Solved

Exchange 2010 self Cert

Posted on 2012-03-19
Last Modified: 2012-08-13
I'm getting the following error and I'm not sure how to fix it:

Microsoft Exchange could not find a certificate that contains the domain name MSG.schulershook.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MSG with a FQDN parameter of MSG.domain.loca. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Question by: Darth_mark67
9 Comments
 
LVL 44

Expert Comment

by: Adam Brown
ID: 37738719
If you only have a Self-Signed certificate, you'll want to modify your send and receive connectors so they are using just <servername> and not <servername.domain.local> as the response for EHLO HELO. If you have a cert that matched the domain name you have configured, configure your server so that cert is used for SMTP.

Author Comment

by: Darth_mark67
ID: 37739081
I have a DigiCert cert but we deleted the self-created cert.
LVL 44

Expert Comment

by: Adam Brown
ID: 37739113
Okay, so make sure your connectors have the website host name defined in the cert as their FQDN for HELO. You can do this by going to Organization Config\Hub Transport then right click on your Send connector and click Properties. The line there asking for an FQDN should match the FQDN defined on the cert. Do the same at Server Config\Hub Transport for your Receive Connectors.

Author Comment

by: Darth_mark67
ID: 37739268
The send connector has mail.domain.com.
Both receive connectors (client and default) have mail.domain.com.

Initially the client connector had the msg.domain name, which I changed to our Exchange cert name (mail.domain.com).

But I'm still getting the error message.
LVL 44

Accepted Solution

by: Adam Brown, earned 2000 total points
ID: 37739296
Open the Exchange Management Shell and run get-exchangecertificate | fl

Make sure that the Services section for the Certificate you're using has SMTP in it.
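The two checks in this thread (does the connector FQDN match a name on the certificate, and does that certificate have SMTP in its Services) can be scripted so they are done once for every connector instead of by eye. The script below is an added example, not code from this thread, from Microsoft, or from DigiCert. It assumes it is run in the Exchange Management Shell on the Hub Transport server; the $FixThumbprint parameter and the Test-DomainCovered function are this script's own names, not Exchange settings.

```powershell
# Added example (not from the thread): audit which Exchange 2010 certificate can
# back STARTTLS on each transport connector on this server, and flag connectors
# whose FQDN no valid, SMTP-enabled certificate covers. Run in the Exchange
# Management Shell. $FixThumbprint is this script's own (hypothetical) parameter.
param(
    # Thumbprint of the certificate that should serve SMTP. When given, SMTP is
    # enabled on it (the fix the accepted answer points at). Empty = report only.
    [string]$FixThumbprint = ''
)

# Does a certificate's domain list cover a host name? Exact match, or a
# wildcard entry (*.example.com) covering exactly one leading label.
function Test-DomainCovered {
    param([string]$HostName, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)             # ".example.com"
            $label  = $HostName.Split('.')[0]     # wildcard covers one label only
            if ($HostName -ieq ($label + $suffix)) { return $true }
        }
    }
    return $false
}

# Only valid certificates with a private key can be used at all; of those, only
# ones with SMTP in Services are offered for STARTTLS.
$certs     = Get-ExchangeCertificate | Where-Object { $_.Status -eq 'Valid' -and $_.HasPrivateKey }
$smtpCerts = $certs | Where-Object { "$($_.Services)" -match '\bSMTP\b' }

# An unset connector FQDN falls back to the computer's FQDN, as the event text says.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$connectors = @()
foreach ($rc in (Get-ReceiveConnector -Server $env:COMPUTERNAME)) {
    $connectors += New-Object PSObject -Property @{ Kind = 'Receive'; Name = $rc.Name; Fqdn = "$($rc.Fqdn)" }
}
foreach ($sc in Get-SendConnector) {
    $connectors += New-Object PSObject -Property @{ Kind = 'Send'; Name = $sc.Name; Fqdn = "$($sc.Fqdn)" }
}

foreach ($c in $connectors) {
    $fqdn  = if ($c.Fqdn) { $c.Fqdn } else { $localFqdn }
    $match = $smtpCerts |
        Where-Object { Test-DomainCovered $fqdn @($_.CertificateDomains | ForEach-Object { "$_" }) } |
        Select-Object -First 1
    if ($match) {
        "OK      {0,-8} {1,-30} {2} -> {3}" -f $c.Kind, $c.Name, $fqdn, $match.Thumbprint
    } else {
        "MISSING {0,-8} {1,-30} {2}: no valid certificate with SMTP enabled covers this name" -f $c.Kind, $c.Name, $fqdn
    }
}

if ($FixThumbprint) {
    # Adds SMTP to the Services of that certificate so the transport service can use its key.
    Enable-ExchangeCertificate -Thumbprint $FixThumbprint -Services SMTP
}
```

A MISSING line means either the connector FQDN (Set-ReceiveConnector / Set-SendConnector -Fqdn) or the certificate has to change; the script never edits connectors itself. Enable-ExchangeCertificate may prompt before replacing the existing default SMTP certificate.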

Author Comment

by: Darth_mark67
ID: 37739322
Here it is, looks ok.


         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #77:

Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
If you want to manage permissions for end users, use management role assignment policies.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>Get-Exchangecertificate |fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.schulershook.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter           : 6/27/2012 7:00:00 AM
NotBefore          : 4/19/2011 7:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 0F0405297F2B509183D6DA70BB642499
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail.schulershook.com, OU=IT, O=Schuler Shook, L=Chicago, S=Illinois, C=US
Thumbprint         : A46B4DF3B2BE16D63AF8AE9FEAF8F0BD77B825AF



[PS] C:\>

Author Comment

by: Darth_mark67
ID: 37740597
Is this correct?

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                        msstd:<mail.domain.com> 1
EXPR                                                        msstd:<mail.domain.com> 1
WEB                                                         msstd:<mail.domain.com> 1


[PS] C:\>

Author Comment

by: Darth_mark67
ID: 37740638
Here is something else.

The subject alternative name (SAN) of SSL certificate for https://msg.schulershook.net/Autodiscover/Autodiscover.xml does not appear to match the host address. Host address: msg.schulershook.net. Current SAN: DNS Name=mail.domain.com.

Author Comment

by: Darth_mark67
ID: 37740648
I also set this back to default.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1


[PS] C:\>