can't get new or renew certs from exchange only after root ca cert expired

From: Jeff Allen (jeff.allen_at_pikatech.com)
Date: 01/12/05 (12 Jan 2005 07:07:43 -0800)

Recently one of my clients' email encryption certificates expired, and when we tried
to renew her certificate we got the standard error "The message from
the Microsoft Exchange Key Management Server could not be processed.
Contact your administrator for a new security token, and set up
advanced security again." I have tried to enroll other accounts and
they all get the same message, whether they are new or current users. We did
have this problem in the past and it was related to the CA having an
expired cert. I checked this and the cert is fine, and I even renewed
it to be safe.
 
I get the error below in the app log of the Exchange/KMS server, with
an event ID of 5005 and a source of MSExchangeKMS, when trying to
enable Advanced Security (this is a brand new test account I have
created):
 
Mailbox "o=xxxxxx, ou=xxxxxx, cn=recipients, cn=testuser" has failed
being enabled or recovered.
 
And I get the error below on the CA: event ID 21, source CertSvc.
 
Certificate Services could not process request 1148 due to an error: A
certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider. 0x800b0112
(-2146762478). The request was for CN=testuser, CN=recipients,
OU=xxxxxx, O=xxxxxx.
 
I was able to renew another CA from the main CA that the KMS talks to
and I can renew certs for websites on our internal network... just the
exchange that is giving us problems...
 
 
Any help you could provide would be greatly appreciated.
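As an added illustration (not part of Jeff's post), the PowerShell below builds the certificate chain for a certificate issued by the CA and reports, per element, its expiry date, its chain status flags, and whether that element is present in the machine's Trusted Root or Intermediate CA store. The CertSvc event text quoted above, 0x800b0112, is CERT_E_UNTRUSTEDCA: the chain itself builds, but one CA certificate in it is not in a store the policy module trusts, which is a different failure from an expired certificate (reported as NotTimeValid). The file path is a placeholder; export a user certificate or the issuing CA certificate as a .cer file and point the script at it.

```powershell
# Added example, not from the original post. Builds the chain for a
# certificate and shows why Windows does or does not trust each element.
# Placeholder path (assumption): export the cert you want to check here.
$CertPath = 'C:\temp\testuser.cer'

function Test-CertChain {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Skip revocation so an unreachable CRL does not hide the trust/expiry question.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $built = $chain.Build($cert)

    # Thumbprints present in the machine-wide trust stores.
    $rootThumbs = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    $caThumbs   = (Get-ChildItem Cert:\LocalMachine\CA).Thumbprint

    $elements = foreach ($el in $chain.ChainElements) {
        $flags = if ($el.ChainElementStatus) {
            ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        } else { 'NoError' }

        [pscustomobject]@{
            Subject       = $el.Certificate.Subject
            NotAfter      = $el.Certificate.NotAfter
            Status        = $flags
            InRootStore   = $rootThumbs -contains $el.Certificate.Thumbprint
            InCAStore     = $caThumbs   -contains $el.Certificate.Thumbprint
        }
    }

    # Plain-language hints for the flags most often behind a KMS/CA enrollment failure.
    $hints = foreach ($s in $chain.ChainStatus) {
        switch ($s.Status) {
            'UntrustedRoot' { 'Root CA certificate is not in Trusted Root Certification Authorities.' }
            'NotTimeValid'  { 'A certificate in the chain is expired or not yet valid.' }
            'PartialChain'  { 'An issuing CA certificate could not be found; chain is incomplete.' }
            default         { "$($s.Status): $($s.StatusInformation.Trim())" }
        }
    }

    [pscustomobject]@{
        ChainBuilt = $built
        Elements   = $elements
        Hints      = $hints
    }
}

$result = Test-CertChain -Path $CertPath
"Chain built: $($result.ChainBuilt)"
$result.Elements | Format-Table -AutoSize
$result.Hints
```

If every element shows NoError here but the CA still logs 0x800b0112, the machine-wide Root/CA stores are not the only thing an enterprise CA consults: the policy module also checks the enterprise NTAuth store, which a renewed CA certificate has to reach separately. `certutil -viewstore -enterprise NTAuth` lists what that store currently holds, so comparing its contents against the renewed CA certificate's thumbprint is the natural next check.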
 

Newsgroups: microsoft.public.security.crypto, microsoft.public.exchange2000.admin, microsoft.public.exchange2000.general


