A few things that I want to state right off the bat:
- While I am an IT technician, I am not an Exchange administrator and have no access to our Exchange servers.
- When I pose this question to our Exchange administrators I am told that this is a client issue. I have reason to doubt that answer and so am seeking more objective opinions.
- I am not trying to solve an existing technical issue. I am simply trying to collect more information so that I can gain a better understanding of email encryption issues.
Recently, I have seen three cases where a user was having email encryption problems, and in all three cases the issue was caused by an expired default certificate in the address book. In all three cases:
- The user had one valid certificate listed in AD.
- I opened MMC on the client machine and added the Certificates snap-in, and found only one certificate installed on the machine, and it matched the certificate listed in AD.
- I looked up the user in the address book, did a right-click > Add to Contacts > Certificates button on the ribbon, and found that the default certificate listed for the user was expired.
In one case, the default certificate listed in the address book expired in 2012.
Our Exchange administrators tell me that this is a client issue and that email encryption does not involve the Exchange servers--that the servers simply pass messages back and forth. But if that expired certificate is not in AD, and it's not installed on the client machine, then where is it coming from? It has to be coming from somewhere.
When I'm on the client and click the Publish to GAL button, that certificate gets published to an AD server. My understanding is that Exchange then queries AD and updates the OAB with new data, which would include new certificate information. If this is correct, then an Exchange server is involved in the process, and therefore this issue may not be caused by the client.
Am I on to something with my line of reasoning, or is my Exchange administrator correct? If I am on to something, then I would be interested in knowing the details of what happens from the time I click the Publish to GAL button on the client to the time the new certificate information shows up in the address book.
Thanks in advance for any information that you can provide!
--Tom
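An added example, not code from the original post: a PowerShell check of the two AD attributes that Outlook's Publish to GAL writes (userCertificate and userSMIMECertificate), listing every certificate held in them with its expiry date, so an expired default entry seen in the address book can be traced back to the directory rather than the client. It assumes the ActiveDirectory RSAT module is available, that the account can read the user object, and uses 'jdoe' as a placeholder account name.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory RSAT module
# (Get-ADUser) and read access to the user object; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Security   # provides SignedCms for the PKCS#7 attribute

function Get-UserCertificateSummary {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate, userSMIMECertificate
    $now  = Get-Date

    # Helper: turn one X509Certificate2 into a one-line summary row.
    function Format-Row([string]$Attribute, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
        [pscustomobject]@{
            Attribute  = $Attribute
            Subject    = $Cert.Subject
            Thumbprint = $Cert.Thumbprint
            NotAfter   = $Cert.NotAfter
            Expired    = ($Cert.NotAfter -lt $now)
        }
    }

    # userCertificate: each value is one DER-encoded X.509 certificate.
    foreach ($der in $user.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        Format-Row 'userCertificate' $cert
    }

    # userSMIMECertificate: each value is a PKCS#7 blob that can bundle several certificates
    # (the attribute Outlook's Publish to GAL also writes, alongside userCertificate).
    foreach ($blob in $user.userSMIMECertificate) {
        try {
            $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
            $cms.Decode([byte[]]$blob)
            foreach ($cert in $cms.Certificates) { Format-Row 'userSMIMECertificate' $cert }
        } catch {
            Write-Warning "userSMIMECertificate value could not be parsed as PKCS#7: $_"
        }
    }
}

Get-UserCertificateSummary -SamAccountName 'jdoe' | Sort-Object NotAfter | Format-Table -AutoSize
```

If an expired certificate shows up in either attribute, the address book is reflecting what AD holds; if nothing expired appears, the next place to compare is the client's cached OAB, which Outlook refreshes on its own schedule rather than on every lookup.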