markbenham asked:
Exchange 2007: renewing local SSL certs, importing thumbprint

Hi experts

I'm having a problem with Exchange 2007. In essence, I installed an Exchange 2007 server last year. About a week ago my client started getting SSL cert errors locally, stating that there is a domain name mismatch on the SSL cert for the server. I logged on to find that the cert was out of date and renewed it by creating a local SSL cert from our server.

We don't use OWA externally, so an SSL cert from a known provider is really not necessary (I think). Since renewing the SSL cert I have been experiencing loads of Exchange errors and mail delays, as well as an error message stating that the queue viewer cannot connect to the Exchange transport service. Other errors include:

Microsoft Exchange couldn't find a certificate with a thumbprint of xxxxxxxx in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate xxxxxxx -Services SMTP to resolve the issue. If the certificate doesn't exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN

and

Microsoft Exchange couldn't find a certificate that contains the domain name mail.xxx.co.uk in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of mail.xxx.co.uk. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

I am guessing that I need to import a thumbprint into Exchange, or something along these lines, to rectify the issue, but as I am new to Exchange 2007 I really don't know where to start.

Any help would be much appreciated.

Thanks in advance
Pret0rian

If you issue a new certificate from your internal CA, make sure it has all the SAN names in it, e.g.:

mail.yourdomain.com
NETBIOS
FQDN
autodiscover.yourdomain.com

Then import that certificate with the Import-ExchangeCertificate cmdlet.
Then enable it with Enable-ExchangeCertificate -Thumbprint pastethumbprinthere -Services IIS, SMTP, POP

Run iisreset /noforce and you should be OK.

Now, if you have several Exchange servers, you have to install the certificate on those servers too.

Export the certificate to a PFX file to get your private key with it, and remember to set a password. IMPORTANT! The password can't be blank.

Remi
markbenham (ASKER)
Hi Remi

Thanks for the help. A bit confused as to the SSL cert: I have just renewed the old one using IIS; however, the new cert makes no indication of any other SAN names but mail.mydomain.local.
How do I issue a cert which includes multiple SAN names?

Do you know of a good article on how to create the relevant SSL cert and how to apply it which I can follow, or would it be possible to list step-by-step instructions on how to do this?

I know it's asking a lot, but I don't really want to get this wrong.

Once again, thanks for all the help so far.
ASKER CERTIFIED SOLUTION
Pret0rian

Thanks, will have a look now and get back to you.
How do I find out what the autodiscover domain is set to?

If your external domain is mydomain.com, then you should put in autodiscover.mydomain.com.

When Outlook connects to the Exchange server it will use autodiscover.yourdomain.com to get the URLs for the services needed.

Your Outlook client will try hardcoded URLs:

autodiscover.yourdomain.com
yourdomain.autodiscover.com

and some others.

So remember that you will have to create internal and external DNS records for that.

Remi
I keep getting a syntax error when creating the CSR. In essence, this is what I'm typing in:

New-ExchangeCertificate -GenerateRequest - Domainname mail.xxxx.com, ServerName.xxxx.local, autodiscover.xxxx.com, ServerName -FriendlyName mail.demo.com -PrivateKeyExportable: $True -path c:\Cert.req

The error occurs on the 24th character, which is the hyphen (-). I have deleted the hyphen and still get a syntax error for GenerateRequest.

Am I going wrong somewhere?

Am I supposed to type in the server name where it says, or leave it as is?

Sorry for making something so simple complicated.
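The renewal procedure Remi outlines above (request with SAN names, import, enable, iisreset, export as PFX), the checks that sit behind the two event-log errors quoted in the question, the autodiscover lookups from the later reply, and a correctly written form of the New-ExchangeCertificate request from the last post, as an added example that is not part of the original thread. It is written for the Exchange 2007 Management Shell, where the *-ExchangeCertificate cmdlets are loaded; the host name, the mail.xxxx.com / autodiscover.xxxx.com / xxxx.local names and the C:\ paths are assumptions, and the export step assumes Exchange 2007 SP1, which is where Export-ExchangeCertificate and the -Password parameter of Import-ExchangeCertificate appear.

```powershell
# Added example, not from the original thread. Run in the Exchange 2007
# Management Shell. Every name and path below is an assumption; replace them.

$server  = $env:COMPUTERNAME                                      # NetBIOS name
$fqdn    = [System.Net.Dns]::GetHostEntry($server).HostName       # e.g. server.xxxx.local
$primary = "mail.xxxx.com"                                        # name clients and connectors use
$names   = $primary, $fqdn, "autodiscover.xxxx.com", $server      # full SAN list
$reqPath = "C:\Cert.req"   # request handed to the internal CA
$cerPath = "C:\Cert.cer"   # certificate the CA issues from that request
$pfxPath = "C:\Cert.pfx"   # export with private key, for the other Exchange servers

# 1. Generate the request. Parameter names have no space after the hyphen
#    ("-DomainName", not "- Domainname"); that is the form the cmdlet accepts.
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "cn=$primary" -DomainName $names `
    -FriendlyName $primary -Path $reqPath

# 2. Submit C:\Cert.req to the internal CA (web enrollment or certreq.exe),
#    save the issued certificate as C:\Cert.cer, then import it. The import
#    pairs it with the private key from step 1 and places it in the local
#    computer's personal store, which is where the transport service looks.
Import-ExchangeCertificate -Path $cerPath

# 3. Enable the newest certificate carrying the primary name, then recycle IIS.
$cert = Get-ExchangeCertificate -DomainName $primary |
        Sort-Object NotAfter -Descending | Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP"
iisreset /noforce

# 4. Checks that map onto the two event-log errors from the question.
#    a) The thumbprint the transport expects must exist in the personal store
#       with SMTP among its enabled services; compare against this listing.
Get-ExchangeCertificate |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter, IsSelfSigned

#    b) STARTTLS is offered on a connector only when its FQDN appears in an
#       SMTP-enabled certificate, so flag every connector FQDN the new
#       certificate's SAN list does not cover.
$covered    = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$connectors = @(Get-ReceiveConnector -Server $server) + @(Get-SendConnector)
foreach ($c in $connectors) {
    $connFqdn = "$($c.Fqdn)"                    # empty when no FQDN is set
    if ($connFqdn -and ($covered -notcontains $connFqdn)) {
        Write-Warning "Connector '$($c.Identity)' uses FQDN '$connFqdn', which is not in the certificate"
    }
}

# 5. Autodiscover: the internal URL this CAS hands to Outlook, plus a DNS
#    check for the names Outlook will try. Both must resolve where the
#    clients are, so repeat the lookup from an internal and an external client.
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri
foreach ($name in $primary, "autodiscover.xxxx.com") {
    try   { $ip = [System.Net.Dns]::GetHostAddresses($name)[0].IPAddressToString; "$name -> $ip" }
    catch { Write-Warning "$name does not resolve from this server" }
}

# 6. Export with the private key for the other Exchange servers (SP1 cmdlet).
#    The password cannot be blank. On the other server, import it with
#    Import-ExchangeCertificate -Path C:\Cert.pfx -Password $pw and then
#    run Enable-ExchangeCertificate for the services that server provides.
$pw = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path $pfxPath -Password $pw
```

Step 4b is the check worth keeping: the second event in the question names a connector FQDN (mail.xxx.co.uk) that no certificate in the store covers, and this loop reports exactly that mismatch for every Receive and Send connector before the next mail delay does.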