have the entire certificate chain installed on the server?
Did you generate the CSR within Exchange?
Is it accessible from the outside?
https://www.digicert.com/help/
enter the URL and test
It's not accessible right now because it's in a test lab on one of my VMs.
I haven't redirected the right ports yet.
That's why I can't test it from outside.