Troubleshooting Certificate Validation Errors

Exchange 2010
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

This topic explains how to resolve certificate validation errors or refers to documentation that may help you resolve the errors.

For more information about how the Microsoft Exchange Transport service selects certificates for Transport Layer Security (TLS), see the following topics:

This is an informational status message. By default, the certificate installed with Exchange Server 2010 is self-signed: its issuer and subject are the same name, so nothing but the server itself vouches for it. A self-signed certificate still gives you an encrypted session, but a remote party has no chain to validate, which is why it's generally a best practice to use certificates from a trusted third-party certification authority (CA), and why you need one for Domain Security, where the partner organization must validate the certificate chain.

For more information, see Using PKI on the Edge Transport Server for Domain Security.

This status message indicates that neither the subject name nor the subject alternative name (SAN) field of the certificate contains the fully qualified domain name (FQDN) that the Send connector or Receive connector presents during TLS. To correct this error, create a new certificate whose subject or SAN matches the Fqdn of the connector that tried to validate it, or change the connector's Fqdn to a name that the existing certificate already covers.

For more information, see Understanding TLS Certificates
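The two checks above (is the certificate self-signed, and does it cover the connector names) can be scripted in the Exchange Management Shell. This is an added example, not code from the original page; it assumes it runs on a Hub or Edge Transport server with the Exchange cmdlets loaded, and the wildcard handling is my own simplification (one label only).

```powershell
# Added example (not from the original page). Lists SMTP-enabled Exchange
# certificates, flags self-signed ones, and compares their names with the
# Fqdn that each Send/Receive connector presents in TLS.

# A self-signed certificate has the same DN as subject and issuer
# (Get-ExchangeCertificate also exposes this as the IsSelfSigned property).
$certs = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
foreach ($c in $certs) {
    $selfSigned = ($c.Issuer -eq $c.Subject)
    "{0}  SelfSigned={1}  Status={2}" -f $c.Thumbprint, $selfSigned, $c.Status
    "    Domains: " + (($c.CertificateDomains | ForEach-Object { "$_" }) -join ', ')
}

# A Receive connector's Fqdn is the name it presents in the TLS handshake; a
# Send connector's Fqdn is the name it announces in EHLO. Both must appear in
# the subject or SAN of the certificate used for that connector.
$fqdns = @()
$fqdns += Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }
$fqdns += Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }
$fqdns = $fqdns | Where-Object { $_ } | Sort-Object -Unique

function Test-NameCovered {
    # Exact match, or a single-label wildcard (*.contoso.com covers mail.contoso.com
    # but not a.b.contoso.com). Comparison is case-insensitive (-eq in PowerShell).
    param([string]$Name, [string[]]$CertNames)
    foreach ($cn in $CertNames) {
        if ($cn -eq $Name) { return $true }
        if ($cn.StartsWith('*.')) {
            $suffix = $cn.Substring(1)     # ".contoso.com"
            if ($Name.EndsWith($suffix) -and $Name.Split('.').Count -eq $cn.Split('.').Count) {
                return $true
            }
        }
    }
    return $false
}

foreach ($f in $fqdns) {
    $covered = $certs | Where-Object {
        Test-NameCovered -Name $f -CertNames ($_.CertificateDomains | ForEach-Object { "$_" })
    }
    if ($covered) {
        "OK       $f is covered by " + (($covered | ForEach-Object { $_.Thumbprint }) -join ', ')
    } else {
        "MISMATCH $f is not in the subject or SAN of any SMTP-enabled certificate"
    }
}
```

Any connector reported as MISMATCH is one that will log this status message; fix it with a new certificate that includes that name or by changing the connector's Fqdn.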

This status message indicates that the Microsoft Exchange Transport service was unable to build a valid certificate chain, or that the signature on the certificate does not verify with the public key of the issuing certificate (for example, because the issuer certificate in the store is not the one that actually signed it).

This status message indicates that the certificate used for this operation does not chain to a root certification authority in the local computer's Trusted Root Certification Authorities store. To trust this certificate, the root CA certificate for its chain must be present in that store on this computer. Obtain the root certificate from the CA and confirm its thumbprint out of band before importing it: anything placed in the Trusted Root store is trusted for every purpose on the computer, not just SMTP.

For more information about how to manually add certificates to the local certificate store, see the Help file for the Certificate Manager snap-in in the Microsoft Management Console (MMC).

This status message indicates that you must enable the certificate for use in the current application. For example, if you're trying to use this certificate for Domain Security, the certificate must be enabled for SMTP.

For more information about how to enable certificates, see Enable-ExchangeCertificate.

Alternatively, this status message may indicate that the certificate you're using doesn't have the correct data in the Enhanced Key Usage field. All certificates used for TLS must contain the Server Authentication object identifier (OID 1.3.6.1.5.5.7.3.1) in the Enhanced Key Usage extension. If you're trying to use a certificate for TLS that doesn't contain a Server Authentication OID, you must create a new certificate; the extension cannot be added to an existing one.

For more information, see Understanding TLS Certificates.
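The following added example (my code, not from the original page or from Microsoft) reads the Enhanced Key Usage extension of a certificate in the local machine store, and only enables it for SMTP with Enable-ExchangeCertificate if the Server Authentication OID is present. The thumbprint is a placeholder you replace with a value from Get-ExchangeCertificate.

```powershell
# Added example (not from the original page). Verify the EKU before enabling
# a certificate for SMTP. Run in the Exchange Management Shell, elevated.
$thumbprint    = 'PLACEHOLDER_THUMBPRINT'   # assumption: replace with a real thumbprint
$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # id-kp-serverAuth
$ekuOid        = '2.5.29.37'                # Enhanced Key Usage extension

# Open LocalMachine\My read-only and locate the certificate by thumbprint.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
$store.Close()
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

$ekuRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
if (-not $ekuRaw) {
    # No EKU extension at all: Exchange TLS needs an explicit Server Authentication
    # entry, so this certificate has to be replaced rather than enabled.
    Write-Warning 'Certificate has no Enhanced Key Usage extension; request a new certificate.'
    return
}

# Decode the extension into the typed EKU object so the OIDs can be enumerated.
$eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuRaw, $false)
$eku.EnhancedKeyUsages | ForEach-Object { "  EKU: {0} ({1})" -f $_.FriendlyName, $_.Value }

if ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) {
    # Services are cumulative: enabling SMTP does not remove IIS/POP/IMAP already set.
    # Exchange prompts before replacing the default SMTP certificate; add -Force to skip that.
    Enable-ExchangeCertificate -Thumbprint $thumbprint -Services SMTP
    Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Subject, CertificateDomains, Services, Status
} else {
    Write-Warning 'No Server Authentication OID in EKU; this certificate cannot be used for TLS. Create a new one.'
}
```

If the EKU check fails, generating a new request with New-ExchangeCertificate produces one that includes Server Authentication; a certificate issued without it cannot be repaired in place.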

This status message indicates that the local system time is incorrect, that the certificate has expired (or is not yet valid), or that the clock on the system that issued the certificate was wrong when it signed it, so the validity period in the certificate is itself wrong. Verify that the following conditions are true:

  • The local computer clock is accurate.
  • The certificate has not expired.
  • The sending system clock is accurate.

If the certificate has expired, you must generate a new certificate.

For more information, see Understanding TLS Certificates.
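The three conditions in the list above can be checked together. This is an added example (not from the original page): it measures the local clock offset against a time source with w32tm, then compares each SMTP certificate's validity window with the local time. The time source name is an assumption; on a domain member use the PDC emulator or your organization's NTP server.

```powershell
# Added example (not from the original page). Clock skew and certificate
# validity check for SMTP certificates, run in the Exchange Management Shell.
$timeSource     = 'time.windows.com'   # assumption: use your domain's time source
$maxSkewSeconds = 300                  # tolerance for reporting; certificate dates themselves are absolute

# w32tm /stripchart with /dataonly prints one line per sample: "hh:mm:ss, +00.0123456s"
# (or "hh:mm:ss, error: 0x...." when the source cannot be reached).
$line = w32tm /stripchart /computer:$timeSource /samples:1 /dataonly | Select-Object -Last 1
if ($line -match ',\s*([+-]?\d+(\.\d+)?)s') {
    $offset = [double]$matches[1]
    if ([math]::Abs($offset) -gt $maxSkewSeconds) {
        Write-Warning "Local clock is off by $offset s relative to $timeSource"
    } else {
        "Clock offset from ${timeSource}: $offset s"
    }
} else {
    Write-Warning "Could not measure clock offset from $timeSource (NTP blocked or source unreachable?): $line"
}

# Compare validity dates with the local clock. NotBefore/NotAfter are in local time
# on the ExchangeCertificate object, as is Get-Date, so the comparison is direct.
$now = Get-Date
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } | ForEach-Object {
    $state = if ($now -lt $_.NotBefore)                  { 'NOT YET VALID' }
             elseif ($now -gt $_.NotAfter)               { 'EXPIRED' }
             elseif (($_.NotAfter - $now).TotalDays -lt 30) { 'EXPIRES SOON' }
             else                                        { 'OK' }
    "{0,-14} {1}  valid {2:u} .. {3:u}  {4}" -f $state, $_.Thumbprint, $_.NotBefore, $_.NotAfter, $_.Subject
}
```

A certificate reported as NOT YET VALID on a machine whose clock checks out points at the issuing system's clock, the third condition in the list; an EXPIRED one needs replacing regardless of clock state.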

This status message indicates that the certificate chain is corrupted or otherwise unreliable, for example because an intermediate certificate in the chain is damaged or is not the one that signed the next certificate down. Generate a new certificate by using the New-ExchangeCertificate cmdlet, or contact your certification authority to validate the certificate chain that was used for this certificate.

This status message indicates that the certificate is invalid because it was signed by an end-entity certificate and not by a certification authority. An end-entity certificate is one issued for a specific application's cryptographic use (a server or client certificate) and does not carry the CA flag in its Basic Constraints extension, so it is not permitted to issue other certificates. Generate a new certificate by using the New-ExchangeCertificate cmdlet, or contact your certification authority to validate the certificate.
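The chain-related messages above (unable to validate the chain or signature, untrusted root, corrupted chain, issued by an end-entity certificate) all come from the same CryptoAPI chain build. The following added example (not code from the original page) runs that build for one certificate with X509Chain, prints each element with its status flags, and, only when the single remaining problem is UntrustedRoot, imports a root CA certificate file into the LocalMachine\Root store with certutil. The thumbprint and file path are placeholders.

```powershell
# Added example (not from the original page). Rebuild a certificate's chain,
# report per-element status, and import a verified root CA if that is all that
# is missing. Run elevated in the Exchange Management Shell.
$thumbprint  = 'PLACEHOLDER_THUMBPRINT'  # assumption: replace with a real thumbprint
$rootCerPath = 'C:\certs\RootCA.cer'     # assumption: root CA certificate file obtained from the CA

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
$store.Close()
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

function Get-ChainStatus {
    # Builds the chain and returns the comma-joined overall status flags ('NoError' if clean).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped here on purpose so trust/structure problems are not
    # mixed up with CRL reachability problems (those are handled separately).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    $i = 0
    foreach ($el in $chain.ChainElements) {
        $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $flags) { $flags = 'NoError' }
        Write-Host ("[{0}] {1}" -f $i, $el.Certificate.Subject)
        Write-Host ("     issuer: {0}" -f $el.Certificate.Issuer)
        Write-Host ("     status: {0}" -f $flags)
        $i++
    }
    $overall = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $overall) { $overall = 'NoError' }
    Write-Host "Chain builds: $built   overall: $overall"
    return $overall
}

$status = Get-ChainStatus -Certificate $cert

# Interpretation:
#   UntrustedRoot           chain is structurally sound but ends at a root this computer does not trust
#   PartialChain            an issuer certificate could not be found at all
#   NotSignatureValid       a signature did not verify with the issuer's public key
#   InvalidBasicConstraints a non-CA (end-entity) certificate appears as an issuer
# Only the first is fixed by trusting a root; the others need a new certificate from the CA.
if ($status -eq 'UntrustedRoot') {
    if (-not (Test-Path $rootCerPath)) { throw "Root CA file $rootCerPath not found" }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath
    # Check the thumbprint against the value published by the CA before trusting it:
    # the Trusted Root store grants trust for all purposes on this machine.
    Write-Host ("About to trust root: {0}  thumbprint {1}" -f $root.Subject, $root.Thumbprint)
    certutil -addstore Root $rootCerPath
    Get-ChainStatus -Certificate $cert | Out-Null   # should now report NoError
}
```

The chain elements print from the end-entity certificate (element 0) up to the root, so the first element showing a non-NoError status is where the chain breaks.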

Contact your certification authority to resolve this issue.

Contact your certification authority to resolve this issue.

This status message indicates that the revocation server for the certificate could not be reached. In some cases, this is a temporary error because the revocation server is malfunctioning. Otherwise, make sure that this computer can reach the URLs listed in the certificate's CRL Distribution Points and Authority Information Access (OCSP) extensions, normally over HTTP. If there is a firewall or proxy server between this computer and the revocation server, allow outbound HTTP to those URLs and configure the WinHTTP proxy (netsh winhttp set proxy), which is what CryptoAPI uses for revocation fetches; it is separate from the browser proxy settings of any user account.

For more information, see Using PKI on the Edge Transport Server for Domain Security.

This status message indicates that the revocation check was interrupted by a general network failure (DNS resolution failure, connection reset, or timeout) while fetching the CRL or OCSP response. If there is a firewall or proxy server between this computer and the revocation server, make sure that outbound HTTP to the revocation URLs is allowed and that the WinHTTP proxy settings CryptoAPI uses point at a proxy that can reach them.

For more information, see Using PKI on the Edge Transport Server for Domain Security.
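For both revocation messages above, the practical question is whether this server can fetch the CRL and OCSP URLs embedded in the certificate. The following added example (my code, not from the original page) extracts those URLs from the CRL Distribution Points and Authority Information Access extensions, tries each one from PowerShell, and then lets CryptoAPI do its own retrieval through certutil so that the WinHTTP proxy path is exercised too. The thumbprint is a placeholder; only http/https URLs are tested, so an ldap:// distribution point is ignored.

```powershell
# Added example (not from the original page). Test reachability of a
# certificate's revocation URLs from this server. Run elevated.
$thumbprint = 'PLACEHOLDER_THUMBPRINT'   # assumption: replace with a real thumbprint

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
$store.Close()
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# The URLs live inside ASN.1 in the CRL Distribution Points (2.5.29.31) and
# Authority Information Access (1.3.6.1.5.5.7.1.1) extensions. Format($true)
# returns CryptoAPI's decoded multi-line text, from which the URLs are picked out.
$urls = @()
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        $urls += [regex]::Matches($ext.Format($true), 'https?://[^\s,\]]+') | ForEach-Object { $_.Value }
    }
}
$urls = $urls | Sort-Object -Unique
if (-not $urls) { Write-Warning 'Certificate has no http(s) CRL/OCSP URLs; revocation checking has nothing to contact.' }

foreach ($u in $urls) {
    $req = [System.Net.WebRequest]::Create($u)
    $req.Method  = 'GET'
    $req.Timeout = 15000
    # This uses the process's default proxy (the current user's settings), which is NOT
    # the WinHTTP proxy CryptoAPI uses; the certutil step below covers that path.
    try {
        $resp = $req.GetResponse()
        "REACHABLE   {0}  HTTP {1}  {2} bytes" -f $u, [int]$resp.StatusCode, $resp.ContentLength
        $resp.Close()
    } catch [System.Net.WebException] {
        $e = $_.Exception
        if ($e.Response) {
            # An HTTP error still proves the server was reached (OCSP responders
            # commonly answer a bare GET with 4xx).
            "REACHABLE   {0}  HTTP {1} (server answered)" -f $u, [int]$e.Response.StatusCode
        } else {
            # NameResolutionFailure, ConnectFailure, Timeout, ProxyNameResolutionFailure ...
            "UNREACHABLE {0}  {1}" -f $u, $e.Status
        }
    }
}

# Now let CryptoAPI fetch through its own (WinHTTP) proxy settings. Lines marked
# "ERROR" in the output identify the URL that fails for the Transport service.
$tmp = Join-Path $env:TEMP "$thumbprint.cer"
[System.IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
certutil -urlfetch -verify $tmp
```

If the URLs are reachable from the PowerShell test but certutil reports retrieval errors, the difference is almost always the WinHTTP proxy setting (netsh winhttp show proxy), since the service does not use the logged-on user's browser proxy.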

 © 2010 Microsoft Corporation. All rights reserved.