Solved

Exchange SSL certificate is expired and also errors in event viewer

Posted on 2011-09-19
25
472 Views
Last Modified: 2012-05-12
I am not at all familiar with certificates or the management shell. When I go into IIS and view the server certificates there are three. One for our company OWA (I think), mail.flow-rite.com, and two that appear to be the same for our Exchange server, as the names are "Microsoft Exchange" and they are issued to and by our Exchange server EXCH01. When I view them they were both only valid until July 2010. I am also getting the error below in Event Viewer. According to our spam filter Vipre tech support I need to correct this to solve some issues we are having with spam. I run the command in the management shell defined in the error below and I get this:

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Thumbprint:

I have no idea what to do or if this is even the right path to correcting the issue.

Here is the Event Viewer error:

Microsoft Exchange couldn't find a certificate that contains the domain name EXCH01.Flow-Rite.lcl in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Flow-Rite.com Outbound with a FQDN parameter of EXCH01.Flow-Rite.lcl. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
0
Comment
Question by:Johne75
25 Comments
 
LVL 25

Expert Comment

by:-MAS
ID: 36560030
Is it a third party certificate or self issued?


Run this command and check which certificates you have installed and what services are configured for them.
Get-Exchangecertificate



0
 
LVL 3

Expert Comment

by:dahesi
ID: 36560078
This should help you out:
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html

If you use Exchange 2007 without SP2 (or 3.. don't know atm).. you don't have to renew it every year.. in the latest SP version it's valuable for 5 or 10 years. Correct me if I'm wrong.
0
 

Author Comment

by:Johne75
ID: 36560112
abbasifft,
The two in question are self-issued; I believe the mail.flow-rite one is GoDaddy. I see the thumbprint numbers when I run the command. I assume this is what I need to enter when I run the command defined in the log error and it prompts me for a thumbprint?
0

 
LVL 25

Expert Comment

by:-MAS
ID: 36560191
Did you try this command?

Enable-ExchangeCertificate -Thumbprint <thumbprint of certificate> -Services SMTP
0
 

Author Comment

by:Johne75
ID: 36560210
When I do that I get this

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services:



0
 
LVL 3

Expert Comment

by:dahesi
ID: 36560293
Enable-ExchangeCertificate -<your thumprint> -Services "IMAP, POP, UM, IIS, SMTP"
0
 
LVL 3

Expert Comment

by:dahesi
ID: 36560304
Oops... here we go again:
Enable-ExchangeCertificate -Thumbprint <your thumbprint> -Services "IMAP, POP, UM, IIS, SMTP"
0
 

Author Comment

by:Johne75
ID: 36560324
abbasift,
I forgot to put the -Services SMTP at the end. When I do that it asks if I want to overwrite the third-party certificate that isn't expired with the one that is expired already??

dahesi,
I have read through your comments as well...

I think we are close, but every time it asks me to overwrite the GoDaddy certificate with a certificate that expired in 2010.
0
 

Author Comment

by:Johne75
ID: 36560343
Confirm
Overwrite existing default SMTP certificate, 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx"' (expires 7/29/2012
9:42:19 AM), with certificate 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' (expires 7/1/2010 12:55:36 PM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
0
 
LVL 3

Assisted Solution

by:dahesi
dahesi earned 166 total points
ID: 36560373
Don't overwrite it!

You should go this way:

1) Look which certs are installed | done: 3 installed (2 self-signed / 1 3rd-party cert)
2) Update or create an additional self-signed cert for your Exchange services
3) Activate (enable) it
That's it.

Maybe you have to complete step 2 before you go to step 3 :)
That's why I posted the link above.

If the new and valuable cert is running well, you can go and delete your old cert/s.
0
 

Author Comment

by:Johne75
ID: 36561044
When I create a new cert it still asks to overwrite the GoDaddy cert. I click no and it creates one anyway. I enable it, then the calls start to flood in with people getting this. What bothers me here is the error is saying it's for the mail.flow-rite.com cert. It wasn't supposed to overwrite this.

[screenshot: certificate]

Below is a screenshot of IIS Manager. Top is the GoDaddy, next is the newly created EXCH01, and the last two are the expired EXCH01. I have a feeling something happened that shouldn't have. Please advise.

[screenshot: IIS]
0
 

Author Comment

by:Johne75
ID: 36561073
Here is the text from when I created the new cert and typed n for no and it still created it.


Confirm
Overwrite existing default SMTP certificate, 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"' (expires 7/29/2012
9:42:19 AM), with certificate 'F2C2215D8B25C1D1A514E93023F2ECC04E089FC8' (expires 9/19/2012 11:01:40 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): n

Thumbprint                                Services   Subject
----------                                --------   -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  .....      CN=EXCH01
0
 

Author Comment

by:Johne75
ID: 36561099
Now of course I get the "There is a problem with this website's security certificate" error when trying to browse to this site.
0
 
LVL 25

Accepted Solution

by:
-MAS earned 334 total points
ID: 36561162
I think you removed the active cert, which has the IIS service configured.

Please try to put it back, then try to reissue a self-signed certificate from EMC and enable only SMTP on that one, and enable everything else on the GoDaddy one.
0
 

Author Comment

by:Johne75
ID: 36561176
OK help me out how do I do that? This is all new to me. And thanks in advance for your patience!
0
 
LVL 25

Expert Comment

by:-MAS
ID: 36561181
You can do all of this from EMC; no need for EMS, which will make you more confused.
0
 
LVL 25

Expert Comment

by:-MAS
ID: 36561214
How did you create the cert, from EMC or EMS?
0
 

Author Comment

by:Johne75
ID: 36561226
I didn't create any of the certs initially, just the one we discussed today. I created the new cert in the Exchange shell per instruction on this thread. But that is very confusing. Can I do this in the GUI of the IIS Management Console?
0
 

Author Comment

by:Johne75
ID: 36562308
I used the Get-ExchangeCertificate command and the GoDaddy cert still existed. I ran the enable command on it and all appears to be working fine now.
0
 
LVL 25

Expert Comment

by:-MAS
ID: 36562352
I am sorry for the delay as I got an urgent call

Did you enable SMTP on Godaddy certificate?

If SMTP is also enabled and working fine, it is done. No need to think further
0
 

Author Comment

by:Johne75
ID: 36562387
I just used

Enable-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxx" -Services IIS

Does this enable smtp?
0
 
LVL 25

Expert Comment

by:-MAS
ID: 36562850
yes
0
 
LVL 25

Expert Comment

by:-MAS
ID: 36564710
Send me a screenshot of output of this command
get-exchangecertificate
0
 

Author Comment

by:Johne75
ID: 36566416
Sorry for the delay, here you go

[PS] C:\Windows\system32>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  ...WS      CN=mail.flow-rite.com, OU=Domain Control Validated, O...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
0
 
LVL 25

Assisted Solution

by:-MAS
-MAS earned 334 total points
ID: 36566787
Enable POP and IMAP on your third-party cert from EMC.
It will look like this.

Thumbprint                                Services   Subject
----------                                --------   -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP.WS      CN=mail.flow-rite.com, OU=Domain Control Validated, O...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01


Or, if the current setting does not cause an issue, you can continue.
0
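
Added example (not part of the thread and not any poster's code): a check to run before `Enable-ExchangeCertificate`, reporting which certificates are unexpired and list the connector FQDN named in the event log message. The function name `Test-SmtpCertCandidate`, the sample objects and their domain lists are constructed for illustration, and the thumbprints are placeholders.

```powershell
# Hypothetical helper: rates certificates as candidates for the SMTP service.
# Input objects need the properties Get-ExchangeCertificate returns:
# Thumbprint, Subject, NotAfter, Services, CertificateDomains.
function Test-SmtpCertCandidate {
    param(
        [Parameter(Mandatory = $true)] $Certificate,
        [Parameter(Mandatory = $true)] [string] $ConnectorFqdn,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($c in $Certificate) {
        # Domain entries are stringified so real and sample objects behave alike.
        $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
        $expired = $c.NotAfter -lt $AsOf
        # -contains is case-insensitive; wildcard names are not expanded here.
        $covers  = $domains -contains $ConnectorFqdn
        New-Object PSObject -Property @{
            Thumbprint  = $c.Thumbprint
            Subject     = $c.Subject
            NotAfter    = $c.NotAfter
            Expired     = $expired
            CoversFqdn  = $covers
            SmtpEnabled = ("$($c.Services)" -match 'SMTP')
            Usable      = (-not $expired) -and $covers
        } | Select-Object Thumbprint, Subject, NotAfter, Expired, CoversFqdn, SmtpEnabled, Usable
    }
}

# Constructed sample data modelled on the thread (domain lists are assumed).
$sample = @(
    New-Object PSObject -Property @{ Thumbprint = '<expired-self-signed>'; Subject = 'CN=EXCH01'
        NotAfter = [datetime]'2010-07-01'; Services = 'IMAP, POP, SMTP'
        CertificateDomains = @('EXCH01', 'EXCH01.Flow-Rite.lcl') }
    New-Object PSObject -Property @{ Thumbprint = '<third-party>'; Subject = 'CN=mail.flow-rite.com'
        NotAfter = [datetime]'2012-07-29'; Services = 'IIS, SMTP'
        CertificateDomains = @('mail.flow-rite.com') }
    New-Object PSObject -Property @{ Thumbprint = '<new-self-signed>'; Subject = 'CN=EXCH01'
        NotAfter = [datetime]'2012-09-19'; Services = 'None'
        CertificateDomains = @('EXCH01', 'EXCH01.Flow-Rite.lcl') }
)

Test-SmtpCertCandidate -Certificate $sample -ConnectorFqdn 'EXCH01.Flow-Rite.lcl' `
    -AsOf ([datetime]'2011-09-19') | Format-Table -AutoSize

# On the Exchange server, pass live objects instead of the sample:
#   Test-SmtpCertCandidate -Certificate (Get-ExchangeCertificate) -ConnectorFqdn 'EXCH01.Flow-Rite.lcl'
# and enable SMTP only on a row where Usable is True:
#   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
```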

Question has a verified solution.
