Exchange 2007 renewing local SSL certs importing thumbprint

Posted on 2009-02-13
Last Modified: 2012-05-06
Hi experts

I'm having a problem with Exchange 2007. In essence, I installed an Exchange 2007 server last year. About a week ago my client started getting SSL cert errors locally, stating that there is a domain name mismatch on the SSL cert for the server. I logged on to find that the cert was out of date and renewed it by creating a local SSL cert from our server.

We don't use OWA externally, so an SSL cert from a known provider is really not necessary (I think). Since renewing the SSL cert I have been experiencing loads of Exchange errors and mail delays, as well as error messages stating that the queue viewer cannot connect to the Exchange transport service. Other errors include:

Microsoft Exchange couldn't find a certificate with a thumbprint of xxxxxxxx in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate xxxxxxx -Services SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN


Microsoft Exchange couldn't find a certificate that contains the domain name in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

I am guessing that I need to import a thumbprint into Exchange or something along these lines to rectify the issue, but as I am new to Exchange 2007 I really don't know where to start.

Any help would be much appreciated.

Thanks in advance
Question by:markbenham
    LVL 6

    Expert Comment

    If you issue a new certificate from your internal CA, make sure it has all the SAN names in it.

    Then import that certificate with the Import-ExchangeCertificate cmdlet.
    Then enable it with Enable-ExchangeCertificate -Thumbprint pastethumbprinthere -Services IIS, SMTP, POP

    Run iisreset /noforce and you should be OK.

    Now if you have several Exchange servers you have to install the certificate on those servers too.

    Export the certificate to a .pfx file to get your private key with it, and remember to set a password. IMPORTANT! Password can't be blank.


    Author Comment

    Hi Remi

    Thanks for the help. Bit confused as to the SSL cert: I have just renewed the old one using IIS, however the new cert makes no indication of any other SAN names but mail.mydomain.local.
    How do I issue a cert which includes multiple SAN names?

    Do you know of a good article on how to create the relevant SSL cert and how to apply it which I can follow, or would it be possible to list step-by-step instructions on how to do this?

    I know it's asking a lot but I don't really want to get this wrong.

    Once again thanks for all the help so far.
    LVL 6

    Accepted Solution


    Author Comment

    Thanks, will have a look now and get back to you.

    Author Comment

    How do I find out what the autodiscovery domain is set to?

    LVL 6

    Expert Comment

    if your external domain is the you should put in

    When Outlook connects to the Exchange server it will use the to get the URLs for the services needed.

    Your Outlook client will try hardcoded URLs

    and some others

    So remember that you will have to create internal and external DNS records for that.


    Author Comment

    I keep getting a syntax error when creating the CSR. In essence this is what I'm typing in:

    New-ExchangeCertificate -GenerateRequest - Domainname, ServerName.xxxx.local,, ServerName -FriendlyName -PrivateKeyExportable: $True -path c:\Cert.req

    The error occurs on the 24th character, which is the hyphen (-). I have deleted the hyphen and still get a syntax error for GenerateRequest.

    Am I going wrong somewhere?

    Am I supposed to type in the server name where it says or leave it as is?

    Sorry for making something so simple complicated.
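As an added example (not commands posted by anyone in this thread), here is the Exchange 2007 Management Shell sequence the expert's steps describe, written out so the pitfalls in the request line above (a space after the parameter hyphen, a doubled comma, an empty -FriendlyName) are visible. The names mail.contoso.local, autodiscover.contoso.local, EXCH01, contoso.local and the C:\ file paths are placeholder assumptions; the real thumbprint is whatever Get-ExchangeCertificate prints for the new cert.

```powershell
# Added example, not the thread's own commands. All names below are placeholders:
# replace mail.contoso.local, autodiscover.contoso.local, EXCH01 and contoso.local
# with your own internal names, and use the thumbprint printed by Get-ExchangeCertificate.

# 1. Generate a request that lists every name Outlook and other servers will use.
#    No space after the parameter hyphen, no empty entries in the comma-separated
#    list, and -FriendlyName needs a value.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.contoso.local, O=Contoso, C=GB" `
    -DomainName mail.contoso.local, autodiscover.contoso.local, EXCH01.contoso.local, EXCH01 `
    -FriendlyName "Exchange 2007 internal SAN cert" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path C:\Cert.req

# 2. Submit C:\Cert.req to the internal CA, save the issued cert as C:\Cert.cer, then import it.
Import-ExchangeCertificate -Path C:\Cert.cer

# 3. Find the thumbprint of the new certificate (match on friendly name / subject / expiry).
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 4. Enable the services on the new thumbprint; the value is copied from step 3.
$thumb = "PASTE_THUMBPRINT_FROM_STEP_3"
Enable-ExchangeCertificate -Thumbprint $thumb -Services "IIS, SMTP, POP"
iisreset /noforce

# 5. Check that the SMTP-bound cert's domains cover every connector FQDN; a name
#    missing here is what the STARTTLS event in the question is complaining about.
Get-ExchangeCertificate -Thumbprint $thumb | Format-List CertificateDomains, Services
Get-ReceiveConnector | Format-Table Name, Fqdn
Get-SendConnector | Format-Table Name, Fqdn

# 6. For other Exchange servers, export with the private key and a non-blank password.
$pfxPassword = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded:$true -Password $pfxPassword -Path C:\Cert.pfx
```

Run it line by line in the Exchange Management Shell rather than as one script, since step 2 depends on the CA having issued the certificate first.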
