Exchange SSL certificate is expired and also errors in event viewer

I am not at all familiar with certificates or the management shell. When I go into IIS and view the server certificates there are three: one for our company OWA (I think), mail.flow-rite.com, and two that appear to be the same for our Exchange server, as the names are "Microsoft Exchange" and they are issued to and by our Exchange server EXCH01. When I view them they were both only valid until July 2010. I am also getting the error below in Event Viewer. According to our spam filter Vipre tech support I need to correct this to solve some issues we are having with spam. I run the command in the management shell defined in the error below and I get this:

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Thumbprint:

I have no idea what to do or if this is even the right path to correcting the issue.

Here is the Event Viewer error:

Microsoft Exchange couldn't find a certificate that contains the domain name EXCH01.Flow-Rite.lcl in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Flow-Rite.com Outbound with a FQDN parameter of EXCH01.Flow-Rite.lcl. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Asked by: Johne75

MAS (MVE), Technical Department Head, Commented:
I think you removed the active cert, which has the IIS service configured.

Please try to put it back, then try to reissue a self-signed certificate from EMC and enable only SMTP on it; enable everything else on the GoDaddy certificate.

MAS (MVE), Technical Department Head, Commented:
Is it a third party certificate or self issued?


Run this command and check which certificates you have installed and what services are configured for them.
Get-Exchangecertificate




dahesi Commented:
This should help you out:
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html

If you use Exchange 2007 without SP2 (or 3... don't know atm), you don't have to renew it every year. In the latest SP version it's valid for 5 or 10 years. Correct me if I'm wrong.
 
Johne75 (Author) Commented:
abbasifft,
The two in question are self-issued; I believe the mail.flow-rite one is GoDaddy. I see the thumbprint numbers when I run the command. I assume this is what I need to enter when I run the command defined in the log error and it prompts me for a thumbprint?

MAS (MVE), Technical Department Head, Commented:
Did you try this command?

Enable-ExchangeCertificate -Thumbprint <thumbprint of certificate> -Services SMTP

Johne75 (Author) Commented:
When I do that I get this

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services:




dahesi Commented:
Enable-ExchangeCertificate -<your thumprint> -Services "IMAP, POP, UM, IIS, SMTP"

dahesi Commented:
Oops... here we go again:
Enable-ExchangeCertificate -Thumbprint <your thumbprint> -Services "IMAP, POP, UM, IIS, SMTP"

Johne75 (Author) Commented:
abbasift,
I forgot to put the -Services SMTP at the end. When I do that it asks if I want to overwrite the third-party certificate that isn't expired with the one that is expired already??

dahesi,
I have read through your comments as well...

I think we are close, but every time it asks me to overwrite the GoDaddy certificate with a certificate that expired in 2010.

Johne75 (Author) Commented:
Confirm
Overwrite existing default SMTP certificate, 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx"' (expires 7/29/2012
9:42:19 AM), with certificate 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' (expires 7/1/2010 12:55:36 PM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):

dahesi Commented:
Don't overwrite it!

You should go this way:

1) Look at which certs are installed | done: 3 installed (2 self-signed / 1 3rd-party cert)
2) Update or create an additional self-signed cert for your Exchange services
3) Activate (enable) it
That's it.

Maybe you have to complete step 2 before you go to step 3 :)
That's why I posted the link above.

If the new and valid cert is running well, you can go and delete your old cert/s.

Johne75 (Author) Commented:
When I create a new cert it still asks to overwrite the GoDaddy cert. I click no and it creates one anyway. I enable it, then the calls start to flood in with people getting this. What bothers me here is the error is saying it's for the mail.flow-rite.com cert. It wasn't supposed to overwrite this.

[Screenshot: certificate]

Below is a screenshot of IIS Manager. Top is the GoDaddy, next is the newly created EXCH01, last two are the expired EXCH01. I have a feeling something happened that shouldn't have. Please advise.

[Screenshot: IIS]

Johne75 (Author) Commented:
Here is the text from when I created the new cert and typed n for no and it still created it.


Confirm
Overwrite existing default SMTP certificate, 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"' (expires 7/29/2012
9:42:19 AM), with certificate 'F2C2215D8B25C1D1A514E93023F2ECC04E089FC8' (expires 9/19/2012 11:01:40 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): n

Thumbprint                                Services   Subject
----------                                --------   -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  .....      CN=EXCH01

Johne75 (Author) Commented:
Now of course I get the "There is a problem with this website's security certificate" when trying to browse to this site.

Johne75 (Author) Commented:
OK help me out how do I do that? This is all new to me. And thanks in advance for your patience!

MAS (MVE), Technical Department Head, Commented:
You can do all of this from EMC; no need for EMS, which will make you more confused.

MAS (MVE), Technical Department Head, Commented:
How did you create the cert, from EMC or EMS?

Johne75 (Author) Commented:
I didn't create any of the certs initially, just the one we discussed today. I created the new cert in the Exchange shell per instruction on this thread. But that is very confusing. Can I do this in the GUI of IIS Management Console?

Johne75 (Author) Commented:
I used the Get-ExchangeCertificate command and the GoDaddy cert still existed. I ran the enable command on it and all appears to be working fine now.

MAS (MVE), Technical Department Head, Commented:
I am sorry for the delay, as I got an urgent call.

Did you enable SMTP on the GoDaddy certificate?

If SMTP is also enabled and working fine, it is done. No need to think further.

Johne75 (Author) Commented:
I just used

Enable-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxx" -services IIS

Does this enable SMTP?

MAS (MVE), Technical Department Head, Commented:
yes

MAS (MVE), Technical Department Head, Commented:
Send me a screenshot of output of this command
get-exchangecertificate

Johne75 (Author) Commented:
Sorry for the delay, here you go

[PS] C:\Windows\system32>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  ...WS      CN=mail.flow-rite.com, OU=Domain Control Validated, O...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01

MAS (MVE), Technical Department Head, Commented:
Enable POP and IMAP on your third-party cert from EMC.
It will look like this:

Thumbprint                                Services   Subject
----------                                --------   -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP.WS      CN=mail.flow-rite.com, OU=Domain Control Validated, O...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP..S      CN=EXCH01


Or, if the current setting does not cause an issue, you can continue.
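
The checks discussed in this thread, gathered into one Exchange Management Shell pass. This is an added example, not posted by any participant: it lists expiry dates and services per certificate, looks for an unexpired certificate carrying the connector FQDN named in the event text, and enables only SMTP on it. The property names are those shown by `Get-ExchangeCertificate | Format-List`; the variable names are illustrative.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# $fqdn is the connector FQDN quoted in the event text on this page.
$fqdn = 'EXCH01.Flow-Rite.lcl'
$now  = Get-Date

# 1) Inventory every certificate Exchange can see, earliest expiry first.
$certs = @(Get-ExchangeCertificate)
$certs | Sort-Object NotAfter |
    Format-List Thumbprint, Subject, CertificateDomains, IsSelfSigned, Services, NotAfter

# 2) Expired certificates that still hold services are the ones to retire
#    once a replacement is working.
$certs | Where-Object { $_.NotAfter -lt $now } |
    Format-Table Thumbprint, Services, NotAfter -AutoSize

# 3) Unexpired certificates whose names include the connector FQDN.
#    STARTTLS on that connector needs one of these enabled for SMTP.
$candidates = @($certs | Where-Object {
    $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    ($_.NotAfter -gt $now) -and ($names -contains $fqdn)
})

if ($candidates.Count -eq 0) {
    Write-Warning "No unexpired certificate lists $fqdn; create a new self-signed certificate first."
}
else {
    # Take the candidate with the longest remaining validity.
    $pick = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

    # 4) Enable it for SMTP only. Naming IIS here would move the web binding
    #    to this certificate; IIS stays on the third-party certificate.
    #    -WhatIf previews the change; remove it to apply.
    Enable-ExchangeCertificate -Thumbprint $pick.Thumbprint -Services SMTP -WhatIf
}

# 5) Confirm the result: W (IIS) should appear only on the third-party row.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject, NotAfter -AutoSize
```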