Exchange/Outlook: A security certificate has expired or is not yet valid
A self-signed Microsoft Exchange 2007 Security Certificate is valid for a period of one year. After this period you’re required to re-issue a new certificate. This can be done using EMS (Exchange Management Shell) and the New-ExchangeCertificate CommandLet (cmdlet).
If you do not update / reissue the certificate, Outlook will complain about this issue by displaying a Security Warning on the user’s display (this one’s in German).

[Screenshot: Outlook security warning, certificate not valid]
Step-by-step (quick tutorial):
- Open an EMS (Exchange Management Shell). On Windows 2008 Server you should do this ‘elevated’ / run as admin.
- Check your existing Exchange Certificate using the Get-ExchangeCertificate cmdlet.
Get-ExchangeCertificate
- Check the values ‘NotAfter’ and ‘NotBefore’. These values show you the validity period for the certificate. Note down the value ‘Thumbprint’ – this value identifies the certificate. We need that value in a later step.
- Now create a new Exchange Certificate using the New-ExchangeCertificate cmdlet.
New-ExchangeCertificate
- Now you have to enable the newly generated certificate using the ‘Enable-ExchangeCertificate’ cmdlet. To do this, you need to specify the ThumbPrint of the certificate and the desired Services. In this illustration we enable the certificate for IMAP, POP, IIS and SMTP.
Enable-ExchangeCertificate -Thumbprint <thumbprint of the new certificate> -Services "IMAP, POP, IIS, SMTP"
- Now it’s time to clean up. Using Remove-ExchangeCertificate you can remove the old and expired Exchange Certificate. As mentioned in Step 2 / 3 you now need the ThumbPrint value of the old certificate to successfully execute this cmdlet.
Remove-ExchangeCertificate -Thumbprint <thumbprint of the old certificate>
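The steps above as one Exchange Management Shell script. This is an added example, not part of the original article; it goes slightly beyond the steps by re-reading the new certificate and confirming its services before the old one is removed. The variable names and the 30-day renewal window are assumptions.

```powershell
# Added example: run in an elevated Exchange Management Shell on the Exchange 2007 server.

# Step 2/3: list all certificates with the fields worth checking.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, NotBefore, NotAfter, Services, IsSelfSigned

# Select self-signed certificates that are expired or about to expire.
# The 30-day window is an assumption; change it to suit your renewal routine.
$cutoff = (Get-Date).AddDays(30)
$old = @(Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt $cutoff })

if ($old.Count -eq 0) {
    Write-Host "No self-signed certificate needs renewal."
}
else {
    # Step 4: create the replacement and keep the returned object for its thumbprint.
    $new = New-ExchangeCertificate
    Write-Host "New certificate" $new.Thumbprint "valid until" $new.NotAfter

    # Step 5: enable it for the services used in the article.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "IMAP, POP, IIS, SMTP"

    # Safety check: re-read the certificate and make sure every service is bound
    # to it before anything is deleted.
    $check    = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    $services = [string]$check.Services
    $missing  = @("IMAP", "POP", "IIS", "SMTP" |
        Where-Object { $services -notmatch $_ })

    if ($missing.Count -gt 0) {
        Write-Host "Not enabled on the new certificate:" ($missing -join ", ")
        Write-Host "Old certificates were left in place."
    }
    else {
        # Step 6: remove the old certificates by thumbprint.
        # Remove-ExchangeCertificate asks for confirmation on each one.
        $old | ForEach-Object {
            Write-Host "Removing" $_.Thumbprint "(NotAfter:" $_.NotAfter ")"
            Remove-ExchangeCertificate -Thumbprint $_.Thumbprint
        }
    }
}
```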
Other cmdlets that relate to this issue are:
Import-ExchangeCertificate
Export-ExchangeCertificate
Now you’re done. If you have any suggestions, corrections or additions, feel free to write a comment.
Thank you for this article. It saved me a lot of digging through Microsoft documentation. It was very ready to do and only took me a few minutes. You would think you could modify the date range to more than one year. Let me know if you have a quick fix for that too. Thanks again!
Thank you very much for posting this! On the security alert I now have two green ticks but one is outstanding. Just wondered if you’re able to assist or post some information for myself and others who are in the same pickle. ‘The security certificate was issued by a company you have not chosen to trust’ is the error and the last red cross. Thanks again.
Thanks a lot!
Very useful and very clear explanations. Did the job perfectly.
If you’re getting the “The security certificate was issued by a company you have not chosen to trust” error in Outlook, the self-signed certificate that was created isn’t trusted on your server. Just do this:
– Launch MMC;
– Add the Certificates snap-in for the local computer;
– Expand Certificates (on Local Computer);
– Expand Personal;
– Click the Certificates folder;
– Right click on the self-signed certificate (the one that’s used with Exchange) and click Copy;
– Expand Trusted Root Certification Authorities;
– Right click the Certificates folder (under Trusted Root…) and click Paste.