markbenham
Exchange 2007 renewing local ssl certs importing tumbprint
Hi experts
I'm having a problem with Exchange 2007. In essence I installed an Exchange 2007 server last year. About a week ago my client started getting SSL cert errors locally, stating that there is a domain name mismatch on the SSL cert for the server. I logged on to find that the cert was out of date and renewed it by creating a local SSL cert from our server.
We don't use OWA externally so an SSL cert from a known provider is really not necessary (I think). Since renewing the SSL cert I have been experiencing loads of Exchange errors and mail delays, as well as an error message stating that the queue viewer cannot connect to the Exchange transport service. Other errors include:
Microsoft Exchange couldn't find a certificate with a thumbprint of xxxxxxxx in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate xxxxxxx -Services SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN
and
Microsoft Exchange couldn't find a certificate that contains the domain name mail.xxx.co.uk in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of mail.xxx.co.uk. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.
I am guessing that I need to import a thumbprint to Exchange or something along these lines to rectify the issue, but as I am new to Exchange 2007 I really don't know where to start.
Any help would be much appreciated.
Thanks in advance
ASKER
Hi Remi
Thanks for the help. Bit confused as to the SSL cert: I have just renewed the old one using IIS, however the new cert makes no indication of any other SAN names but mail.mydomain.local.
How do I issue a cert which includes multiple SAN names?
Do you know of a good article on how to create the relevant SSL cert and how to apply it which I can follow, or would it be possible to list step-by-step instructions on how to do this?
I know it's asking a lot but I don't really want to get this wrong.
Once again thanks for all the help so far
ASKER CERTIFIED SOLUTION
ASKER
thanks will have a look now and get back to you
ASKER
How do I find out what the Autodiscover domain is set to?
If your external domain is mydomain.com then you should put in autodiscover.mydomain.com.
When Outlook connects to the Exchange server it will use autodiscover.yourdomain.com to get the URLs for the services needed.
Your Outlook client will try hardcoded URLs:
autodiscover.yourdomain.com
yourdomain.autodiscover.com
and some others
So remember that you will have to create internal and external DNS records for that.
Remi
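As an added example (not part of the thread), the following Exchange Management Shell script answers the "what is the Autodiscover domain set to" question directly: it reads the Autodiscover URI and the service URLs Exchange 2007 hands to Outlook, checks that each host name resolves in DNS, and prints the list of names a replacement certificate has to carry in its -DomainName list. The domain xxxx.com and the server name EX01 are placeholders I chose, not values from the thread.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Exchange 2007 server. xxxx.com / EX01 are assumed placeholders.

$smtpDomain = "xxxx.com"   # assumption: the SMTP domain users have in their e-mail address

# URLs Exchange publishes to Outlook (Autodiscover itself, then EWS, OAB, OWA).
$urls = @()
$urls += (Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })

# Outlook's own first guesses are https://<smtp domain>/autodiscover/autodiscover.xml
# and https://autodiscover.<smtp domain>/..., so those two hosts belong on the list too.
$hosts  = @($smtpDomain, "autodiscover.$smtpDomain")
$hosts += ($urls | Where-Object { $_ } | ForEach-Object { ([System.Uri]$_).Host })
$hosts  = $hosts | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# Every host must resolve from the client's network; the thread's advice about
# internal and external DNS records is exactly this check.
foreach ($h in $hosts) {
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($h) | Select-Object -First 1
        "{0,-40} resolves to {1}" -f $h, $ip
    } catch {
        Write-Warning ("{0} does not resolve; create an internal/external DNS record for it" -f $h)
    }
}

# These are the names the certificate's -DomainName (SAN) list has to include,
# or Outlook will show the name-mismatch warning described at the top of the thread.
"Names to put in the certificate: " + ($hosts -join ", ")

# If the internal Autodiscover URI points at the wrong host name, change it, e.g.:
# Set-ClientAccessServer -Identity EX01 `
#     -AutoDiscoverServiceInternalUri "https://autodiscover.$smtpDomain/Autodiscover/Autodiscover.xml"
```

The resolution check runs from the server, so run it once more from a client workstation (or a laptop on the external network) to confirm the external records as well.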
ASKER
I keep getting a syntax error when creating the CSR. In essence this is what I'm typing in:
New-ExchangeCertificate -GenerateRequest - Domainname mail.xxxx.com, ServerName.xxxx.local, autodiscover.xxxx.com, ServerName -FriendlyName mail.demo.com -PrivateKeyExportable: $True -path c:\Cert.req
The error occurs on the 24th character which is the hyphen (-). I have deleted the hyphen and still get a syntax error for GenerateRequest.
Am I going wrong somewhere??
Am I supposed to type in the server name where it says, or leave it as is?
Sorry for making something so simple complicated.
eks,
mail.yourdomain.com
NETBIOS
FQDN
autodiscover.yourdomain.com
Then import that certificate with Import-ExchangeCertificate.
Then enable it with Enable-ExchangeCertificate.
Run iisreset /noforce and you should be OK.
Now if you have several Exchange servers you have to install the certificate on those servers too.
Export the certificate to a PFX file to get your private key with it, and remember to set a password. IMPORTANT! The password can't be blank.
Remi
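The whole procedure from Remi's answers, carried through as one added Exchange Management Shell script (my example, not code from the thread): request a certificate whose SAN list covers the external name, the server FQDN, the NetBIOS name and the Autodiscover name, import and enable it for SMTP and IIS, verify that every connector FQDN is covered (which is what the "unable to offer the STARTTLS SMTP verb" event complains about), restart IIS, and export a password-protected PFX for any other Exchange server. It also shows the fix for the asker's syntax error: the parameter is -DomainName with no space after the hyphen. Names such as xxxx.com, xxxx.local and EX01, the file paths under C:\, and the use of Exchange 2007 SP1 (needed for Export-ExchangeCertificate) are assumptions.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell
# on the Exchange 2007 SP1 server. All host names and paths below are assumed placeholders.

$externalName  = "mail.xxxx.com"           # name users and connectors use
$autodiscover  = "autodiscover.xxxx.com"
$serverNetbios = "EX01"                    # NetBIOS name of the Exchange server
$serverFqdn    = "EX01.xxxx.local"         # internal AD FQDN of the server
$sanNames      = $externalName, $serverFqdn, $autodiscover, $serverNetbios

# 1. Generate the CSR. Note "-DomainName" with no space after the hyphen:
#    "- Domainname" is what produced the syntax error in the question.
#    The Subject CN should be the name clients connect to; the rest go in the SAN list.
#    -PrivateKeyExportable $true is what later allows the PFX export for other servers.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$externalName" `
    -DomainName $sanNames `
    -FriendlyName $externalName `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path C:\cert.req

# 2. Submit C:\cert.req to a CA (an internal Windows Enterprise CA is fine when nothing
#    external has to trust the cert) and save the issued certificate as C:\cert.cer.
#    Import-ExchangeCertificate returns the certificate object, so keep its thumbprint.
$cert = Import-ExchangeCertificate -Path C:\cert.cer

# 3. Bind the new certificate to SMTP (STARTTLS and server-to-server auth) and IIS
#    (OWA, Autodiscover, EWS). Exchange asks before replacing the default SMTP
#    certificate; answer Yes.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "SMTP, IIS"

# 4. Check: every Send/Receive connector FQDN must be one of the certificate's
#    domains, otherwise the STARTTLS event from the question comes back.
$tlsCert     = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$certDomains = $tlsCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$connectorFqdns = @(Get-ReceiveConnector) + @(Get-SendConnector) |
    ForEach-Object { $_.Fqdn } |
    Where-Object { $_ } |                           # Fqdn may be unset; skip those
    ForEach-Object { $_.ToString().ToLower() } |
    Sort-Object -Unique
foreach ($f in $connectorFqdns) {
    if ($certDomains -notcontains $f) {
        Write-Warning "Connector FQDN $f is not in the certificate; TLS for that connector will fail"
    }
}

# Show what is now installed: Services should list SMTP and IIS on the new thumbprint.
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter

# 5. Make IIS pick up the new binding.
iisreset /noforce

# 6. Other Exchange servers need the same certificate with its private key: export a
#    PFX. The password must not be blank; Read-Host -AsSecureString keeps it off screen.
$pfxPassword = Read-Host "PFX password (cannot be blank)" -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Path C:\exchange.pfx -Password $pfxPassword

# On each other server, in its own Exchange Management Shell:
#   $c = Import-ExchangeCertificate -Path C:\exchange.pfx -Password $pfxPassword
#   Enable-ExchangeCertificate -Thumbprint $c.Thumbprint -Services "SMTP, IIS"
```

Once the new certificate is enabled for SMTP, the "couldn't find a certificate with a thumbprint of ..." event stops, because that event refers to the old certificate that the IIS renewal replaced; the transport service re-reads the SMTP certificate binding on its own, but restarting the Microsoft Exchange Transport service is a harmless way to confirm. Treat C:\exchange.pfx as a secret (it carries the private key) and delete it from the disk after the import on the other servers.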