Certificate expiration issue


Steve Gould

My Exchange 2003 server just started giving an OAL error. I posted in the
Exchange group, but the issue goes into AD and Certificate Services also so
I figured I would repost here. I have an expired e-mail certificate, I
assume from https access to OWA. What can I do to resolve the issue? I have
been hunting in Certificate Services for user certs and then in ADSIedit, but
I'm not sure where the expiration info would be. I did find a cert listing
in ADSIedit, though. I could delete it for this user (me), but I'm not sure
of the ramifications of doing so.

I turned up logging and found this error:

Event Type: Warning
Event Source: MSExchangeSA
Event Category: OAL Generator
Event ID: 9323
Date: 11/12/2004
Time: 9:23:48 AM
User: N/A
Computer: SERVER
Description:
Entry 'Steve Gould' has invalid or expired e-mail certificates. These
certificates will not be included in the offline address list for '\Global
Address List'.
- Default Offline Address List

I am not sure what this means. The funny thing is that the user with the
error is ME. Can someone tell me what this means and how to fix it?

Steve Gould
 

Ryan Hanisco

Steve,

Are you running your own CA?
What is the expiration date for the root certificate?
Check the expiration dates on the certificate for your server, IIS instance
of OWA, and personal certificate in AU&C for your account.
Is the CA available to the workstations, or is the CA chain installed on them
(needed for some operations like RPCoHTTP)?
 

Steve Gould

Good point. We run our own CA. I was actually looking at all the certs on
our cert server today. The cert in question did expire. The root ca was good
for another 12 months so I went ahead and renewed it. I went ahead and
revoked the expired certificate. Not sure what effect that will have, but
the OAL generator still errors out.
 

Steve Gould

I finally resolved this myself by accident!!!!

I was on my Exchange server looking at the "default global address list". I
generated a "preview". I scrolled down the preview list to the user account
causing the errors and double clicked on the user. This brought up a user
properties page that looks the same as if I did this from a domain
controller with one exception. The user properties now had an ADDITIONAL tab
titled "Published Certificates". I selected this tab and there was the
expired certificate entry! I had buttons to "remove" the certificate as well
as "add from store", "remove from store", and "copy to file". I chose to
remove the certificate entry, rebuilt the OAL, and the problem is now
resolved.

I don't know why this tab doesn't display in the User properties on the DC
unless it is a Windows 2003 only item that the Windows 2000 DC could not
display.

Hope this helps someone else.
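The "Published Certificates" tab described above edits the multi-valued userCertificate attribute of the user object in Active Directory (in Active Directory Users and Computers the tab is shown only when View > Advanced Features is enabled, which is why it is easy to miss on the DC). The following script is an added example, not code from the thread: it covers Ryan's check of the expiry dates on the account's published certificates and Steve's fix of removing the expired entry, by decoding each userCertificate value as X.509, reporting NotAfter, and optionally removing only the expired blobs. It assumes the ActiveDirectory PowerShell module (RSAT) and an account with write access to the user object; the attribute name, the -Remove switch and the report format are the example's own choices.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module is installed and the caller can modify the target user object.
# Run without -Remove first to see what would be removed.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [switch]$Remove   # without this switch the script only reports
)

Import-Module ActiveDirectory

# userCertificate is multi-valued; each value is a DER-encoded certificate.
$user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
$now = Get-Date
$expired = @()

foreach ($raw in $user.userCertificate) {
    try {
        # The leading comma passes the byte[] as one constructor argument.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    } catch {
        # A value that is not a parseable certificate is reported but left alone.
        Write-Warning "Undecodable userCertificate value: $($_.Exception.Message)"
        continue
    }

    $isExpired = $cert.NotAfter -lt $now
    $status = if ($isExpired) { 'EXPIRED' } else { 'valid' }
    '{0,-8} NotAfter {1:yyyy-MM-dd}  {2}  serial {3}' -f $status, $cert.NotAfter, $cert.Subject, $cert.SerialNumber

    if ($isExpired) { $expired += ,$raw }
}

if ($expired.Count -eq 0) {
    "No expired certificates published on $SamAccountName."
} elseif ($Remove) {
    # Remove only the expired DER blobs; any still-valid published certificates stay.
    Set-ADUser -Identity $user -Remove @{ userCertificate = $expired }
    "Removed $($expired.Count) expired certificate(s) from $SamAccountName. Rebuild the OAL to clear event 9323."
} else {
    "$($expired.Count) expired certificate(s) found; re-run with -Remove to delete them."
}
```

Usage: `.\Clean-PublishedCerts.ps1 -SamAccountName sgould` to report, then the same command with `-Remove`. Removing the value from userCertificate is the same operation as the "remove" button on the tab; it does not revoke the certificate at the CA, and the OAL still has to be rebuilt afterwards for the 9323 warning to stop.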
 
