

Stop an Outlook certificate error before serious trouble erupts

Users often dismiss Outlook certificate errors, but admins should know better. Here are some steps to address the three common causes of certificate errors.

An Outlook certificate error is a common problem for Exchange Server admins, and one that can open the floodgates for a torrent of help desk tickets. It starts when users open Outlook and get a message about a certificate error instead of their inbox. In most cases, users can click through the message and get on with their day, but there are more serious certificate errors that can cause trouble with the out of office assistant and free/busy information.

There are several problems that can cause Outlook to display a certificate error, but the three most common causes are:

  • An invalid subject name or Subject Alternative Name (SAN) within the certificate;
  • The certificate has expired; and
  • The certificate is not trusted by the client computer.

Uncover invalid certificate names

An invalid certificate name error occurs when neither the subject name nor the SAN matches the URL that Exchange uses. Most often, this comes down to one of two things: a misconfigured certificate, or a problem with the Domain Name System (DNS) records that point clients to the Exchange Autodiscover service.

Outlook has a two-step process to locate the Autodiscover service for an organization's Exchange Server deployment. First, it looks for the Autodiscover URL within the service connection point. Then, Outlook seeks a Host (A) record that matches the URL specified by the service connection point object.

This process fails when the user is not on an internal connection, because the service connection point lives in Active Directory. In that case, Outlook looks for an A record that matches the user's Simple Mail Transfer Protocol (SMTP) domain. If that doesn't work, Outlook prepends Autodiscover to the user's SMTP domain name -- Autodiscover.<domain name>.com -- and tries to locate a matching A record.

If Outlook still can't find a suitable A record, it falls back to a service record (SRV) to locate the Autodiscover service. Because Outlook may find Autodiscover through either an A record or an SRV record, check both for proper configuration. There are a few ways to do this, but it is usually best to open a command prompt on the machine that runs the Outlook client, start nslookup, and enter these commands at the nslookup prompt:

nslookup

set type=A

Autodiscover.<your domain>.com

set type=SRV

_Autodiscover._tcp.<your domain>.com

This sequence will display the name server being queried, the Autodiscover URL and the Autodiscover IP address.

Now, open the Exchange Management Shell and enter the following command:

Get-ExchangeCertificate | Select-Object *

This command lists the certificates on the server and displays the attributes for each certificate, such as the certificate's friendly name, subject name, enhanced key usage and services. Administrators can use this information to determine which certificate the Autodiscover service uses and whether they need to reissue a certificate to correct a mismatch.

Figure A: The Get-ExchangeCertificate command lists certificate details on the Exchange Server.

Check for expired certificates

An Outlook certificate error can occur if a certificate has expired. Open the server's certificate store and check the certificate's expiration date. Certificates usually reside in the Certificates Console at Certificates>Personal>Certificates. Double-click on the certificate to view its expiration date (Figure B). If the certificate has expired, renew it.

Figure B: In the server's certificate store, double-click on the certificate to check its expiration date.

Alternatively, admins can check for expired certificates with the following command in the Exchange Management Shell:

Get-ExchangeCertificate | Select-Object Subject, NotAfter

Figure C: The Get-ExchangeCertificate cmdlet displays certificate expiration dates.

Correct untrusted certificates

Another potential cause of an Outlook certificate error is that the PC running Outlook does not trust the certificate authority that issued the certificate. This shouldn't be an issue if the certificate came from a well-known, commercial certificate authority, but some organizations issue their Exchange certificates from an in-house enterprise certificate authority instead.

Windows servers configured to act as an enterprise certificate authority usually include a built-in web enrollment site for submitting certificate requests. The same site also offers an option to download the Certificate Authority (CA) certificate (Figure D).

Figure D: Windows-based enterprise certificate authorities give the option to download a CA certificate.

Admins can import this CA certificate into the client computer's Trusted Root Certification Authorities store (Figure E). This allows the computer to trust the certificate authority that issued the certificate.

Figure E: Import the CA certificate into the computer's Trusted Root Certification Authorities store.

It takes quite a bit of work to track down an Outlook certificate error. In most cases, the error occurs because the certificate's subject or subject alternative name is incorrect, and replacing the certificate with one that carries the right names should fix the problem.
