
Exchange 2007 renewing local SSL certs, importing thumbprint

Last Modified: 2012-05-06
Hi experts

I'm having a problem with Exchange 2007. In essence, I installed an Exchange 2007 server last year. About a week ago my client started getting SSL cert errors locally, stating that there is a domain name mismatch on the SSL cert for the server. I logged on to find that the cert was out of date and renewed it by creating a local SSL cert from our server.

We don't use OWA externally, so an SSL cert from a known provider is really not necessary (I think). Since renewing the SSL cert I have been experiencing loads of Exchange errors and mail delays, as well as an error message stating that the queue viewer cannot connect to the Exchange transport service. Other errors include:

Microsoft Exchange couldn't find a certificate with a thumbprint of xxxxxxxx in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate xxxxxxx -services SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN

and

Microsoft Exchange couldn't find a certificate that contains the domain name mail.xxx.co.uk in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of mail.xxx.co.uk. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

I am guessing that I need to import a thumbprint into Exchange, or something along these lines, to rectify the issue, but as I am new to Exchange 2007 I really don't know where to start.

Any help would be much appreciated.

Thanks in advance

CERTIFIED EXPERT

Commented:
If you issue a new certificate from your internal CA, make sure it has all the SAN names in it,
e.g.,

mail.yourdomain.com
NETBIOS
FQDN
autodiscover.yourdomain.com

Then import that certificate with the Import-ExchangeCertificate cmdlet.
Then enable it with Enable-ExchangeCertificate -Thumbprint pastethumbprinthere -Services IIS, SMTP, POP

Run iisreset /noforce and you should be OK.

Now if you have several Exchange servers you have to install the certificate on those servers too.

Export the certificate to a .pfx file to get your private key with it, and remember to set a password. IMPORTANT! The password can't be blank.

Remi

Author

Commented:
Hi Remi

Thanks for the help. Bit confused as to the SSL cert: I have just renewed the old one using IIS, however the new cert makes no indication of any other SAN names but mail.mydomain.local.
How do I issue a cert which includes multiple SAN names?

Do you know of a good article on how to create the relevant SSL cert and how to apply it which I can follow, or would it be possible to list step-by-step instructions on how to do this?

I know it's asking a lot, but I don't really want to get this wrong.

Once again, thanks for all the help so far.
CERTIFIED EXPERT
Commented:


Author

Commented:
Thanks, will have a look now and get back to you.

Author

Commented:
How do I find out what the autodiscover domain is set to?

CERTIFIED EXPERT

Commented:
If your external domain is mydomain.com then you should put in autodiscover.mydomain.com.

When Outlook connects to the Exchange server it will use autodiscover.yourdomain.com to get the URLs for the services needed.

Your Outlook client will try hardcoded URLs:

autodiscover.yourdomain.com
yourdomain.autodiscover.com

and some others

So remember that you will have to create internal and external DNS records for that.

Remi

Author

Commented:
I keep getting a syntax error when creating the CSR. In essence this is what I'm typing in:

New-ExchangeCertificate -GenerateRequest - Domainname mail.xxxx.com, ServerName.xxxx.local, autodiscover.xxxx.com, ServerName -FriendlyName mail.demo.com -PrivateKeyExportable: $True -path c:\Cert.req

The error occurs on the 24th character, which is the hyphen (-). I have deleted the hyphen and still get a syntax error for GenerateRequest.

Am I going wrong somewhere?

Am I supposed to type in the server name where it says, or leave it as is?

Sorry for making something so simple complicated.
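The procedure Remi outlines above (request a SAN certificate from the internal CA, import it, enable it for the Exchange services, export it as a password-protected .pfx for other servers) and the CSR command that is failing in the last post, written out as one Exchange 2007 Management Shell script. This is an added example, not code from the thread or from Microsoft; all host names, file paths and the friendly name are placeholders to replace with your own. It also adds a check that every Send and Receive connector FQDN appears in the enabled certificate's domains, which is the condition behind the STARTTLS error quoted in the question.

```powershell
# Added example (not from the thread): Exchange 2007 Management Shell steps for
# requesting, importing, enabling and exporting a SAN certificate, plus a check
# that every SMTP connector FQDN is covered. Every name below is a placeholder.

$ExternalName  = "mail.example.com"           # placeholder: external SMTP/OWA name
$ServerFqdn    = "EXCH01.corp.example.local"  # placeholder: server's internal FQDN
$ServerNetbios = "EXCH01"                     # placeholder: server's NetBIOS name
$Autodiscover  = "autodiscover.example.com"   # placeholder: Autodiscover name

# 1. Generate the request. All SAN names go in -DomainName as one comma-separated
#    list; there must be no space between the hyphen and the parameter name.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$ExternalName" `
    -DomainName $ExternalName,$ServerFqdn,$ServerNetbios,$Autodiscover `
    -FriendlyName $ExternalName `
    -PrivateKeyExportable $true `
    -Path C:\Cert.req

# 2. Submit C:\Cert.req to the internal CA (Web Server template with the SANs
#    honoured), save the issued certificate as C:\Cert.cer, then import it. The
#    private key is already in the local machine store from step 1.
Import-ExchangeCertificate -Path C:\Cert.cer

# 3. Locate the new certificate by friendly name, enable it for the services
#    Exchange uses, and recycle IIS so OWA/Autodiscover pick it up.
$Cert = Get-ExchangeCertificate |
        Where-Object { $_.FriendlyName -eq $ExternalName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS,SMTP,POP,IMAP
iisreset /noforce

# 4. Verify: each connector's Fqdn must be one of the certificate's domains,
#    otherwise Exchange cannot offer STARTTLS on that connector.
$CertDomains    = @($Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$ConnectorFqdns = (@(Get-ReceiveConnector) + @(Get-SendConnector)) |
                  ForEach-Object { $_.Fqdn } |
                  Where-Object { $_ } |
                  ForEach-Object { $_.ToString().ToLower() } |
                  Sort-Object -Unique
foreach ($Fqdn in $ConnectorFqdns) {
    if ($CertDomains -notcontains $Fqdn) {
        Write-Warning "Connector FQDN '$Fqdn' is not on certificate $($Cert.Thumbprint)"
    }
}

# 5. Export with the private key for the other Exchange servers. The password
#    is mandatory; import on the other server with Import-ExchangeCertificate
#    -Path C:\Cert.pfx -Password <same SecureString>.
$PfxPassword = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $Cert.Thumbprint -BinaryEncoded:$true `
    -Path C:\Cert.pfx -Password $PfxPassword
```

Step 4 is worth running on its own whenever a certificate is replaced: an empty warning list means every connector FQDN is covered, and a warning names the connector whose FQDN (or the certificate's SAN list) needs correcting before mail flow between servers will negotiate TLS again.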