Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-13
The following errors may be returned in the Operator Console if you are using Microsoft Operations Manager 2005, or in the Operations Console if you are using System Center Operations Manager 2007, when a certificate cannot be validated. The errors may also be returned as Application log events. This topic explains how to resolve these errors, or refers to documentation that may help you resolve certificate validation errors.
For more information about how the Microsoft Exchange Transport service selects certificates for Transport Layer Security (TLS), see SMTP TLS Certificate Selection.
Certificate Validation Errors or Status Messages
- The certificate is valid but it is self-signed. This error is an informational status message. By default, the certificate that is installed with Microsoft Exchange Server 2007 is self-signed. It is generally a best practice to use certificates from trusted third-party certification authorities (CAs).
  For more information, see How to Enable PKI on the Edge Transport Server for Domain Security.
- Certificate subject does not match the passed value. This status message indicates that the domain name in either the subject name or the subject alternative name field of the certificate does not match the fully qualified domain name (FQDN) of the sender or receiver domain. To correct this error, create a new certificate that matches the FQDN of the Send connector or Receive connector that tried to validate this certificate.
  For more information, see Creating a Certificate or Certificate Request for TLS.
- The signature of the certificate cannot be verified. This status message indicates that the Microsoft Exchange Transport service was unable to validate the certificate chain, or that the public key that was used to validate the certificate signature is not the correct key.
  For more information, see Domain Security in Exchange 2007 White Paper.
- A certificate chain processed, but ended in a root certificate which is not trusted by the trust provider. This status message indicates that the certificate that was used for this operation is not trusted by the computer certificate store. To trust this certificate, the root certification authority for the given certificate must be present in the certificate store for this computer.
  For more information about how to manually add certificates to the local certificate store, see the Help file for the Certificate Manager snap-in in Microsoft Management Console (MMC).
- The certificate is not valid for the requested usage. This status message indicates that you must enable the certificate for use in the current application. For example, if you are trying to use this certificate for Domain Security, the certificate must be enabled for Simple Mail Transfer Protocol (SMTP).
  For more information about how to enable certificates, see Enable-ExchangeCertificate.
  Alternatively, this status message may indicate that the certificate that you are using does not have the correct data in the Enhanced Key Usage field. All certificates that are used for Transport Layer Security (TLS) must contain a Server Authentication object identifier (OID). If you are trying to use a certificate for TLS that does not contain a Server Authentication OID in the Enhanced Key Usage field, you must create a new certificate.
  For more information, see Creating a Certificate or Certificate Request for TLS.
- A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. This status message indicates that the system time is incorrect, the certificate has expired, or the time of the system that signed the file is incorrect. Verify that the following conditions are true:
  - The local computer clock is accurate.
  - The certificate has not expired.
  - The sending system clock is accurate.
  For more information, see Creating a Certificate or Certificate Request for TLS.
- The validity periods of the certification chain do not nest correctly. This status message indicates that the certificate chain is corrupted or otherwise unreliable. Generate a new certificate by using the New-ExchangeCertificate cmdlet, or contact your certification authority to validate the certificate chain that was used for this certificate.
- A certificate that can only be used as an end entity is being used as a CA or vice versa. This status message indicates that the certificate is invalid because it was issued by an end-entity certificate and not by a certification authority. An end-entity certificate is a certificate that has been created for a specific application cryptographic usage. Generate a new certificate by using the New-ExchangeCertificate cmdlet, or contact your certification authority to validate the certificate.
- The certificate or signature has been revoked. Contact your certification authority to resolve this issue.
- A certificate was explicitly revoked by its issuer. Contact your certification authority to resolve this issue.
- The revocation function was unable to check revocation because the revocation server was offline. This status message indicates that the revocation server for the certificate could not be reached. In some cases, this is a temporary error because the revocation server is malfunctioning. Otherwise, make sure that this computer can access the revocation server. If there is a firewall or proxy server between this computer and the revocation server, make sure that this computer is configured to pass through it.
  For more information, see How to Enable PKI on the Edge Transport Server for Domain Security.
- The revocation process could not continue. The certificates could not be checked. This status message indicates that the revocation process was interrupted by a general network failure. If there is a firewall or proxy server between this computer and the revocation server, make sure that this computer is configured to pass through it.
  For more information, see How to Enable PKI on the Edge Transport Server for Domain Security.
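The following PowerShell function is an added diagnostic example; it is not part of this topic and not code shipped with Exchange. It checks a certificate from the local computer's Personal store against the conditions listed above before the certificate is assigned to a connector: validity period against the local clock, a self-signed issuer, the connector FQDN against the subject and subject alternative name, the Server Authentication OID in Enhanced Key Usage, and chain building with online revocation checking so that trust, nesting and revocation-server problems surface as named chain status flags. The function name Test-ExchangeTlsCertificate, the placeholder thumbprint and the FQDN mail.example.com are assumptions; it uses only the .NET X509 classes available on Windows.

```powershell
function Test-ExchangeTlsCertificate {
    # Added diagnostic example; not from this topic or from Exchange itself.
    # Assumptions: the certificate is in the local computer's Personal store and is
    # identified by $Thumbprint; $ExpectedFqdn is the FQDN configured on the Send or
    # Receive connector that will use it. Both default values are placeholders.
    param(
        [string]$Thumbprint   = 'REPLACE-WITH-CERTIFICATE-THUMBPRINT',
        [string]$ExpectedFqdn = 'mail.example.com'
    )
    $findings = @()

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }

    # "A required certificate is not within its validity period": compare with the local clock.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "Outside validity period $($cert.NotBefore) to $($cert.NotAfter); verify the clock and the expiry date."
    }

    # "The certificate is valid but it is self-signed": issuer and subject carry the same name.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'Self-signed certificate (informational; a certificate from a trusted CA is recommended).'
    }

    # "Certificate subject does not match the passed value": the connector FQDN must appear
    # in the subject CN or in a DNS entry of the subject alternative name extension (2.5.29.17).
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders the SAN as "DNS Name=a.example.com, DNS Name=b.example.com".
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -like 'DNS Name=*') { $names += ($entry -replace '^DNS Name=', '') }
        }
    }
    if (-not ($names -contains $ExpectedFqdn)) {
        $findings += "Neither the subject nor the SAN contains '$ExpectedFqdn' (found: $($names -join ', '))."
    }

    # "The certificate is not valid for the requested usage": TLS requires the
    # Server Authentication OID (1.3.6.1.5.5.7.3.1) in Enhanced Key Usage (2.5.29.37).
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) {
        $findings += 'Enhanced Key Usage does not include Server Authentication; a new certificate is needed for TLS.'
    }

    # Chain, trust and revocation: build the chain with online revocation checking for
    # server authentication and report every status flag. The flags correspond to the
    # messages in this topic, for example UntrustedRoot, NotTimeValid, NotTimeNested,
    # Revoked, RevocationStatusUnknown / OfflineRevocation and NotValidForUsage.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid -ArgumentList $serverAuthOid)) | Out-Null
    $chainOk = $chain.Build($cert)
    foreach ($status in $chain.ChainStatus) {
        $findings += ('Chain status {0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
    }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        ChainBuilt = $chainOk
        Findings   = $findings
    }
}

# Usage with placeholder values; the thumbprint comes from Get-ExchangeCertificate.
# Test-ExchangeTlsCertificate -Thumbprint '<thumbprint>' -ExpectedFqdn 'mail.example.com'
```

An empty Findings list with ChainBuilt set to True means the certificate passes every check this topic describes; only then is it worth enabling it for the transport service with Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP. Because RevocationMode is set to Online, a firewall or proxy that blocks the path to the revocation server shows up here as OfflineRevocation or RevocationStatusUnknown, the same condition that the last two messages in this topic report.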