microsoft / CSS-Exchange

Exchange Server support tools and scripts
MIT License

Detection for missing intermediate certificate for leaf cert used by Transport #2030

Open richfaj opened 4 months ago

richfaj commented 4 months ago

Is your request related to a problem? Please describe.
UntrustedRoot is an error surfaced in Message Tracking Logs/Message Trace when the root certificate is not trusted or, less commonly, when an intermediate certificate is missing during TLS negotiation.

Take the following scenario: an Exchange Online tenant contains an outbound connector configured to enforce certificate validation. Mail is sent from Exchange Online to On-Premises. During TLS negotiation, On-Premises only presents the leaf certificate and does not include any intermediate certs. This can be verified in a network packet capture.

Exchange Online will defer the message and surface the error "UntrustedRoot".

Describe The Request
Disabling downloading of certificates may be one cause of this issue. Can this be detected and surfaced in Health Checker? Can we detect if Exchange is using a certificate that does not have the full chain installed in the certificate store?


bill-long commented 4 months ago

Looks like we can take the Thumbprint from Get-ExchangeCertificate and then load the certificate from the store:

$c = Get-ChildItem -Path cert:\LocalMachine\My\48D58B180F99D1FC047654D6B8F2958A736DF465

Note this assumes it's in the My store and not some other place. I guess we would need to check all of them? Anyway once we have the cert we can build the cert chain:

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Build() expects the X509Certificate2 object itself; passing it directly avoids relying on PowerShell's byte[] conversion of RawData
$chain.Build($c)

At this point, $chain.ChainElements has 3 certs - leaf, intermediate, and root. But I'm not sure how this looks on a machine that doesn't have all the certs locally. We probably need to see what this object looks like when the machine is in that state.
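An added example (not code from the CSS-Exchange project) that extends the sketch above to answer the open question: it searches all LocalMachine stores for the thumbprint, builds the chain with revocation checks disabled, and then checks whether each intermediate in the built chain is actually installed in cert:\LocalMachine\CA, because Build() can complete the chain by downloading intermediates via AIA even when the store lacks them. It assumes Windows PowerShell 5.1 on an Exchange server with the Exchange Management Shell loaded.

```powershell
# Added example: report certificates whose intermediate CA certs are not in the
# local Intermediate Certification Authorities store (cert:\LocalMachine\CA),
# which is the store SChannel sends intermediates from during the TLS handshake.
function Test-CertificateChainStore {
    param(
        [Parameter(Mandatory)][string]$Thumbprint
    )

    # Search every LocalMachine store, not only My, as suggested in the thread.
    $cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint not found in any LocalMachine store" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation checks so an unreachable CRL endpoint does not mask a chain problem.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    # A successful Build() alone does not prove the intermediate is installed locally,
    # so compare every intermediate element against the thumbprints in the CA store.
    $installedCA = Get-ChildItem -Path Cert:\LocalMachine\CA | Select-Object -ExpandProperty Thumbprint
    $elements = @($chain.ChainElements)
    $missing = @()
    # Element 0 is the leaf and the last element is the root; everything between is an intermediate.
    for ($i = 1; $i -lt $elements.Count - 1; $i++) {
        $ca = $elements[$i].Certificate
        if ($installedCA -notcontains $ca.Thumbprint) { $missing += $ca.Subject }
    }

    [pscustomobject]@{
        Thumbprint          = $Thumbprint
        ChainBuilt          = $built
        ChainLength         = $elements.Count
        # e.g. PartialChain or UntrustedRoot when the chain cannot be completed
        ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        MissingIntermediate = $missing
    }
}

# Run against every certificate Exchange knows about (requires the Exchange Management Shell).
Get-ExchangeCertificate | ForEach-Object { Test-CertificateChainStore -Thumbprint $_.Thumbprint }
```

A non-empty MissingIntermediate for a certificate bound to SMTP is the condition the issue describes: the chain may build on the server, but the peer is only sent the leaf.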