Like Andy mentioned above, if we get the invalid status for the certificate imported to the Exchange server, we need to make sure the entire chain is accessible.
Please use the command below in EMS to get the detailed information of the invalid certificate. You could share the results here; remember to clear your personal information.
Get-ExchangeCertificate -Thumbprint "XXXXXXX" | Format-List
Check especially the RootCAType; I have seen some issues caused by an Unknown RootCA, just like this thread discussed: Added new SSL cert - showing as "invalid"
Fix this issue and see how it looks
You need the Root CA certificate for this. Check it on the vendor website and get it. You have to import it to the certificate console by the following method:
Launch a new Microsoft Management Console (Start -> Run, mmc.exe) and add the Certificates snap-in to it, connecting to the Computer Account for the Local Computer.
Navigate to Trusted Root Certification Authorities. Right-click on Certificates and choose All Tasks and then Import.
And if you have performed the operation above correctly, the status changes to "revocation check failed". Check if the CRL paths in the certificate can be reached. The paths can be found by opening the certificate, clicking on Details, and scrolling to 'CRL Distribution Paths'. Here you find a path:
CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://xxx.com/xxx.crl
Then copy the URL and paste it in Internet Explorer. This path must be resolvable.
Refer to this link to get more information: Exchange 2013 - Trusted Certificate - Invalid
In addition, I would recommend you read the article here, which discusses Exchange certificates that include the .local extension. It may not lead to the invalid issue; however, it's not the suggested way. Even though it may have been possible for them to be issued an SSL certificate with .local names in it today, when that certificate expires it may not be possible to renew it.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
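The two checks described in the answer above (is the whole chain trusted, and can every CRL path be reached), as an added PowerShell example that is not part of the original post. It assumes the certificate is in the Local Computer "Personal" store; the thumbprint is the same placeholder used above, and only http/https CRL paths are tested.

```powershell
# Added example. Replace the placeholder with the thumbprint shown by Get-ExchangeCertificate.
$thumbprint = 'XXXXXXX'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

# Build the chain and ask for an online revocation check of every element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)
"Chain valid: $chainOk"

# UntrustedRoot / PartialChain        -> root or intermediate CA certificate is missing
# RevocationStatusUnknown / OfflineRevocation -> a CRL could not be retrieved
$chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "`n$($c.Subject)"

    # 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { "  no CRL Distribution Point extension"; continue }

    # Format($true) renders the extension as text, like the certificate Details tab.
    $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s\)]+') |
        ForEach-Object { $_.Value }

    foreach ($url in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            "  reachable   $url (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
        } catch {
            "  UNREACHABLE $url ($($_.Exception.Message))"
        }
    }
}
```

Run it on the Exchange server itself, since what matters is whether that host can resolve and download each CRL.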