Last month, when we installed Exchange Server 2016 in our company and migrated from the previous Exchange Server 2010, some of our users started complaining that they were getting an error related to the SSL certificate in Outlook.
The error message said:
“The Security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.”
It is a security alert that Outlook presents after checking the configuration of your Outlook profile against the Exchange Server.
Reasons behind the certificate warning
After Exchange Server 2016 is installed in the organization’s Active Directory environment, the server setup creates a Service Connection Point (SCP) for the Autodiscover feature. The role of Autodiscover in Exchange Server is to look up the settings and services that the Exchange Server makes available to client systems. So, when you create a new Outlook profile with an Exchange account, you do not need to enter the settings manually; Autodiscover finds them and establishes the connection.
The Autodiscover service connection point is registered with a URL that contains the fully qualified domain name (FQDN) of the Exchange Server. You can check the URL by running the following command in the Exchange Management Shell.
Get-ClientAccessService -Identity <ServerName> | Select AutodiscoverServiceInternalUri
The client system connects to the Autodiscover feature over an HTTPS (SSL) connection. The same HTTPS connection is used to connect to various Exchange services such as Outlook on the Web (OWA), ActiveSync, Outlook Anywhere, Exchange Web Services, etc.
The HTTPS connection depends on the SSL certificate, which must fulfill three criteria:
- The certificate is issued by a trusted Certificate Authority (CA).
- The certificate is not expired.
- The name on the certificate matches the server name to which the client’s system wants to connect.
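The three criteria can be checked against the certificate that the Autodiscover host actually presents. The PowerShell below is an added example, not part of the original article; the host name 'autodiscover.contoso.com' and the function names are assumptions, and it relies on the DnsNameList property that PowerShell on Windows adds to certificate objects. It goes slightly beyond the text by also handling wildcard names.

```powershell
# Added example, not from the original article. The host name at the end is a placeholder.
function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: this connection only fetches the
        # certificate for inspection and sends no credentials or mail data.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label.
        $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
        return $HostName.Contains('.') -and ($parent -ieq $Pattern.Substring(2))
    }
    return $Pattern -ieq $HostName
}

function Test-AutodiscoverCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$HostName)
    # Criterion 1: the chain must end in a CA that this machine trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is outside the three criteria
    [void]$chain.Build($Certificate)
    $trustFaults = @($chain.ChainStatus | Where-Object {
        $_.Status -eq 'UntrustedRoot' -or $_.Status -eq 'PartialChain' })
    # Criterion 2: the current time must fall inside the validity period.
    $now = Get-Date
    $inDate = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
    # Criterion 3: one of the certificate's DNS names must match the requested host.
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $hits = @($names | Where-Object { Test-NameMatch $_ $HostName })
    [pscustomobject]@{
        HostName         = $HostName
        TrustedIssuer    = $trustFaults.Count -eq 0
        NotExpired       = $inDate
        NameMatches      = $hits.Count -gt 0
        CertificateNames = $names -join ', '
    }
}

# Usage (replace the placeholder with the host from AutodiscoverServiceInternalUri):
# $h = 'autodiscover.contoso.com'
# Test-AutodiscoverCertificate -Certificate (Get-ServerCertificate $h) -HostName $h
```

Run it from an affected client: the chain is evaluated against the trust store of the machine where the script runs, so a server-side run can report TrustedIssuer as True while clients still see the warning.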
How to fix the ‘certificate security warning’ issue
There are two ways to fix the warning message issue:
- Change the Autodiscover URL.
- Install an SSL Certificate from an authorized vendor.
Change the Autodiscover URL
To change the Autodiscover URL, you should use a DNS name or alias of the server name. It is advisable not to use the Exchange Server’s actual fully qualified domain name.
If a DNS record for the namespace is not already present, you need to add an A record to the internal DNS zone.
Install an SSL Certificate from an authorized vendor
When the namespace is working correctly, you need to install the SSL certificate on the Exchange Server 2016. Here is the brief procedure for installing the SSL certificate in the Exchange Admin Center:
- Log in to the Exchange Admin Center and go to Servers > Certificates.
- In the ‘Select Server’ list, select the specific Exchange Server on which to install the certificate. Choose ‘More Options •••’ and click Import Exchange Certificate.
- In the Import Exchange certificate wizard, on the ‘This wizard will import a certificate from a file’ page, fill in the following details:
  - File to import from: Enter the complete UNC path of the SSL certificate file.
  - Password: If the certificate is protected by a password, enter the password as well.
- On the ‘Specify the servers you want to apply this certificate to’ page, click the Add (+) icon.
- Select the Exchange Server and click the Add button. You can select as many Exchange Servers as you require.
- Finally, click the Finish button.
An SSL certificate helps Autodiscover search more effectively for the Exchange Server settings and policies for the user’s mailbox. But sometimes, the Exchange data becomes inaccessible due to corruption in the database (EDB) file. The corruption can make all of the mailbox data unavailable. So, you need to find the reason for the error and rectify the problem using any method. If no manual method works, then use Kernel for Exchange Server software. It is recovery software that primarily works on the Exchange database file. Exchange Recovery software can recover the data without needing the transaction log file, and you can save the mailbox data to a PST file, live Exchange, or Office 365 as required. You can use this tool with all Exchange Server versions and Office 365 plans.