StartTLS Certificate has: "has an nonvalid digital signature"

Posted on 2010-08-16
Last Modified: 2013-11-30
Subject System
This problem regards a small private domain hosted by 2 WS'03r2x64StdEd DC's with SP2 and current updates.  One DC is hosting Exchange 2007 Standard Edition SP3.  The Hub Transport is Internet Facing thru a gateway-router/NAT/aDSL-modem to an ISP (AT&T) for Internet and personal-mailbox services as afforded by AT&T and the hosting platform is multi-homed; 2 NIC's.  The domain build aspects are sound.  Exchange receives ISP mail via a mapiLab POP3 Connector (MPC); it works fine.

I'm trying to send all Internet destined email to the said AT&T service as a Smarthost.  In pursuing this, I have configured a SMTP/SendConnector and created a Self-Signed Certificate to negotiate Start TLS as is initiated by our ISP (AT&T) when the ISP receives the SMTP mail we send.  Currently, the sent msgs never reach their destination and i suspect that they hang in the submit queue (i could test this).  I was hoping that a Self-Signed Certificate would suffice for these SSL/TLS negotiations.  In contrast, i've considered buying a 3rd party Certificate for this purpose or trying one of those as are enumerated within the Local-Store; i.e. CA>3rd Party Root Certification Authorities>Certificates.  -I'm trying to refrain from buying a certificate that i don't absolutely need.

Current Resolve
One problem is that the Self-Signed Certificate i created, imported, and enabled (for SMTP) is invalid; i.e. "This certificate has an nonvalid digital signature." (I'm currently working on this.)  In summary, i'm wondering which of the following efforts would work for my objective:

repairing or rebuilding my invalid self-signed Certificate,
using one of my CA>3rd Party Root Certification Authorities>Certificates certificates,
procuring a Certificate specifically for this AT&T service.

Here's the command line i used to create the Certificate Request that has the invalid signature; note the Parameter Set:

New-ExchangeCertificate -DomainName,, PrivDomName.local -FriendlyName "AT&T Start TLS" -GenerateRequest:$True -Keysize 1024 -PrivateKeyExportable:$true -SubjectName "DC=sbcGlobal, DC=net, O=ATTacccountOwnerName, C=US,,, CN=host.PrivDomName.local, CN=PrivDomName.local" -path "E:\Certificates\Requests\AT&T StartTLS.req.txt"

Here's the most significant part of the corresponding 12014 Application Event Description:

Microsoft Exchange could not find a certificate that contains the domain name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet via AT&T with a FQDN parameter of

So, how/where do i need to specify in my parameter set; e.g. CN=<>?  But where?

Any help on this would be greatly appreciated!!!

Any help/advise on any of this would be much appreciated.

Question by:GlennXS

Expert Comment

ID: 33451908
ok for starters a complex question like this and you are only offering 250 points, seems a bit tight...

But I will answer as it breaks down to be pretty easy. Firstly you can't use smtps using ssl/tls unless your certificate is trusted by the receiving mail server in this case AT&T. Secondly why are you using smtps to go to at&t why not just use smtp and get rid of ssl/tls as AT&T are more than likely going to forward it on to the final receiving mail server using standard un-encrypted smtp. Are you even sure at&t supports ssl/tls on their smtp server?

Some simple tests; open up a command prompt on your hub transport server and type the below
telnet 465
; if that connects then their mailserver is listening on smtps and you will need a certificate from an online Certifying Authority like verisign, thawte, entrust, godaddy, etc.
if it doesn't work try the below
telnet 25
; if that works, good just use plain old smtp in your smart host.

Author Comment

ID: 33452131
I'm new to EE and their point system. Don't really have feel for what the impact of "points" is on my end; i'll get into it though.

It's a simple virtue that drove me in this pursuit: For the last 4 or 5 years, i've been using Outlook Express to access my personal mail from AT&T while configured for port 465,, & SSL enabled.  I never bought any certificates for this and it just works; it's working now!   Respectively, I just thought i could use my native Windows Domain resources; e.g. Exchange, my Root CA, for any needed accommodations once i acquired the knowledge to do such.  At least, spawn a SSL Cert from one of those within CA>3rd Party Root Certification Authorities>Certificates of the Local Store.

When i posted this issue, i also thought i could use New-ExchangeCertificate to build the SSL Cert; without any 3rd party purchase. The Ms documentation is ambiguous about this distinction; i.e. can or can't (to me).
I'm now mostly convinced that New-ExchangeCertificate is only for generating the requests that i would solicit to those 3rd party SSL Cert folks.  Digesting what u wrote reaffirms this to me.  I did the TelNet test for SSL(465) and know that TLS is initiated. I didn't try to do a port 25 test; good idea, -I'll give it a whirl.

Could u clarify the purpose of those certs within CA>3rd Party Root Certification Authorities>Certificates repository (of the Local Store)?  i.e. Would any of these suffice for my SSL/TLS needs or is my only solution from the 3rd Party Public vendor?
Much thanks for gracious advice!

Author Comment

ID: 33452205
I reached in pocket and found some more points ...

Could u advise on the 12014 issue; as noted in my post.  Specifically, dialog from the Help & Support link; as is within the Description of this 12014 Event, clearly states that the FQDN as specified within subject Connector must appear as a member of CertificateDomains; when u view the output of Get-ExchangeCertificate |FL.  (-I'm experiencing this issue.)   That Ms dialog also goes on to say (in so many words) that this can be corrected by using New-ExchangeCertificate and specifying the correct parameter set.  I must have tried 20 variations and have not been able to get to appear as a CertificateDomains member.  What am i doing wrong?

Accepted Solution

changlinn earned 300 total points
ID: 33452458
ok so the average simple question on here goes for 500 points, just an FYI, you may not get as many knowledgeable people with 300.

I will try though I have never setup smtps in exchange 2007, I did once a long time ago at a previous job on 2003.
From what you have said, it looks like AT&T do support smtps on, which is fair enough. Not a huge boon for you but I'll continue. SMTPS is only really secure if it relays all the way to the users mail server with SMTP-TLS (I tend to just say smtps), which is highly unlikely at this stage. Most corporates still use SMTP by default.

From the scenario you described with outlook on your machine, it is slightly different, outlook works in that regard like your web-browser does when it views an SSL site, it has access to the root certificates and can see that the certificate from is signed by one of them. Outlook doesn't actually present a certificate to auth itself at this stage; it just, like ssl (another TLS), verifies the server it is connecting to is valid.

There is a good guide to do smtp-tls here with 2003 and 2007 though;
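As an added example for the telnet test in the first expert comment and the 12014 CertificateDomains requirement raised later (this is editor-added Python, not code from the thread or from Exchange): it checks whether a smarthost advertises STARTTLS on port 25 and whether the CN/SAN names of a certificate cover a given FQDN. The host names and SAMPLE_CERT are constructed placeholders.

```python
# Added diagnostic (not from the thread): does a smarthost offer STARTTLS, and
# do a certificate's names cover a connector FQDN? Names below are constructed.
import smtplib
import ssl

def cert_domains(cert):
    """Subject CN plus DNS SANs of a cert in ssl getpeercert() dict shape."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() not in names:
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() not in names:
            names.append(value.lower())
    return names

def fqdn_matches(fqdn, domains):
    """True if fqdn is covered; *.example.net covers exactly one extra label."""
    fqdn = fqdn.lower().rstrip(".")
    for name in domains:
        if name.startswith("*."):
            suffix = name[1:]  # ".example.net"
            head = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif name == fqdn:
            return True
    return False

def probe_starttls(host, port=25, timeout=10):
    """Plain-SMTP connect, check EHLO for STARTTLS, upgrade, return
    (offered, peer_cert). The default context verifies the chain, so an
    untrusted or self-signed smarthost cert raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, None      # only plain SMTP on this port
        smtp.starttls(context=ctx)
        smtp.ehlo()                 # capabilities can change after TLS
        return True, smtp.sock.getpeercert()

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "smtp.example.net"),)),
    "subjectAltName": (("DNS", "smtp.example.net"), ("DNS", "*.mail.example.net")),
}
```

The same name check applies to the local Exchange certificate: feed the CertificateDomains shown by Get-ExchangeCertificate |FL to fqdn_matches with the connector's FQDN.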

Author Closing Comment

ID: 33641815
It was a workaround to my objective
