Dingus asked:
Exchange server Certificate problems

I'm getting the error :

Microsoft Exchange couldn't find a certificate that contains the domain name roa.pt-usa.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default with a FQDN parameter of roa.pt-usa.net. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

in Exchange, which in essence shuts down our Outlook Web Mail. I have to go and manually restart the IIS Admin service to get it working again, but it stops working again a random time later (less than a day).

I know next to nothing about the proper setup of certificates on a server. I do have domain admin access to the server, and can get into the Certificates (local computer) and Certificate Authority (local) on the Exchange server. Any suggestions on how to fix this?

It's an Exchange 2007 server running Server 2003 SP2. I'm a bit lost and over my head here, but very willing to listen to suggestions, and I can follow instructions very well. :) I just know very little about certificates.

Any suggestions or help will be greatly appreciated.
Rick Fee

Your cert is set to expire today, which is the problem. You need to reissue that cert.
Dingus (ASKER)

The certificate generated is a .csr file, but the certificate will not import as a .csr, only a .cer or .crt. How do I generate the correct type of certificate, or import the .csr file?
Have you checked my above articles? They have all the required details.
You have a self-signed cert, so there is no need to generate a CSR.

Basically, open the Exchange Shell Console.
Run: Get-ExchangeCertificate | fl

Record the thumbprint for the expired cert.

Then run: Get-ExchangeCertificate -Thumbprint "expiredcertthumbprint" | New-ExchangeCertificate

Then:

Enable-ExchangeCertificate -Thumbprint "newcertthumbprint" -Services IIS

https://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html


Dingus (ASKER)

I think part of the problem is that we have an external domain name that points to the Exchange server. That certificate, loc.domain.com, is expired and I can't get Exchange to generate a new one for it. I have a valid certificate for Exchange itself. I was able to generate a new one within the certificate manager itself.

I can't figure out how to create one for the loc.domain.com external pointer. We had one that was valid until last week. When I try to renew it or create a new one within the certificate manager, it tells me "You do not have permission to request a certificate based on the selected certificate template."

I'm still getting tons of errors in the event viewer from MSExchangeTransport stating:

Microsoft Exchange couldn't find a certificate that contains the domain name roa.domain.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default with a FQDN parameter of roa.pt-usa.net. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key

They seem to occur in the event viewer every 5-15 minutes.
On which Exchange role are you getting this error: CAS, Hub, Edge? Your certificate is not properly configured. You need to generate a correct CSR and then follow the steps I have mentioned in my above links.
Your certificate on your CAS server that is enabled for IIS expired last Thursday: roa.pt-usa.net.
 

Dingus (ASKER)

EndureKona, that's the one I'm having trouble renewing properly. All the Exchange certificates are current. Will the steps outlined by Khurramullah work for that cert?
No. Khurramullah's steps would work if you were going to get your cert from another location, like a public cert provider such as Verisign. No CSR is needed. You can resolve this all in the Exchange Shell Console on your CAS server:

The thumbprint for your expired cert appears to be:  ¿bc fe f4 e6 14 26 7e 20 42 0e 2e 73 e4 83 ca 6d 17 ae 43 3c

so the command you want to run in the Exchange Shell Console

Get-ExchangeCertificate -thumbprint ¿bc fe f4e614267e20420e2e73e483ca6d17ae433c | New-ExchangeCertificate

This should give you an output of a new thumbprint.... copy this new thumbprint and run:

Enable-ExchangeCertificate -Thumbprint "newcertthumbprint" -Services IIS

https://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

Ugh, looks like it put a check mark in the thumbprint.... Here is the thumbprint of the expired cert... you don't want any spaces in the thumbprint when running the command.
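The renewal procedure from the two posts above (Get-ExchangeCertificate, piped into New-ExchangeCertificate, then Enable-ExchangeCertificate) written out as one Exchange Management Shell script; this is an added example, not code from the thread or from Microsoft. It assumes the expired cert is self-signed, takes the thumbprint string from the thread as a constructed input, and falls back to IIS,SMTP when the old cert reports no services; it also strips the pasted thumbprint to hex digits and checks the receive connector FQDNs that the MSExchangeTransport STARTTLS event refers to.

```powershell
# Run in the Exchange Management Shell on the CAS/Hub server (Exchange 2007).
# Added example: renew an expired self-signed Exchange certificate by cloning it.

# 1. Thumbprint as pasted from 'Get-ExchangeCertificate | fl' or the event log.
#    Keep only hex digits so spaces or stray characters (the thread's "¿") do not break the lookup.
$rawThumbprint = 'bc fe f4 e6 14 26 7e 20 42 0e 2e 73 e4 83 ca 6d 17 ae 43 3c'   # constructed from the thread
$thumbprint = ($rawThumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
if ($thumbprint.Length -ne 40) { throw "Thumbprint must be 40 hex characters, got '$thumbprint'" }

# 2. Inspect the old certificate before changing anything.
$old = Get-ExchangeCertificate -Thumbprint $thumbprint
$oldDomains = @($old.CertificateDomains | ForEach-Object { "$_" })
"Subject : $($old.Subject)"
"Domains : $($oldDomains -join ', ')"
"Services: $($old.Services)"
"Expires : $($old.NotAfter)  (expired: $($old.NotAfter -lt (Get-Date)))"

# Self-signed heuristic (assumption): subject equals issuer. A CA-issued cert must be
# renewed through that CA with a CSR instead of being cloned here.
if ($old.Subject -ne $old.Issuer) { throw "Certificate is not self-signed; renew it via your CA" }

# 3. Every receive connector FQDN must be in the certificate, or MSExchangeTransport
#    keeps logging the STARTTLS event. Exact-match check only; wildcards are not expanded.
$connectorFqdns = Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" } | Where-Object { $_ } | Sort-Object -Unique
$missing = $connectorFqdns | Where-Object { $oldDomains -notcontains $_ }
if ($missing) { "Warning: connector FQDN(s) not covered by the certificate: $($missing -join ', ')" }

# 4. Clone the old cert into a new self-signed one (same subject and domains, new validity),
#    then enable it for the services the old one served. Exchange prompts before it
#    overwrites the default SMTP certificate; answer Yes to replace it.
$new = $old | New-ExchangeCertificate
"New thumbprint: $($new.Thumbprint)  valid until $($new.NotAfter)"

$services = "$($old.Services)"
if (-not $services -or $services -eq 'None') { $services = 'IIS,SMTP' }   # assumed fallback
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services

# 5. Verify the result. Remove the expired cert only after the new one is confirmed working.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Thumbprint, Services, CertificateDomains, NotAfter
# Remove-ExchangeCertificate -Thumbprint $thumbprint
```

Clients that trusted the old self-signed cert will need to trust the new one as well, since cloning produces a new key pair and thumbprint.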



Dingus (ASKER)

When I run that command without the spaces, I get:  Get-ExchangeCertificate : The certificate with thumbprint BCFEF4E614267E20420E2E73E483CA6D17AE433C was found but is not valid for use with Exchange Server (reason: KeyAlgorithmUnsupported).
At line:1 char:24+ Get-ExchangeCertificate  <<<< -thumbprint bcfef4e614267e20420e2e73e483ca6d17a
e433c | New-ExchangeCertificate

If I leave in the upside down question mark, it runs, but outputs nothing, just goes back to the prompt. I've tried it without the question mark and with quotes, but get the same error. From what I read in that link, it appears to be correct syntax, but errors out.

I've tried removing the space and - and reentering them, but it gives the same error. I tried typing the entire thing, with the correct thumbprint, in by hand instead of copying, and got the same error.
Self signed certificate will not work with Outlook Anywhere and OWA users will also get security prompts. Please check the details below from MS about the limitations of a self-signed certificate:

Limitations of a self-signed certificate:
Expiration Date: The self-signed certificate is valid for one year from the date of creation in versions of Exchange 2007 that are earlier than Exchange 2007 Service Pack 2 (SP2). Self-signed certificates are valid for five years from the date of creation in Exchange 2007 SP2 or in later versions. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.

Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.

Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.

Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.

ASKER CERTIFIED SOLUTION
Rick Fee

This solution is only available to members.
EndureKona, you are reading my statement incorrectly; read till the full stop, that is, "Self signed certificate will not work with outlook anywhere and OWA users will also get security prompts".
If the author installs a self-signed certificate for OWA, then external users will not trust it and will get a non-trusted certificate message, because the self-signed certificate's CA is the local Exchange server; that's why the CA for the OWA certificate should be public, such as Verisign or Thawte, for a correct OWA user experience.
This can be resolved by installing the cert on the workstation. With a self-signed cert, installing it on the workstation is required for Outlook Anywhere.
I agree a public cert is better, but this individual here has been using a self-signed cert, and the problem is that it is expired.
Dingus (ASKER)

Thank you for the help.