AlainBensimon-7109 asked ClickTests-1166 answered

Certificate invalid in Exchange 2019

Hi.
I have installed Exchange 2019 for testing purposes.
I have purchased a domain name and a certificate.
After I installed it, the status shows: invalid.
Thank you.


Ok, I'm not familiar with this cert authority, but I would copy that cert to the "Trusted Root Certificate Authorities" container, refresh EAC and see if it shows as valid.

joyceshen-MSFT answered AlainBensimon-7109 commented

Hi @AlainBensimon-7109

Like Andy mentioned above, if we get the invalid status for the certificate imported to the Exchange server, we need to make sure the entire chain is accessible.

Please use the command below in EMS to get the detailed information of the invalid certificate. You could share the results here; remember to clear your personal information.

 Get-ExchangeCertificate -Thumbprint "XXXXXXX" | Format-List

Especially the RootCAType: I have seen some issues caused by an Unknown RootCA, just like this thread discussed: Added new SSL cert - showing as "invalid"

Fix this issue and see how it looks.

You need the Root CA certificate for this. Check for it on the vendor website and get it. You have to import it into the certificate console by the following method:
Launch a new Microsoft Management Console (Start -> Run, mmc.exe) and add the Certificates snap-in to it, connecting to the Computer Account for the Local Computer.
Navigate to Trusted Root Certification Authorities. Right-click on Certificates and choose All Tasks and then Import.

And if you have performed the operation above correctly, the status changes to "revocation check failed". Check whether the CRL paths in the certificate can be reached. The paths can be found by opening the certificate, clicking on Details and scrolling to 'CRL Distribution Points'. Here you find a path:

CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://xxx.com/xxx.crl

Then copy the URL and paste it into Internet Explorer. This path must be resolvable.

Refer to this link to get more information: Exchange 2013 - Trusted Certificate - Invalid

In addition, I would recommend you read the article here, which is about Exchange certificates that include a .local extension. It may not lead to the invalid issue; however, it's not the suggested way. Even though it may have been possible for them to be issued an SSL certificate with .local names in it today, when that certificate expires it may not be possible to renew it.

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
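The checks in the answer above, gathered into one Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft; it locates the certificate by subject (the -Thumbprint parameter wants the hex thumbprint, not the certificate name), prints the fields that explain an Invalid status, and fetches every CRL distribution point from the server itself. The subject pattern is an assumed placeholder.

```powershell
# Added example (not from the thread): run in the Exchange Management Shell.
# $SubjectPattern is an assumed placeholder; replace it with your own domain.
$SubjectPattern = '*mail.example.com*'

$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like $SubjectPattern } |
    Select-Object -First 1
if (-not $cert) { throw "No Exchange certificate matched $SubjectPattern" }

# Status should be Valid; RootCAType Unknown means the issuing root is not in the
# Trusted Root Certification Authorities store of the computer account.
$cert | Format-List Subject, Thumbprint, Status, RootCAType, NotAfter, CertificateDomains

# Read the CRL Distribution Points extension (OID 2.5.29.31) and pull out the URLs
# from its formatted text ("URL=http://.../x.crl", as shown in the answer).
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = @()
if ($cdpExt) {
    $crlUrls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Each CRL must be downloadable from the Exchange server (a working gateway and
# outbound HTTP), not only from your workstation; until the fetch succeeds and
# the CRL is cached, Exchange keeps reporting "revocation check failed".
foreach ($url in $crlUrls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        '{0} -> HTTP {1}, {2} bytes' -f $url, $r.StatusCode, $r.RawContentLength
    } catch {
        '{0} -> FAILED: {1}' -f $url, $_.Exception.Message
    }
}

# Cross-check chain building and revocation with the Windows CA tooling:
# export the public certificate and let certutil fetch every AIA/CRL URL.
$tmp = Join-Path $env:TEMP ("{0}.cer" -f $cert.Thumbprint)
[IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
certutil -urlfetch -verify $tmp | Select-String -Pattern 'Revocation|Verified|Error|CRL'
```

If the CRL fetch fails only from the server, fix the server's gateway, DNS or proxy rather than the certificate; the thread shows the status flipping to "valid" on its own once the CRL could be retrieved and cached.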




Hi @joyceshen-MSFT
Ok, so first, I don't succeed with the first point, Get-ExchangeCertificate -Thumbprint "XXXXXXX" | Format-List.
I have tried to run the command from the Exchange server in PowerShell, but it does not find the certificate. I have replaced the "XXXXX" with the name of my certificate.

So for the second point, I have added the "ca_bundle.crt" to my trusted root certificate authorities, and after that the status changed to "revocation check failed".
I have checked the CRL with my navigator, and the link resolves (it actually downloaded a crl file on my computer).

But the status still shows "revocation check failed".


After 30 min, the status finally changed to "valid".
Thank you.

ClickTests-1166 answered

I got issues with my DigiCert certificate in my ClickTests Windows software. Our ClickTests software users complained to us about our software:

  1. Unauthorised software install on our system.

  2. ClickTests software is not authorised.

  3. Unable to install software.

Official Website - https://www.clicktests.com/


AlainBensimon-7109 answered

I'm wondering if the issue couldn't come from the fact that I have used the .local extension for the site and the Exchange server?
I did add belxchange.com as accepted domain though.

AlainBensimon-7109 answered AndyDavid commented

I haven't added anything.
Those are 2 new VMs that I've just generated for this lab.
One Windows Server 2019 for the DC and one Server 2019 Core for Exchange.
Nothing else was added.


No, I'm asking about the certificate path in the properties of the cert itself.
If you access that tab, does it show that all the certs are installed locally and the intermediate cert is installed (if needed)?


Yes, I just realized that my GW was wrong but I have fixed it and the server has access.
Now, as explained in the comment up there, after having added the "ca_bundle.crt" to my trusted root certificate authorities, the status changed to "revocation check failed".
I have checked the CRL with my browser, and the link resolves (it actually downloaded a CRL file to my computer).

AlainBensimon-7109 answered AndyDavid commented

You mean to copy it here, right?


Yes, and the third-party root as well, if necessary.


I tried, but it didn't help.


Did you add any required intermediate certs to the intermediate store? I can't tell from your pics.
What's listed under "certificate path" for that cert?

AndyDavid answered AlainBensimon-7109 commented

Ensure you have the full certificate chain installed.
You can download and test:
https://www.digicert.com/support/tools/certificate-utility-for-windows

What exact process did you use to create and install the certs? Was it all done with the Exchange management tools or the EAC?


I have downloaded the program.
How do I exactly test the certificate?
Here is the result from the certificate decoder of sslshopper.com (screenshot not preserved).

I have generated a CSR and a private key and sent the CSR to ZeroSSL, and they have issued the certificate.
I have converted the CRT to PFX format and imported it into Exchange.



When you tested it, did it have the entire certificate chain installed on the server?
Did you generate the CSR within Exchange?


Is it accessible from the outside?

https://www.digicert.com/help/


Enter the URL and test.


It's not accessible right now because it's in a test lab on one of my VMs.
I haven't redirected the right ports yet.
That's why I can't test it from outside.
