Shulou(Shulou.com)06/02 Report--

Recently, through collection, sorted out some problems of outlook client bullet certificate warning, and shared them with you.

Error one:

The certificate has expired or is not yet valid

Troubleshooting steps

We can check the validity period of the certificate in two ways:

a. On the Outlook client, check whether the certificate is valid by clicking "View Certificate":

b. On the server side, use the following command to view:

Get-ExchangeCertificate | fl Subject,NotBefore,NotAfter,Services

This problem is usually caused by the expiration of the certificate. In this case, you can Renew the certificate in ECP/EMC and reassign the service.

Error 2:

The company that issued the security certificate is not a company you trust. Please check the certificate to determine whether you want to trust the security certificate verification authority

Troubleshooting steps

The pop-up window of this certificate usually appears because the self-signed certificate or internal CA certificate is accessed from the public network. You can check from ECP whether the certificate is self-issued or issued by an internal CA.

Troubleshooting and solutions are as follows:

a. Using self-signed certificate

i. Click "View Certificate" to import the certificate into the root trust directory of the current computer:

ii. Use a certificate issued by an internal CA, or purchase a three-party certificate instead of an existing self-signed certificate. (if the problem still occurs with the internal CA certificate, you can manually import the certificate as shown above)

b. Access on the public network using a certificate issued by the internal CA:

i. Manually import the internal CA certificate into the local root trust directory

ii. Apply for a three-party certificate to replace the existing internal CA certificate

Error 3:

The name on the security certificate is invalid or does not match the name of the website

Troubleshooting steps

This error is due to the difference between the SAN contained in the certificate being used and the URL that Outlook is trying to access.

You can view it in two ways:

a. Directly click "View Certificate" to check this parameter "Subject Alternative Name"

b. Use the command line to view

i. On the server side, use the following command to view the domain names contained in the certificate:

Get-ExchangeCertificate | fl Subject,CertificateDomains,Services

ii. Use the following command to view the URL used by each service of the server

Services used by the Outlook side:

Get-OutlookAnywhere | Select Server,InternalHostName,ExternalHostName

Get-MAPIVirtualDirectory | Select Server,InternalURL,ExternalURL

Get-OABVirtualDirectory | Select Server,InternalURL,ExternalURL

Get-WebServicesVirtualDirectory | Select Server,InternalURL,ExternalURL

Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalUri

Other services (web + mobile + Powershell):

Get-OWAVirtualDirectory | Select Server, InternalURL,ExternalURL

Get-ECPVirtualDirectory | Select Server,InternalURL,ExternalURL

Get-ActiveSyncVirtualDirectory | Select Server,InternalURL,ExternalURL

Get-PowerShellVirtualDirectory | Select Server,InternalURL,ExternalURL

Solution (choose one of the two):

Use a command similar to the following to modify the virtual directory of each service so that its URL is the same as the record in the certificate. (ensure that the modified URL can be parsed successfully)

Set-OABVirtualDirectory-Identity "Server1\ OAB (Default Web Site)"-ExternalUrl "https://E13.domain.com/OAB" re-apply for a certificate to ensure that the correct record is included.

The following are additional considerations when applying certificates:

Certificates are server-based, so when there are multiple Exchange servers (installed in roles) in the environment, you usually need to import the certificate to another server after installing or updating the certificate for one server.

When the IIS service is assigned to a new certificate, you need to run IISReset in CMD with administrator privileges to force an update of the IIS service.

The service on this certificate needs to be assigned to another certificate before the certificate can be deleted successfully.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.