[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Exchange 2007 renewing local ssl certs importing tumbprint

Posted on 2009-02-13
Medium Priority
Last Modified: 2012-05-06
Hi experts

I'm having a problem with exchange 2007, In essence i installed an exchange 2007 server last year. About a week ago my client started getting ssl cert errors locally, stating that there is a domain name mismatch on the ssl cert for the server. I logged on to find that the cert was out of date a renewed it by creating a local ssl cert from our server.

We dont use owa externally so a ssl cert from a known  provider is really not necessary (I think). Since renewing the ssl cert i have been experiencing loads of exchange errors and mail delays, as well as an error messages stating that the queue viewer cannot connect to the exchange transport service. Other errors include,

Microsoft Exchange couldn't find a certificate with a thumbprint of xxxxxxxx in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate xxxxxxx “Çôservices SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN


Microsoft Exchange couldn't find a certificate that contains the domain name mail.xxx.co.uk in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of mail.xxx.co.uk. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

I am guessing that I need to import a thumb print to exchange or something along these lines to rectify the issue but as I am new to exchange 2007 i really don't know where to start.

Any help would be much appreciate

Thanks in advance
Question by:markbenham
  • 4
  • 3

Expert Comment

ID: 23631943
If you issue a new certificate from your internal CA, make sure its has all the SAN names in it.


Then import that certifcate with the import-exchangecertificate cmdlet
Then enable it with the Enable-exchangecertificate -thumbprint pastethumbprinthere -services IIS, SMTP, POP

run iisreset /noforce and you should be ok

Now if you have several exchange server you have to install the certificate on those servers to.

Export the certificate to a pfx file to get your private key with it, and remember to set a password IMPORTANT! Password cant be blank.


Author Comment

ID: 23632194
Hi Remi

Thaks for the help, bit confused as to the ssl cert i have just renewed the old one using iis however the new cert make no indication of any other SAN names but mail.mydomain.local
how do i issue a cert which includes muliiple SAN names?

do you know of a good article on how to create the relevant ssl cert and how to apply it which i can follow, or would it be possible to list stepby step instructions on how to do this.

i know it's sking allot but i dont really want to get this wrong.

once again thaks fo all the help so far

Accepted Solution

Pret0rian earned 1500 total points
ID: 23632264
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.


Author Comment

ID: 23632318
thanks will have a look now and get back to you

Author Comment

ID: 23632575
how do i find out what the autodicovery domain is set to?


Expert Comment

ID: 23632644
if your external domain is Mydomain.com the you should put in autodiscover.mydomain.com

When Outlook connect to the Exchange server it will use the autodiscover.yourdomain.com to get the urls for the services needed.

Your outlook client will try hardcoded urls


and some others

So remember that you you will have to create internal and external DNS records for that.


Author Comment

ID: 23632794
i keep getting a syntex error when creating the csr in essence this is what im typing in

New-ExchangeCertificate -GenerateRequest - Domainname mail.xxxx.com, ServerName.xxxx.local, autodiscover.xxxx.com, ServerName -FriendlyName mail.demo.com -PrivateKeyExportable: $True -path c:\Cert.req

the error occurs on the 24th character which is the hyphen (-) i have deleted the hyphen and still get  syntex error for generaterequest

am i going wrong some where??

am i suppose to ype in the server name where it say or leave it as is.

sorry for making something so simple complicated.

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
There can be many situations demanding the conversion of Outlook OST files to PST format and as such, there is no shortage of automated tools to perform this conversion. However, what makes Stellar OST to PST converter stand above the rest? Let us e…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question