Exchange/Outlook: A security certificate has expired or is not yet valid


A self-signed Microsoft Exchange 2007 security certificate is valid for one year. After that period you have to issue a new certificate. This can be done in the EMS (Exchange Management Shell) with the New-ExchangeCertificate cmdlet.

If you do not reissue the certificate, Outlook complains by displaying a Security Warning on the user’s display (this one’s in German).

Outlook_SecurityWarning Certificate not valid

Step-by-step (quick tutorial):

  1. Open an EMS (Exchange Management Shell). On Windows 2008 Server you should do this ‘elevated’ / run as admin.
  2. Check your existing Exchange certificate using the Get-ExchangeCertificate cmdlet.

    Get-ExchangeCertificate

  3. Check the values ‘NotAfter’ and ‘NotBefore’. These values show you the validity period of the certificate. Note down the value ‘Thumbprint’ – this value identifies the certificate. We need that value in a later step.
  4. Now create a new Exchange certificate using the New-ExchangeCertificate cmdlet.

    New-ExchangeCertificate

  5. Now you have to enable the newly generated certificate using the ‘Enable-ExchangeCertificate’ cmdlet. To do this, you need to specify the Thumbprint of the certificate and the desired services. In this illustration we enable the certificate for IMAP, POP, IIS and SMTP.

    Enable-ExchangeCertificate

  6. Now it’s time to clean up. Using Remove-ExchangeCertificate you can remove the old, expired Exchange certificate. As mentioned in steps 2 and 3, you now need the Thumbprint value of the old certificate to execute this cmdlet successfully.

    Remove-ExchangeCertificate
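
The six steps above as one Exchange Management Shell script. This is an added example, not code from the original post; it assumes an elevated EMS session on the Exchange 2007 server and the same four services as step 5, and the variable names are illustrative.

```powershell
# Added example: run as a script in an elevated Exchange Management Shell
# on the Exchange 2007 server. Variable names are illustrative.

# Steps 2-3: list certificates with thumbprint and validity period.
$now   = Get-Date
$certs = @(Get-ExchangeCertificate)
$certs | Format-List Thumbprint, Subject, Services, IsSelfSigned, NotBefore, NotAfter

# Self-signed certificates that are expired or not yet valid.
$stale = @($certs | Where-Object {
    $_.IsSelfSigned -and (($_.NotAfter -lt $now) -or ($_.NotBefore -gt $now))
})
if ($stale.Count -eq 0) {
    Write-Host "No expired or not-yet-valid self-signed certificate found."
    return
}

# Step 4: create a new self-signed certificate with the default settings.
$new = New-ExchangeCertificate
Write-Host "New certificate: $($new.Thumbprint), valid until $($new.NotAfter)"

# Step 5: bind it to the services named in the post.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IMAP, POP, IIS, SMTP"

# Re-read the new certificate and confirm it is valid right now
# before touching the old one.
$check   = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$checked = Get-Date
if (($check.NotBefore -gt $checked) -or ($check.NotAfter -le $checked)) {
    Write-Warning "New certificate is not valid at $checked; old certificates left in place."
    return
}
$check | Format-List Thumbprint, Services, NotBefore, NotAfter

# Step 6: remove the old certificates by thumbprint
# (Remove-ExchangeCertificate prompts for confirmation by default).
foreach ($old in $stale) {
    Write-Host "Removing $($old.Thumbprint) (NotAfter $($old.NotAfter))"
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
}
```

The old certificates are removed only after the new one has been enabled and re-read with a current validity period, so a failed step 4 or 5 leaves the existing bindings untouched.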

Other cmdlets that relate to this issue are:

Import-ExchangeCertificate
Export-ExchangeCertificate

Now you’re done. If you have any suggestions, corrections or additions, feel free to write a comment.

4 thoughts on “Exchange/Outlook: A security certificate has expired or is not yet valid”

  1. Thank you for this article. It saved me a lot of digging through Microsoft documentation. It was very ready to do and only took me a few minutes. You would think you could modify the date range to more than one year. Let me know if you have a quick fix for that too. Thanks again!

  2. Thank you very much for posting this! On the security alert I now have two green ticks but one is outstanding. Just wondered if you’re able to assist or post some information for myself and others who are in the same pickle. ‘The security certificate was issued by a company you have not chosen to trust’ is the error and the last red cross. Thanks again.

  3. If you’re getting the “The security certificate was issued by a company you have not chosen to trust” error in Outlook, the self-signed certificate that was created isn’t trusted on your server. Just do this:
    – Launch MMC;
    – Add the Certificates snap-in for the local computer;
    – Expand Certificates (on Local Computer);
    – Expand Personal;
    – Click the Certificates folder;
    – Right click on the self-signed certificate (the one that’s used with Exchange) and click Copy;
    – Expand Trusted Root Certification Authorities;
    – Right click the Certificates folder (under Trusted Root…) and click Paste.
