Exchange 2019 SSL certificate invalid

I have installed Exchange 2019 for testing purposes. I have purchased a domain name and a certificate. After I installed it, the status shows: invalid. Thank you.

Here is the result of certutil -verify:

Issuer:
    CN=ZeroSSL RSA Domain Secure Site CA
    O=ZeroSSL
    C=AT
  Name Hash(sha1): 082e3ff9058cfe8a7c18bd13efdf1d1660707a6b
  Name Hash(md5): ab1639dd9160fab0f92496ffe91dc2aa
Subject:
    CN=mail.belxchange.com
  Name Hash(sha1): e5b331beff7e2e09aeef22bae49b7edad6ef3ec7
  Name Hash(md5): 00ff0b4da8f724bc70646e3b026e45d1
Cert Serial Number: e28ee3f7a40f789620b258aae02b60dd

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Hours, 19 Minutes, 5 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Hours, 19 Minutes, 5 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT
  NotBefore: 6/28/2021 8:00 PM
  NotAfter: 9/27/2021 7:59 PM
  Subject: CN=mail.belxchange.com
  Serial: e28ee3f7a40f789620b258aae02b60dd
  SubjectAltName: DNS Name=mail.belxchange.com
  Cert: beffb40c51aa7de210779220bf6b98be69d67911
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL (null):
    Issuer: CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT
    ThisUpdate: 6/29/2021 4:50 PM
    NextUpdate: 7/6/2021 4:50 PM
    CRL: 2e9f37d78d9ae1a9e435760e1d9b006b55dafe3c
  Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.78
  Issuance[1] = 2.23.140.1.2.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
  NotBefore: 1/29/2020 8:00 PM
  NotAfter: 1/29/2030 7:59 PM
  Subject: CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT
  Serial: 6c55abdbd00792c79d070cd8119ed6bf
  Cert: c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL (null):
    Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
    ThisUpdate: 6/30/2021 4:28 AM
    NextUpdate: 7/7/2021 4:28 AM
    CRL: 33d94bdc17a67be0286bea0e96cfe3b6ad7c3284
  Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.78
  Issuance[1] = 2.23.140.1.2.1
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
  NotBefore: 1/31/2010 8:00 PM
  NotAfter: 1/18/2038 7:59 PM
  Subject: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
  Serial: 01fd6d30fca3ca51a81bbc640e35032d
  Cert: 2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
  Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[4] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination
  Application[5] = 1.3.6.1.5.5.7.3.7 IP security user
  Application[6] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[7] = 1.3.6.1.5.5.7.3.8 Time Stamping
  EV[0] = 1.3.6.1.4.1.6449.1.2.1.5.1
  EV[1] = 2.23.140.1.3

Exclude leaf cert:
  Chain: a126b04b452a7f46b037e93b530914e84dd20f84
Full chain:
  Chain: 480ccb6aae924c7427e4e32e37bf45e8261459bf
------------------------------------
Verified Issuance Policies:
    1.3.6.1.4.1.6449.1.2.2.78
    2.23.140.1.2.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
PS C:\Users\Administrator>

Can you run `certutil -verify server.crt` against the TLS certificate you received from ZeroSSL and post the command result?
@Crypt32 done. I've put it in the main post.
Was it installed with the private key? Looks like the intermediate/roots are there from your verify.
@TheCleaner Yes, the private key was there
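
An added example, not part of the original thread: a small Python parser that decodes the `dwInfoStatus` / `dwErrorStatus` hex values of each `CertContext` element in a saved `certutil -verify` dump and reports any chain element with an error bit set. The flag names are a subset of the `CERT_TRUST_*` constants from `wincrypt.h` with the prefix dropped; the function names and the embedded sample (header and subject lines excerpted from the dump above) are assumptions made for this example.

```python
import re

# Subset of CERT_TRUST_* info and error bits from wincrypt.h (prefix dropped).
INFO = {0x1: "HAS_EXACT_MATCH_ISSUER", 0x2: "HAS_KEY_MATCH_ISSUER",
        0x4: "HAS_NAME_MATCH_ISSUER", 0x8: "IS_SELF_SIGNED",
        0x100: "HAS_PREFERRED_ISSUER"}
ERR = {0x1: "IS_NOT_TIME_VALID", 0x4: "IS_REVOKED",
       0x8: "IS_NOT_SIGNATURE_VALID", 0x10: "IS_NOT_VALID_FOR_USAGE",
       0x20: "IS_UNTRUSTED_ROOT", 0x40: "REVOCATION_STATUS_UNKNOWN",
       0x10000: "IS_PARTIAL_CHAIN", 0x1000000: "IS_OFFLINE_REVOCATION"}

ELEMENT = re.compile(r"CertContext\[(\d+)\]\[(\d+)\]: "
                     r"dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)")
SUBJECT = re.compile(r"^\s+Subject: (.+)$")

# Excerpt of the dump posted above (element headers and subjects only).
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=mail.belxchange.com
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Subject: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
"""

def decode(value, table):
    """Turn a status bitmask into flag names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    return names + ([hex(unknown)] if unknown else [])

def parse_chain(text):
    """Return one dict per chain element, leaf first, as certutil lists them."""
    elements = []
    for line in text.splitlines():
        m = ELEMENT.match(line)
        if m:
            elements.append({"index": int(m.group(2)), "subject": None,
                             "info": decode(int(m.group(3), 16), INFO),
                             "errors": decode(int(m.group(4), 16), ERR)})
        elif elements and elements[-1]["subject"] is None:
            s = SUBJECT.match(line)
            if s:
                elements[-1]["subject"] = s.group(1)
    return elements

def chain_problems(elements):
    """List (subject, reasons) for every element that fails a chain check."""
    problems = [(e["subject"], e["errors"]) for e in elements if e["errors"]]
    if elements and "IS_SELF_SIGNED" not in elements[-1]["info"]:
        problems.append((elements[-1]["subject"], ["chain does not end at a self-signed root"]))
    return problems
```

For the dump in this thread `chain_problems(parse_chain(SAMPLE))` returns an empty list: all three elements carry `dwErrorStatus=0` and the chain ends at a self-signed root.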
I found a similar thread; please check if Andy and Joyce's answers are helpful to you: Certificate invalid in Exchange 2019