• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 874

Exchange server Certificate problems

I'm getting the error :

Microsoft Exchange couldn't find a certificate that contains the domain name roa.pt-usa.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default with a FQDN parameter of roa.pt-usa.net. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

in Exchange, which in essence shuts down our Outlook Web Mail. I have to go and manually restart the IIS Admin service to get it working again, but it stops working again a random time later (less than a day).

I know next to nothing about the proper setup of certificates on a server. I do have domain admin access to the server, and can get into the Certificates (local computer) and Certificate Authority (local) on the Exchange server. Any suggestions on how to fix this?

It's an Exchange 2007 server running Server 2003 SP2. I'm a bit lost and over my head here, but very willing to listen to suggestions and I can follow instructions very well. :) I just know very little about certificates.

Any suggestions or help will be greatly appreciated.
0
Dingus
Asked:
Dingus
1 Solution
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Your cert is set to expire today, which is the problem. You need to reissue that cert.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
In addition, instructions on how to renew it: https://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
0
 
DingusAuthor Commented:
The certificate generated is a .csr file, but the certificate will not import as a .csr, only as a .cer or .crt. How do I generate the correct type of certificate, or import the .csr file?
0
 
Khurram Ullah KhanCommented:
Have you checked my above articles? They have all the required details.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
You have a self-signed cert; there is no need to generate a CSR.

Basically, open the Exchange Management Shell and run:

get-exchangecertificate | fl

Record your thumbprint for the expired cert.

Then run:

Get-ExchangeCertificate -thumbprint "expiredcertthumbprint" | New-ExchangeCertificate

Then:

Enable-ExchangeCertificate -thumbprint "newcertthumbprint" -services IIS

https://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html


0
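The renew-by-cloning procedure from the answer above, written out as one script so the expiring certificate is found by its expiry date and IIS service binding rather than by hand-copying a thumbprint. This is an added example, not code from the thread or from the linked article; it assumes it is run in the Exchange 2007 Management Shell, and the 30-day warning threshold is a constructed choice.

```powershell
# Added example: audit the certificates Exchange knows about, then renew the
# expiring self-signed one that is enabled for IIS (OWA) by cloning it.
# Assumes the Exchange 2007 Management Shell. The 30-day threshold is constructed.

$warnDays = 30
$now = Get-Date

# 1. Inventory, soonest expiry first, so an operator sees what is about to break.
$certs = Get-ExchangeCertificate | Sort-Object NotAfter
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $warnDays) { 'EXPIRING' } else { 'ok' }
    "{0,-40} {1,-8} {2,5} days  services={3}  domains={4}" -f `
        $c.Thumbprint, $state, $daysLeft, $c.Services, ($c.CertificateDomains -join ',')
}

# 2. Pick the expired or expiring certificate that is enabled for IIS.
$old = $certs |
    Where-Object { $_.NotAfter -lt $now.AddDays($warnDays) -and ($_.Services -match 'IIS') } |
    Select-Object -First 1
if ($old -eq $null) {
    'No expired or expiring IIS certificate found; nothing to do.'
    return
}

# 3. Clone it into a fresh self-signed certificate with the same subject and
#    domain names. This is the step that throws KeyAlgorithmUnsupported when
#    the old certificate's key type cannot be reused by Exchange.
$new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate

# 4. Bind the new certificate to the same services, then retire the old one so
#    transport and IIS cannot fall back to the expired key.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services -Confirm:$false
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
"Replaced {0} with {1} (valid until {2})" -f $old.Thumbprint, $new.Thumbprint, $new.NotAfter
```

Run the inventory part first on its own; the thumbprint and `CertificateDomains` columns show whether the certificate that is expiring actually carries the name the connector or OWA URL uses, which is what the MSExchangeTransport event checks for.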
 
DingusAuthor Commented:
I think part of the problem is that we have an external domain name that points to the Exchange server. That certificate, loc.domain.com, is expired and I can't get Exchange to generate a new one for it. I have a valid certificate for Exchange itself. I was able to generate a new one within the certificate manager itself.

I can't figure out how to create one for the loc.domain.com external pointer. We had one that was valid until last week. When I try to renew it or create a new one within the certificate manager, it tells me "You do not have permission to request a certificate based on the selected certificate template."

I'm still getting tons of errors in the event viewer from MSExchangeTransport stating:

Microsoft Exchange couldn't find a certificate that contains the domain name roa.domain.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default with a FQDN parameter of roa.pt-usa.net. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key

They seem to occur in the event viewer every 5-15 minutes.
0
 
Khurram Ullah KhanCommented:
Which Exchange role are you getting this error on: CAS, Hub, Edge? Your certificate is not properly configured. You need to generate a correct CSR and then follow the steps I have mentioned in my above links.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Your certificate on your CAS server that is enabled for IIS is expired (last Thursday): roa.pt-usa.net.

Image2.gif
0
 
DingusAuthor Commented:
EndureKona, that's the one I'm having trouble renewing properly. All the Exchange certificates are current. Will the steps outlined by Khurramullah work for that cert?
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
No. khurramullah's steps would work if you were going to get your cert from another location, like a public cert provider such as Verisign. No CSR is needed. You can resolve this all in the Exchange Management Shell on your CAS server.

The thumbprint for your expired cert appears to be: ¿bc fe f4 e6 14 26 7e 20 42 0e 2e 73 e4 83 ca 6d 17 ae 43 3c

So the command you want to run in the Exchange Management Shell is:

Get-ExchangeCertificate -thumbprint ¿bc fe f4e614267e20420e2e73e483ca6d17ae433c | New-ExchangeCertificate

Then you should have an output of a new thumbprint. Copy this new thumbprint and run:

Enable-ExchangeCertificate -thumbprint "newcertthumbprint" -services IIS

https://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Ugh, looks like it put a check mark in the thumbprint. Here is the thumbprint of the expired cert. When you run the command you don't want any spaces in the thumbprint.

Image1.gif
0
 
DingusAuthor Commented:
When I run that command without the spaces, I get: Get-ExchangeCertificate : The certificate with thumbprint BCFEF4E614267E20420E2E73E483CA6D17AE433C was found but is not valid for use with Exchange Server (reason: KeyAlgorithmUnsupported).
At line:1 char:24+ Get-ExchangeCertificate  <<<< -thumbprint bcfef4e614267e20420e2e73e483ca6d17a
e433c | New-ExchangeCertificate

If I leave in the upside down question mark, it runs, but outputs nothing, just goes back to the prompt. I've tried it without the question mark and with quotes, but get the same error. From what I read in that link, it appears to be correct syntax, but errors out.

I've tried removing the space and the hyphen and re-entering them, but it gives the same error. I tried typing the entire thing, with the correct thumbprint, in by hand instead of copying, and got the same error.
0
 
Khurram Ullah KhanCommented:
A self-signed certificate will not work with Outlook Anywhere, and OWA users will also get security prompts. Please check the details below from MS about the limitations of a self-signed certificate:

Limitations of a self-signed certificate:
Expiration Date: The self-signed certificate is valid for one year from the date of creation in versions of Exchange 2007 that are earlier than Exchange 2007 Service Pack 2 (SP2). Self-signed certificates are valid for five years from the date of creation in Exchange 2007 SP2 or in later versions. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.

Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.

Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.

Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.

0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
This is an incorrect statement: "Self signed certificate will not work with outlook anywhere and OWA"
It is not the best solution but will work. You just need to install the certs on the devices that are accessing OWA.
OK, try this from the Management Shell:
New-ExchangeCertificate -SubjectName "c=US,o=OWA,cn=roa.pt-usa.net"

Then it should show you a new thumbprint. Copy this thumbprint, then run:
Enable-ExchangeCertificate -thumbprint "newcertthumbprint" -services IIS
Once complete you can run: remove-exchangecertificate -thumbprint <oldthumbprint>
 
 
0
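The answer above creates a fresh certificate by subject name instead of cloning the old one, which sidesteps the KeyAlgorithmUnsupported failure reported earlier in the thread. The original MSExchangeTransport event, though, is about the SMTP connector FQDN, not just OWA, so a renewed certificate must carry every connector FQDN as a domain name or the STARTTLS error keeps firing. This added example (not from the thread or the linked article) builds the name list from the connectors themselves, enables the certificate for both IIS and SMTP, and then verifies coverage; it assumes the Exchange 2007 Management Shell, and the OWA host name and friendly name are placeholders to replace with the organisation's own.

```powershell
# Added example: issue a self-signed certificate whose domain names cover the
# external OWA name, the server's own FQDN and every SMTP connector FQDN, enable
# it for IIS and SMTP, then verify the coverage the transport event checks for.
# Assumes the Exchange 2007 Management Shell on the CAS/Hub server.
# Placeholders (constructed): $owaName and the friendly name.

$owaName  = 'owa.example.net'   # placeholder: external OWA / Outlook Anywhere name
$hostName = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

# Connector FQDNs: transport refuses STARTTLS on any connector whose FQDN is not
# present on a certificate in the local computer's personal store.
$connectorNames = @(Get-ReceiveConnector | ForEach-Object { $_.Fqdn }) +
                  @(Get-SendConnector    | ForEach-Object { $_.Fqdn }) |
                  Where-Object { $_ } |
                  ForEach-Object { $_.ToString().ToLower() } |
                  Sort-Object -Unique

$domains = @($owaName.ToLower(), $hostName.ToLower()) + $connectorNames | Sort-Object -Unique

# One certificate, many names: -DomainName puts each name in the SAN list.
$new = New-ExchangeCertificate `
    -SubjectName ("cn={0}" -f $owaName) `
    -DomainName $domains `
    -FriendlyName 'Exchange self-signed (renewed)' `
    -PrivateKeyExportable $true

# Bind it to both the web (OWA) and transport (STARTTLS) services.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS, SMTP' -Confirm:$false

# Verification: list any connector FQDN still not covered by an unexpired cert.
$valid   = Get-ExchangeCertificate | Where-Object { $_.NotAfter -gt (Get-Date) }
$covered = $valid | ForEach-Object { $_.CertificateDomains } |
           ForEach-Object { $_.ToString().ToLower() }
$missing = $connectorNames | Where-Object { $covered -notcontains $_ }

if ($missing) {
    "Connector FQDNs still without a valid certificate: " + ($missing -join ', ')
} else {
    "New cert {0} covers all connector FQDNs: {1}" -f $new.Thumbprint, ($connectorNames -join ', ')
}
```

Once the verification reports no missing names, the old certificate can be retired with Remove-ExchangeCertificate as the answer describes; leaving it in place does no harm to transport, but removing it keeps the store from accumulating expired keys that still bind to a name.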
 
Khurram Ullah KhanCommented:
Endurekona, you are reading my statement incorrectly. Read until the full stop, that is: "Self signed certificate will not work with outlook anywhere and OWA users will also get security prompts".
If the author installs a self-signed certificate for OWA, then external users will not trust it and they will get a non-trusted certificate message, because the CA of a self-signed certificate is the local Exchange server. That's why the CA for the OWA certificate should be public, such as Verisign or Thawte, for a correct OWA user experience.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
This can be resolved by installing the cert on the workstation. With a self-signed cert, installing it on the workstation is required for Outlook Anywhere.
I agree a public cert is better, but this individual has been using a self-signed cert and the problem is that it has expired.
0
 
DingusAuthor Commented:
Thank you for the help.
0
Question has a verified solution.