An Outlook certificate error is a common problem for Exchange Server admins that can open the floodgates for a torrent of help desk tickets. It starts when users open Outlook and get a message about a certificate error instead of their inbox. In most cases, users can click through the message and get on with their day, but there are more serious certificate errors that can cause trouble with the Out of Office assistant and free/busy information.
There are several problems that can cause Outlook to display a certificate error, but the three most common causes are:
- An invalid subject name or Subject Alternate Name (SAN) within the certificate;
- The certificate has expired; and
- The certificate is not trusted by the client computer.
Uncover invalid certificate names
An invalid certificate name error can occur if the subject name or SAN does not match the URL that Exchange uses. Most often, this happens either because the certificate is misconfigured or because the Domain Name System (DNS) record for the Exchange Autodiscover service is set up incorrectly.
Outlook has a two-step process to locate the Autodiscover service for an organization's Exchange Server deployment. First, it looks for the Autodiscover URL within the service connection point. Then, Outlook seeks a Host (A) record that matches the URL specified by the service connection point object.
This process fails if the user is not connected from inside the network. In that case, Outlook looks for an A record that matches the user's Simple Mail Transfer Protocol (SMTP) domain. If that doesn't work, Outlook prepends "autodiscover" to the user's SMTP domain name -- autodiscover.<domain name>.com -- and then tries to locate a matching A record.
If Outlook still can't find a suitable A record, it falls back to a Service (SRV) record to locate the Autodiscover service. Because Outlook may locate the Autodiscover service through either an A record or an SRV record, check both for proper configuration. There are a few ways to do this, but it is usually best to open a command prompt on the machine that runs the Outlook client. Next, enter these commands:
This sequence will display the name server being queried, the Autodiscover URL and the Autodiscover IP address.
Now, open the Exchange Management Shell and enter the following command:
Get-ExchangeCertificate | Select-Object *
This command lists the certificates on the server and displays the attributes for each certificate, such as the certificate's friendly name, subject name, enhanced key usage and services. Administrators can use this information to determine which certificate the Autodiscover service uses and whether they need to reissue a certificate to correct a mismatch.
Check for expired certificates
An Outlook certificate error can occur if a certificate has expired. Open the server's certificate store and check the certificate's expiration date. Certificates usually reside in the Certificates console under Certificates > Personal > Certificates. Double-click the certificate to view its expiration date (Figure B). If the certificate has expired, renew it.
Alternatively, admins can check for expired certificates with the following command in the Exchange Management Shell:
Get-ExchangeCertificate | Select-Object Subject, NotAfter
Correct untrusted certificates
Another potential cause of an Outlook certificate error is that the PC running Outlook does not trust the certificate authority that issued the certificate. This shouldn't be an issue if the certificate came from a well-known, commercial certificate authority. However, some organizations use an in-house enterprise certificate authority.
Windows servers configured to act as an enterprise certificate authority usually include a built-in web server for handling certificate requests. This same web server also offers an option to download the Certificate Authority (CA) certificate (Figure D).
Admins can import this CA certificate into the client computer's Trusted Root Certification Authorities store (Figure E). This allows the computer to trust the certificate authority that issued the certificate.
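The three checks described above (a name that does not match the URL, an expired certificate, and a CA the client does not trust) can be run in one pass from the Outlook client itself. The following PowerShell script is an added example, not code from the original article; it opens a TLS connection to the Autodiscover host, reads the certificate the server presents and reports each condition. The host name autodiscover.example.com is a placeholder for your own Autodiscover name.

```powershell
# Added example, not code from the original article. Run on the PC where Outlook
# runs: it connects to the Autodiscover (or OWA) host, reads the certificate the
# server presents and tests the three causes above. 'autodiscover.example.com'
# is a placeholder for your own Autodiscover host name.
function Test-ExchangeCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything in the callback; validation is done explicitly below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    } finally { $tcp.Close() }
    # 1. Name check: Subject CN plus every DNS name in the SAN extension (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields "DNS Name=a, DNS Name=b" on Windows; keep the part after '='.
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {   # a wildcard entry covers exactly one label
            if ($HostName -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { $nameOk = $true }
        } elseif ($n -eq $HostName) { $nameOk = $true }
    }
    # 2. Expiry check.
    $expired = (Get-Date) -gt $cert.NotAfter
    # 3. Trust check: build the chain against this computer's certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Host         = $HostName
        Subject      = $cert.Subject
        Names        = $names -join ', '
        NameMatches  = $nameOk
        NotAfter     = $cert.NotAfter
        Expired      = $expired
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
Test-ExchangeCertificate -HostName 'autodiscover.example.com' | Format-List
```

A result of NameMatches = False points to the SAN mismatch case, Expired = True to the renewal case, and ChainTrusted = False with an UntrustedRoot status to the missing CA certificate in the client's Trusted Root store.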
It takes quite a bit of work to correct an Outlook certificate error. In most cases, the error occurs because the certificate's subject or subject alternate name is incorrect. In these cases, replacing the certificate should fix the problem.