Last month when we installed the Exchange Server 2016 in our company and migrated from the previous Exchange Server 2010, then some of our users started complaining that they are getting an error related to the SSL Certificate in the Outlook.
The error was:
“The Security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.”
It is a security alert message which checks the configuration of your Outlook profile with the Exchange Server and presents the message to you.
The reason behind the certificate warning.
After the installation of Exchange Server 2016 at the organization’s Active Directory environment, The Server setup creates a Service Connection Point (SCP) for the Autodiscover feature. The role of Autodiscover in Exchange Server is to search for the available settings and services for the client systems at the Exchange Server. So, when you create a new Outlook profile with an Exchange account, then you do not need to manually set up the settings, but the Autodiscover will search and establish the connection for you.
The Autodiscover service connection point gets register with the help of a URL having the fully qualified domain name of the Exchange Server. You can check the URL with the help of following command run in the Exchange Management Shell.
Get-ClientAccessService -Identity <ServerName> | Select AutodiscoverServiceInternalUri
The connection for the Autodiscover feature from the client system gets establish through an HTTPS (SSL) connection. The same HTTPS connection used to connect with various Exchange Services like Outlook on the Web (OWA), Activesync, Outlook Anywhere, Exchange Web Services, etc.
The HTTPS connection is dependent on the SSL certificate, and there are three criteria for the SSL certificate which it should fulfill:
- The certificate is issued by a trusted Certified Authority (CA).
- The certificate is not expired.
- The name at the certificate should match with the server name which the client’s system wants to connect.
How to remove the certificate security warning
There are two ways to fix the warning message:
- Change the Autodiscover URL.
- Install an SSL Certificate from an authorized vendor.
Change the Autodiscover URL
To change the Autodiscover URL, you should use a DNA name or alias of the Server name. It is advisable to not use the actual name of the Exchange Server’s full domain name.
If the DNS record of the namespace is not present in the Exchange, then you need to add the A record at the internal DNS Zone.
Install an SSL Certificate from an authorized vendor.
When the namespace is working correctly, then you need to install the SSL Certificate at the Exchange Server 2016. Here is the brief procedure of installing the SSL certificate at the Exchange Admin Center:
- Login to Exchange Admin Center and go to Servers>>Certificates.
- There is a ‘Select Server’ list where you need to select the specific Exchange Server to install the certificate. Choose ‘More Options •••’ and click the Import Exchange Certificate.
- At the Import Exchange certificate wizard, there is a ‘This wizard will import a certificate from a file’ page and you need to fulfill the following data:
File to import from: Enter the complete UNC path for the SSL file name.
Password: If the certificate is protected by a password, then input the password also.
- At the ‘Specify the servers you want to apply this certificate to’ page, click the Add (+) icon.
- Select the Exchange Server and click Add button. You can select as many as Exchange Server as you require.
Finally, click the Finish button.
SSL Certificate helps the Autodiscover in a much better way to search for the Exchange Server settings and policies for the user’s mailbox. But sometimes, the data for the Exchange gets inaccessible due to corruption in the database (EDB) file. The corruption can make the whole data of the mailbox unavailable. So, you need to check thoroughly for the reason of the error and rectify the problem using any method. If any manual method does not work, then use Kernel for Exchange Server software. Its a recovery software which primarily works for the Exchange database file. Exchange Recovery software can recover the data without needing the transaction log file, and you can save the mailbox data again in the Live Exchange account.