Wednesday, October 5, 2011

The Certificate is Invalid for Exchange Server Usage

Recently I came across a problem while installing a new certificate on my Exchange 2010 server. Once I had installed the certificate via EMC (Exchange Management Console), I found out that I could not assign any services to it. In the status column for the certificate, there was an error displayed "The Certificate is Invalid For Exchange Server Usage".

I checked the certificate details to ensure everything was correct and superficially, everything looked fine. I checked the thread of trust, and it was correct as well. I then did some searching on the web and found this excellent article on the issue http://exchangeserverpro.com/exchange-server-2010-certificate-invalid-for-exchange-server-usage-error .

Unfortunately, my issue was not as easily solved as listed in the article above. So I decided to tackle the problem from its foundation.

1. I opened up the Certificate mmc.
2. Here I found the issue! For some unknown reason, my certificate's Intermediate CA and Root CA certificate were in the incorrect certificate store (they were in the Personal certificate store!).
3. I exported the Root CA and Intermediate CA certificates and then deleted them from the Personal Certificate Store.
4. I imported the Root CA into the Trusted Root Certificate Authority and the Intermediate CA certificate into the Intermediate Certificate Authorities certificate Store.

I then refreshed the EMC and viola, the message beside the Certificate now read The Certificate is valid for Exchange Server usage :)

3 comments:

Leon4 said...

i dont get it work. :(

Nivlesh Chandra said...

Have you tried the steps above? Do you have any more info about your problem?

Dimitri Goossens said...

Hello Nivlesh
I'm experiencing the same problem.
In our case the path is correct too, and the certificate appears as valid when opened in the EMC.
(I did had to add the intermediate certificate first)

In the meantime I already rebooted the server, but the certificate still appears as valid.

I'm using a globalsign wildcard certificate.

Something strange is that when I open the certificate (general tab) it doesn't say :
Ensures the identity of a remote computer
Proves your identity to a remote computer

Here I only see some sort of id's (numbers with dots inbetween).

When I perform a get-exchangecertificate | fl I see this entry in the results :
RootCAType : Unknown

Don't know why this is shown (on other servers with a wildcard cert installed I receive :
RootCAType : ThirdParty