StartTLS Certificate has: "has an nonvalid digital signature"

Subject System
This problem regards a small private domain hosted by 2 WS'03r2x64StdEd DCs with SP2 and current updates.  One DC is hosting Exchange 2007 Standard Edition SP3.  The Hub Transport is Internet-facing through a gateway-router/NAT/aDSL-modem to an ISP (AT&T) for Internet and personal-mailbox services as afforded by AT&T, and the hosting platform is multi-homed; 2 NICs.  The domain build aspects are sound.  Exchange receives ISP mail via a MAPILab POP3 Connector (MPC); it works fine.

I'm trying to send all Internet-destined email to the said AT&T service as a smarthost.  In pursuing this, I have configured an SMTP Send Connector and created a self-signed certificate to negotiate STARTTLS as is initiated by our ISP (AT&T) when the ISP receives the SMTP mail we send.  Currently, the sent messages never reach their destination and I suspect that they hang in the submit queue (I could test this).  I was hoping that a self-signed certificate would suffice for these SSL/TLS negotiations.  In contrast, I've considered buying a 3rd-party certificate for this purpose or trying one of those enumerated within the local store; i.e. CA>3rd Party Root Certification Authorities>Certificates.  I'm trying to refrain from buying a certificate that I don't absolutely need.

Current Resolve
One problem is that the self-signed certificate I created, imported, and enabled (for SMTP) is invalid; i.e. "This certificate has an nonvalid digital signature." (I'm currently working on this.)  In summary, I'm wondering which of the following efforts would work for my objective:

repairing or rebuilding my invalid self-signed certificate,
using one of my CA>3rd Party Root Certification Authorities>Certificates certificates,
procuring a certificate specifically for this AT&T service.

Here's the command line I used to create the certificate request that has the invalid signature; note the parameter set:

New-ExchangeCertificate -DomainName,, PrivDomName.local -FriendlyName “AT&T Start TLS” -GenerateRequest:$True -Keysize 1024 -PrivateKeyExportable:$true -SubjectName "DC=sbcGlobal, DC=net, O=ATTacccountOwnerName, C=US,,, CN=host.PrivDomName.local, CN=PrivDomName.local" -path "E:\Certificates\Requests\AT&T StartTLS.req.txt"

Here's the most significant part of the corresponding 12014 Application Event Description:

Microsoft Exchange could not find a certificate that contains the domain name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet via AT&T with a FQDN parameter of

So, how/where do I need to specify it in my parameter set; e.g. CN=<>?  But where?

Any help on this would be greatly appreciated!!!

Any help/advice on any of this would be much appreciated.


ok for starters a complex question like this and you are only offering 250 points, seems a bit tight...

But I will answer as it breaks down to be pretty easy. Firstly, you can't use smtps using ssl/tls unless your certificate is trusted by the receiving mail server, in this case AT&T. Secondly, why are you using smtps to go to AT&T? Why not just use smtp and get rid of ssl/tls, as AT&T are more than likely going to forward it on to the final receiving mail server using standard un-encrypted smtp. Are you even sure AT&T supports ssl/tls on their smtp server?

Some simple tests: open up a command prompt on your hub transport server and type the below
telnet 465
; if that connects then their mailserver is listening on smtps and you will need a certificate from an online Certifying Authority like verisign, thawte, entrust, godaddy, etc.
if it doesn't work try the below
telnet 25
; if that works, good just use plain old smtp in your smart host.
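As an added example (not part of the thread and not AT&T's or Microsoft's code), here is the same port check done from PowerShell on the Hub Transport server, extended to read the EHLO response on port 25 so you can see whether the smart host actually advertises STARTTLS before deciding on connector settings. The smart host name and the HELO name are assumed placeholders; the probe authenticates nothing and submits no message.

```powershell
# Added example, not code from the thread. Run on the Hub Transport server.
# $SmartHost and $HeloName are assumed placeholders; substitute your own values.
$SmartHost = 'smarthost.example.invalid'
$HeloName  = 'host.PrivDomName.local'

function Test-TcpPort {
    # Returns $true when a TCP connection to $Server:$Port succeeds within $TimeoutMs.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Read-SmtpReply {
    # Reads one SMTP reply: "250-..." lines continue it, "250 ..." ends it.
    param([System.IO.StreamReader]$Reader)
    $reply = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { break }
        $reply += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$reply
}

function Get-SmtpStartTlsSupport {
    # Opens port 25, sends EHLO, records the advertised extensions, then QUITs.
    param([string]$Server, [string]$HeloName, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $client.ReceiveTimeout = 10000
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = Read-SmtpReply $reader
        $writer.WriteLine("QUIT")
        Read-SmtpReply $reader | Out-Null

        New-Object PSObject -Property @{
            Server   = $Server
            Banner   = ($banner -join ' ')
            StartTls = [bool]($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS' })
            Auth     = (($ehlo | Where-Object { $_ -match '^250[- ]AUTH' }) -join ' ')
        }
    } finally {
        $client.Close()
    }
}

# Port 465 is implicit TLS ("smtps"), which an Exchange 2007 Send connector does not
# speak; Send connectors negotiate STARTTLS on port 25 (or the port set on the connector).
if (Test-TcpPort $SmartHost 465) { "Port 465 open on $SmartHost (implicit TLS; not usable by a Send connector)." }
else                             { "Port 465 closed or filtered on $SmartHost." }

if (Test-TcpPort $SmartHost 25) {
    Get-SmtpStartTlsSupport -Server $SmartHost -HeloName $HeloName | Format-List Server, Banner, StartTls, Auth
} else {
    "Port 25 closed or filtered on $SmartHost; check the gateway/NAT rules and any ISP outbound filtering."
}
```

If port 25 answers but StartTls comes back False, the smart host will only ever take plain SMTP from a Send connector, and the certificate question is moot for that path; if it comes back True, the connector will offer STARTTLS opportunistically once a certificate covering the connector FQDN is enabled for SMTP.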
GlennXSAuthor Commented:
I'm new to EE and their point system. Don't really have feel for what the impact of "points" is on my end; i'll get into it though.

It's a simple virtue that drove me in this pursuit: For the past 4 or 5 years, I've been using Outlook Express to access my personal mail from AT&T while configured for port 465,, & SSL enabled.  I never bought any certificates for this and it just works; it's working now!   Respectively, I just thought I could use my native Windows Domain resources; e.g. Exchange, my Root CA, for any needed accommodations once I acquired the knowledge to do such.  At least, spawn an SSL cert from one of those within CA>3rd Party Root Certification Authorities>Certificates of the local store.

When I posted this issue, I also thought I could use New-ExchangeCertificate to build the SSL cert without any 3rd-party purchase. The MS documentation is ambiguous about this distinction; i.e. can or can't (to me).
I'm now mostly convinced that New-ExchangeCertificate is only for generating the requests that I would solicit to those 3rd-party SSL cert folks.  Digesting what you wrote reaffirms this to me.  I did the telnet test for SSL (465) and know that TLS is initiated. I didn't try to do a port 25 test; good idea, I'll give it a whirl.

Could you clarify the purpose of those certs within the CA>3rd Party Root Certification Authorities>Certificates repository (of the local store)?  i.e. Would any of these suffice for my SSL/TLS needs, or is my only solution from a 3rd-party public vendor?
Much thanks for the gracious advice!
GlennXSAuthor Commented:
I reached in pocket and found some more points ...

Could you advise on the 12014 issue, as noted in my post?  Specifically, the dialog from the Help & Support link within the Description of this 12014 Event clearly states that the FQDN as specified within the subject Connector must appear as a member of CertificateDomains when you view the output of Get-ExchangeCertificate | FL.  (I'm experiencing this issue.)   That MS dialog also goes on to say (in so many words) that this can be corrected by using New-ExchangeCertificate and specifying the correct parameter set.  I must have tried 20 variations and have not been able to get it to appear as a CertificateDomains member.  What am I doing wrong?
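Because the 12014 text quoted above says the connector FQDN must be one of the CertificateDomains, the script below (an added example, not from the thread, AT&T or Microsoft) lists every Send and Receive connector FQDN on the server and reports those that no SMTP-enabled certificate covers; that list is exactly the condition behind Event ID 12014. An optional second step creates a self-signed certificate whose -DomainName list contains all of those names and enables it for SMTP; it is switched off by default so the script is read-only until you set $CreateSelfSigned. The friendly name and the choice of the first FQDN as subject CN are assumptions. Two facts about the cmdlet drive the design: CertificateDomains is built from the subject CN and the DNS subject alternative names that -DomainName supplies (O= and DC= components of the subject do not count), and New-ExchangeCertificate produces a certificate only when -GenerateRequest is omitted; with -GenerateRequest it writes a request file for a CA to sign, so the same -DomainName list matters whichever route is chosen.

```powershell
# Added example for the Exchange 2007 Management Shell; not code from the thread.
# Lists connector FQDNs, checks them against CertificateDomains of SMTP-enabled
# certificates, and optionally creates and enables a self-signed certificate.
$CreateSelfSigned = $false                        # set to $true to perform step 4
$FriendlyName     = 'SMTP STARTTLS (self-signed)' # assumption: any label you like

function Test-DomainCovered {
    # $true if $Fqdn matches one of $Domains exactly or via a single-label wildcard (*.example.local).
    param([string]$Fqdn, [string[]]$Domains)
    $f = $Fqdn.ToLower()
    foreach ($d in $Domains) {
        $d = $d.ToLower()
        if ($d -eq $f) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                     # ".example.local"
            $head   = $f.Substring(0, [Math]::Max(0, $f.Length - $suffix.Length))
            if ($f.EndsWith($suffix) -and $head -ne '' -and $head -notmatch '\.') { return $true }
        }
    }
    return $false
}

# 1. FQDNs the transport service presents on each connector.
$fqdns = @()
foreach ($c in @(Get-SendConnector) + @(Get-ReceiveConnector)) {
    if ($c.Fqdn) { $fqdns += $c.Fqdn.ToString() }
}
$fqdns = @($fqdns | Sort-Object -Unique)

# 2. Domains carried by certificates already enabled for the SMTP service.
$covered = @()
foreach ($cert in @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' })) {
    foreach ($d in $cert.CertificateDomains) { $covered += $d.ToString() }
}

# 3. Report: every FQDN listed here will trigger Event ID 12014 for its connector.
$missing = @($fqdns | Where-Object { -not (Test-DomainCovered $_ $covered) })
if ($missing.Count -eq 0) {
    'Every connector FQDN is covered by an SMTP-enabled certificate.'
} else {
    'Connector FQDNs with no matching CertificateDomains entry:'
    $missing | ForEach-Object { "  $_" }
}

# 4. Optional fix: one self-signed certificate that names every connector FQDN.
#    -DomainName populates the subject alternative names, from which
#    CertificateDomains is derived; the first name doubles as the subject CN.
#    No -GenerateRequest here, so a certificate (not a request file) is produced.
if ($CreateSelfSigned -and $missing.Count -gt 0) {
    $cert = New-ExchangeCertificate -DomainName $fqdns `
                                    -SubjectName ("CN=" + $fqdns[0]) `
                                    -FriendlyName $FriendlyName `
                                    -PrivateKeyExportable:$true
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List FriendlyName, Subject, CertificateDomains, Services, Thumbprint
}
```

Run it once with $CreateSelfSigned left at $false to see which names are missing; if the Send connector's FQDN shows up there, that is the name the -DomainName list (or the request sent to a CA) has to contain, and a subject built from DC= and O= components alone will never satisfy the check.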
ok so the average simple question on here goes for 500 points, just an FYI; you may not get as many knowledgeable people with 300.

I will try, though I have never set up smtps in Exchange 2007; I did once a long time ago at a previous job on 2003.
From what you have said, it looks like AT&T do support smtps on, which is fair enough. Not a huge boon for you, but I'll continue. SMTPS is only really secure if it relays all the way to the user's mail server with SMTP-TLS (I tend to just say smtps), which is highly unlikely at this stage. Most corporates still use SMTP by default.

From the scenario you described with Outlook on your machine, it is slightly different: Outlook works in that regard like your web browser does when it views an SSL site; it has access to the root certificates and can see that the certificate from is signed by one of them. Outlook doesn't actually present a certificate to auth itself at this stage; it just, like ssl (another TLS), verifies the server it is connecting to is valid.

There is a good guide to doing smtp-tls here with 2003 and 2007 though;

GlennXSAuthor Commented:
It was a workaround to my objective