StartTLS Certificate has: "has an nonvalid digital signature"

Posted on 2010-08-16
Last Modified: 2013-11-30
Subject System
This problem regards a small private domain hosted by 2 WS'03r2x64StdEd DCs with SP2 and current updates.  One DC is hosting Exchange 2007 Standard Edition SP3.  The Hub Transport is Internet facing through a gateway-router/NAT/aDSL-modem to an ISP (AT&T) for Internet and personal-mailbox services as afforded by AT&T, and the hosting platform is multi-homed; 2 NICs.  The domain build aspects are sound.  Exchange receives ISP mail via a mapiLab POP3 Connector (MPC); it works fine.

I'm trying to send all Internet destined email to the said AT&T service as a Smarthost.  In pursuing this, I have configured a SMTP/SendConnector and created a Self-Signed Certificate to negotiate Start TLS as is initiated by our ISP (AT&T) when the ISP receives the SMTP mail we send.  Currently, the sent msgs never reach their destination and I suspect that they hang in the submit queue (I could test this).  I was hoping that a Self-Signed Certificate would suffice for these SSL/TLS negotiations.  In contrast, I've considered buying a 3rd party Certificate for this purpose or trying one of those as are enumerated within the Local-Store; i.e. CA>3rd Party Root Certification Authorities>Certificates.  -I'm trying to refrain from buying a certificate that I don't absolutely need.

Current Resolve
One problem is that the Self-Signed Certificate I created, imported, and enabled (for SMTP) is invalid; i.e. "This certificate has an nonvalid digital signature." (I'm currently working on this.)  In summary, I'm wondering which of the following efforts would work for my objective:

repairing or rebuilding my invalid self-signed Certificate,
using one of my CA>3rd Party Root Certification Authorities>Certificates certificates,
procuring a Certificate specifically for this AT&T service.

Here's the command line I used to create the Certificate Request that has the invalid signature; note the Parameter Set:

New-ExchangeCertificate -DomainName,, PrivDomName.local -FriendlyName "AT&T Start TLS" -GenerateRequest:$True -Keysize 1024 -PrivateKeyExportable:$true -SubjectName "DC=sbcGlobal, DC=net, O=ATTacccountOwnerName, C=US,,, CN=host.PrivDomName.local, CN=PrivDomName.local" -path "E:\Certificates\Requests\AT&T StartTLS.req.txt"

Here's the most significant part of the corresponding 12014 Application Event Description:

Microsoft Exchange could not find a certificate that contains the domain name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet via AT&T with a FQDN parameter of

So, how/where do I need to specify in my parameter set; e.g. CN=<>?  But where?

Any help on this would be greatly appreciated!!!

Any help/advise on any of this would be much appreciated.

Question by:GlennXS

Expert Comment

OK, for starters, a complex question like this and you are only offering 250 points seems a bit tight...

But I will answer as it breaks down to be pretty easy. Firstly, you can't use smtps using ssl/tls unless your certificate is trusted by the receiving mail server, in this case AT&T. Secondly, why are you using smtps to go to AT&T? Why not just use smtp and get rid of ssl/tls, as AT&T are more than likely going to forward it on to the final receiving mail server using standard un-encrypted smtp. Are you even sure AT&T supports ssl/tls on their smtp server?

Some simple tests; open up a command prompt on your hub transport server and type the below
telnet 465
; if that connects then their mailserver is listening on smtps and you will need a certificate from an online Certifying Authority like verisign, thawte, entrust, godaddy, etc.
if it doesn't work try the below
telnet 25
; if that works, good just use plain old smtp in your smart host.
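A scripted version of the two telnet checks above, added here as an example and not part of the thread: it connects to the smart host, negotiates TLS (implicit TLS on 465, STARTTLS on any other port) and reports whether the certificate the smart host presents chains to a root in the local trust store. The host name smtp.example.invalid is a placeholder; only .NET 2.0-era APIs available to PowerShell 2.0 are used.

```powershell
# Added example: probe a smart host for TLS and report certificate trust.
# Server name is a placeholder; replace with your smart host.
function Test-SmartHostTls {
    param([string]$Server = 'smtp.example.invalid', [int]$Port = 25)

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $raw    = $client.GetStream()

    if ($Port -ne 465) {
        # Plain SMTP first: read the banner, send EHLO, look for the STARTTLS extension.
        $reader = New-Object System.IO.StreamReader($raw)
        $writer = New-Object System.IO.StreamWriter($raw)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        # Multi-line replies use "250-"; the final line uses "250 ".
        $readReply = { $lines = @(); do { $l = $reader.ReadLine(); $lines += $l } while ($l -match '^\d{3}-'); $lines }
        $null = & $readReply                                   # 220 banner
        $writer.WriteLine('EHLO probe.example.invalid')
        $ehlo = & $readReply
        if (-not ($ehlo -match '^250[- ]STARTTLS')) {
            $writer.WriteLine('QUIT'); $client.Close()
            return New-Object PSObject -Property @{ Server = $Server; Port = $Port; Tls = $false
                Trusted = $null; Subject = $null; Issuer = $null; Protocol = $null; ChainStatus = 'no STARTTLS advertised' }
        }
        $writer.WriteLine('STARTTLS')
        $go = & $readReply
        if ($go[-1] -notmatch '^220') { $client.Close(); throw "STARTTLS refused: $($go[-1])" }
    }

    # Accept any certificate during the handshake so it can be inspected; trust is then
    # evaluated separately with X509Chain, the same check a relying mail server performs.
    $ssl = New-Object System.Net.Security.SslStream($raw, $false, { param($s, $c, $ch, $e) $true })
    $ssl.AuthenticateAsClient($Server)
    $proto = $ssl.SslProtocol
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $ssl.Close(); $client.Close()

    New-Object PSObject -Property @{
        Server = $Server; Port = $Port; Tls = $true; Trusted = $trusted
        Subject = $cert.Subject; Issuer = $cert.Issuer; Protocol = $proto
        ChainStatus = $(if ($trusted) { 'OK' } else { $status })
    }
}

# Usage (placeholder host): try 465 first, then 25, as the comment above suggests.
Test-SmartHostTls -Server 'smtp.example.invalid' -Port 465
Test-SmartHostTls -Server 'smtp.example.invalid' -Port 25
```

A self-signed certificate on either side shows up here as Trusted = False with ChainStatus UntrustedRoot, which is the condition the comment above refers to.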

Author Comment

I'm new to EE and their point system. Don't really have a feel for what the impact of "points" is on my end; I'll get into it though.

It's a simple virtue that drove me in this pursuit: For the past 4 or 5 years, I've been using Outlook Express to access my personal mail from AT&T while configured for port 465,, & SSL enabled.  I never bought any certificates for this and it just works; it's working now!   Respectively, I just thought I could use my native Windows Domain resources; e.g. Exchange, my Root CA, for any needed accommodations once I acquired the knowledge to do such.  At least, spawn a SSL Cert from one of those within CA>3rd Party Root Certification Authorities>Certificates of the Local Store.

When I posted this issue, I also thought I could use New-ExchangeCertificate to build the SSL Cert, without any 3rd party purchase. The Ms documentation is ambiguous about this distinction; i.e. can or can't (to me).
I'm now mostly convinced that New-ExchangeCertificate is only for generating the requests that I would solicit to those 3rd party SSL Cert folks.  Digesting what you wrote reaffirms this to me.  I did the telnet test for SSL(465) and know that TLS is initiated. I didn't try to do a port 25 test; good idea, -I'll give it a whirl.

Could you clarify the purpose of those certs within the CA>3rd Party Root Certification Authorities>Certificates repository (of the Local Store)?  i.e. Would any of these suffice for my SSL/TLS needs, or is my only solution from the 3rd Party Public vendor?
Much thanks for the gracious advice!

Author Comment

I reached in pocket and found some more points ...

Could you advise on the 12014 issue, as noted in my post.  Specifically, the dialog from the Help & Support link, as is within the Description of this 12014 Event, clearly states that the FQDN as specified within the subject Connector must appear as a member of CertificateDomains when you view the output of Get-ExchangeCertificate |FL.  (-I'm experiencing this issue.)   That Ms dialog also goes on to say (in so many words) that this can be corrected by using New-ExchangeCertificate and specifying the correct parameter set.  I must have tried 20 variations and have not been able to get to appear as a CertificateDomains member.  What am I doing wrong?
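One way to meet the requirement the 12014 event text quotes in the question and in this comment (the Send Connector's FQDN must be a member of CertificateDomains on an SMTP-enabled certificate), added here as an example and not taken from the thread: run it in the Exchange Management Shell. The connector name comes from the event text; host.PrivDomName.local is assumed to be the connector's FQDN, since the real value is not shown in the post. Without -GenerateRequest the cmdlet issues a self-signed certificate directly instead of writing a CSR.

```powershell
# Added example: put the Send Connector FQDN into an SMTP-enabled certificate's
# CertificateDomains and verify it, so event 12014 no longer fires.
# Placeholders: connector name from the event text, FQDN assumed.
$ConnectorName = 'Internet via AT&T'
$ConnectorFqdn = 'host.PrivDomName.local'   # assumed; must equal the connector's -Fqdn

# 1. Make the connector advertise exactly this FQDN in its EHLO.
Set-SendConnector -Identity $ConnectorName -Fqdn $ConnectorFqdn

# 2. Create a self-signed certificate whose domain list contains that FQDN.
#    (No -GenerateRequest, so a certificate is created rather than a CSR.)
$cert = New-ExchangeCertificate -DomainName $ConnectorFqdn `
    -SubjectName "CN=$ConnectorFqdn" -FriendlyName 'AT&T StartTLS' `
    -PrivateKeyExportable:$true

# 3. Enable it for SMTP; Exchange will only offer STARTTLS with an SMTP-enabled cert.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 4. Confirm the FQDN is now a CertificateDomains member on that certificate.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter

# 5. Cross-check every Send Connector FQDN against all SMTP-enabled certificate domains.
$smtpDomains = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }
Get-SendConnector | ForEach-Object {
    $fqdn    = "$($_.Fqdn)".ToLower()
    $covered = $smtpDomains -contains $fqdn
    '{0}: Fqdn={1} coveredBySmtpCert={2}' -f $_.Name, $fqdn, $covered
}
```

Step 5 prints coveredBySmtpCert=True for each connector whose FQDN is covered; any connector still showing False is the one 12014 will keep reporting.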

Accepted Solution

changlinn earned 300 total points
OK, so the average simple question on here goes for 500 points, just an FYI; you may not get as many knowledgeable people with 300.

I will try, though I have never set up smtps in Exchange 2007; I did once a long time ago at a previous job on 2003.
From what you have said, it looks like AT&T do support smtps on, which is fair enough. Not a huge boon for you but I'll continue. SMTPS is only really secure if it relays all the way to the users mail server with SMTP-TLS (I tend to just say smtps), which is highly unlikely at this stage. Most corporates still use SMTP by default.

From the scenario you described with Outlook on your machine, it is slightly different. Outlook works in that regard like your web browser does when it views an SSL site: it has access to the root certificates and can see that the certificate from is signed by one of them. Outlook doesn't actually present a certificate to auth itself at this stage; it just, like SSL (another TLS), verifies the server it is connecting to is valid.

There is a good guide to do smtp-tls here with 2003 and 2007 though;

Author Closing Comment

It was a workaround to my objective
