The certificate is invalid for Exchange Server usage

Here are some notes from a recent error that I encountered at a client with SSL certificates for an Exchange 2010 server.

This error may be seen on Exchange Server 2010. It may occur even when the certificate is a public certificate from a trusted provider, e.g. GlobalSign, Verisign or anyone else, although it is most often seen with certificates from a private PKI. This blog post focuses on a public certificate, in this case from GlobalSign.

The error: The certificate is invalid for Exchange Server usage

It is shown in the Exchange Management Console (EMC) as:

image

The error occurs because the certificate cannot be verified up to a trusted Certificate Authority.

The certificate chain is broken because an Intermediate or Root CA certificate is missing or wrong in the certificate store of the Exchange 2010 server.

Make sure you have the correct Intermediate and Root CA certificates from the provider (validate with your provider that you have the correct ones) and that they are imported into the certificate store of the computer (the Exchange server). They must go into the correct destination: Trusted Root Certification Authorities holds the Root CA and Intermediate Certification Authorities holds the Intermediate CA, as shown below:

image

Once you have imported or validated the correct versions, the certificate will be listed as valid the next time you start the Exchange Management Console, as shown below:

image
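
The chain check and the import described above can also be done from PowerShell on the Exchange server. This is an added example, not part of the original post; the thumbprint and the two `.cer` file paths are placeholders, and the last command must be run in the Exchange Management Shell.

```powershell
# Added example: find out where the chain breaks, import the CA certificates,
# then re-check. Placeholders (assumptions): thumbprint and .cer file paths.
$thumbprint = '<THUMBPRINT-OF-EXCHANGE-CERTIFICATE>'
$rootFile   = 'C:\Temp\provider-root.cer'           # placeholder path
$interFile  = 'C:\Temp\provider-intermediate.cer'   # placeholder path

function Test-CertificateChain {
    param([string]$Thumbprint)

    # The Exchange certificate lives in the computer's Personal store.
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # Build the chain against the machine stores (not the current user's).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Skip revocation so only trust-path problems are reported.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)

    # One line per certificate Windows could place in the chain.
    # A missing intermediate typically leaves only the leaf, flagged PartialChain.
    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }
        '{0}  [{1}]' -f $element.Certificate.Subject, $status
    }
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            'Chain error: {0} - {1}' -f $s.Status, $s.StatusInformation.Trim()
        }
    }
    return $ok
}

if (-not (Test-CertificateChain -Thumbprint $thumbprint)) {
    # Import into the computer stores (certutil defaults to the local machine):
    #   Root = Trusted Root Certification Authorities
    #   CA   = Intermediate Certification Authorities
    certutil.exe -addstore Root $rootFile
    certutil.exe -addstore CA   $interFile

    # Re-run the check; the chain should now end at the provider's root.
    Test-CertificateChain -Thumbprint $thumbprint
}

# Exchange Management Shell: Status should now read Valid.
Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Subject, Status, RootCAType
```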