Exchange 2010 self Cert

I'm getting the following error and I'm not sure how to fix it.:

Microsoft Exchange could not find a certificate that contains the domain name MSG.schulershook.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MSG with a FQDN parameter of MSG.domain.loca. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Darth_mark67Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSr Solutions ArchitectCommented:
If you only have a Self-Signed certificate, you'll want to modify your send and receive connectors so they are using just <servername> and not <servername.domain.local> as the response for EHLO HELO. If you have a cert that matched the domain name you have configured, configure your server so that cert is used for SMTP.
Darth_mark67Author Commented:
I have a digi cert but we deleted the self created cert.
Adam BrownSr Solutions ArchitectCommented:
Okay, so make sure your connectors have the website host name defined in the cert as their FQDN for HELO. You can do this by going to Organization Config\Hub Transport then right click on your Send connector and click Properties. The line there asking for an FQDN should match the FQDN defined on the cert. Do the same at Server Config\Hub Transport for your Receive Connectors.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Darth_mark67Author Commented:
send connector has mail.domain.com
 both receive connectors (client and default) have mail.domain.com

initially the client had the msg.domain which I changed to our exchange cert (mail.domain.com).

but I'm still getting the error message.
Adam BrownSr Solutions ArchitectCommented:
Open the Exchange Management Shell and run get-exchangecertificate | fl

Make sure that the Services section for the Certificate you're using has SMTP in it.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Darth_mark67Author Commented:
Here it is, looks ok.


         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #77:

Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are p
eople who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
If you want to manage permissions for end users, use management role assignment policies.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>Get-Exchangecertificate |fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.schulershook.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter           : 6/27/2012 7:00:00 AM
NotBefore          : 4/19/2011 7:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 0F0405297F2B509183D6DA70BB642499
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail.schulershook.com, OU=IT, O=Schuler Shook, L=Chicago, S=Illinois, C=US
Thumbprint         : A46B4DF3B2BE16D63AF8AE9FEAF8F0BD77B825AF



[PS] C:\>
Darth_mark67Author Commented:
Is this correct?


         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #84:

When you are creating a new Edge subscription, you need to run the New-EdgeSubscription cmdlet first on your Edge Transp
ort server, and then on an administrator console that is connected to your internal Exchange organization. However, beca
use Exchange 2010 uses remote Windows PowerShell, you can no longer use the Path parameter when importing an Edge subscr
iption file. Instead you need to use the Get-Content cmdlet to first retrieve and encode the data, and then pass it to t
he New-EdgeSubscription cmdlet, like so:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)
) -Site "Default-First-Site"

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                        msstd:<mail.domain.com> 1
EXPR                                                        msstd:<mail.domain.com> 1
WEB                                                         msstd:<mail.domain.com> 1


[PS] C:\>
Darth_mark67Author Commented:
Here is something else

The subject alternative name (SAN) of SSL certificate for https://msg.schulershook.net/Autodiscover/Autodiscover.xml does not appear to match the host address. Host address: msg.schulershook.net. Current SAN: DNS Name=mail.domain.com.
Darth_mark67Author Commented:
I also set this back to default.

         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #77:

Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are p
eople who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
If you want to manage permissions for end users, use management role assignment policies.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1


[PS] C:\>
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.