?
Solved

Exchange 2010 self Cert

Posted on 2012-03-19
9
Medium Priority
?
633 Views
Last Modified: 2012-08-13
I'm getting the following error and I'm not sure how to fix it.:

Microsoft Exchange could not find a certificate that contains the domain name MSG.schulershook.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MSG with a FQDN parameter of MSG.domain.loca. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
0
Comment
Question by:Darth_mark67
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
9 Comments
 
LVL 42

Expert Comment

by:Adam Brown
ID: 37738719
If you only have a Self-Signed certificate, you'll want to modify your send and receive connectors so they are using just <servername> and not <servername.domain.local> as the response for EHLO HELO. If you have a cert that matched the domain name you have configured, configure your server so that cert is used for SMTP.
0
 

Author Comment

by:Darth_mark67
ID: 37739081
I have a digi cert but we deleted the self created cert.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 37739113
Okay, so make sure your connectors have the website host name defined in the cert as their FQDN for HELO. You can do this by going to Organization Config\Hub Transport then right click on your Send connector and click Properties. The line there asking for an FQDN should match the FQDN defined on the cert. Do the same at Server Config\Hub Transport for your Receive Connectors.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Darth_mark67
ID: 37739268
send connector has mail.domain.com
 both receive connectors (client and default) have mail.domain.com

initially the client had the msg.domain which I changed to our exchange cert (mail.domain.com).

but I'm still getting the error message.
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 37739296
Open the Exchange Management Shell and run get-exchangecertificate | fl

Make sure that the Services section for the Certificate you're using has SMTP in it.
0
 

Author Comment

by:Darth_mark67
ID: 37739322
Here it is, looks ok.


         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #77:

Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are p
eople who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
If you want to manage permissions for end users, use management role assignment policies.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>Get-Exchangecertificate |fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.schulershook.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
NotAfter           : 6/27/2012 7:00:00 AM
NotBefore          : 4/19/2011 7:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 0F0405297F2B509183D6DA70BB642499
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail.schulershook.com, OU=IT, O=Schuler Shook, L=Chicago, S=Illinois, C=US
Thumbprint         : A46B4DF3B2BE16D63AF8AE9FEAF8F0BD77B825AF



[PS] C:\>
0
 

Author Comment

by:Darth_mark67
ID: 37740597
Is this correct?


         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #84:

When you are creating a new Edge subscription, you need to run the New-EdgeSubscription cmdlet first on your Edge Transp
ort server, and then on an administrator console that is connected to your internal Exchange organization. However, beca
use Exchange 2010 uses remote Windows PowerShell, you can no longer use the Path parameter when importing an Edge subscr
iption file. Instead you need to use the Get-Content cmdlet to first retrieve and encode the data, and then pass it to t
he New-EdgeSubscription cmdlet, like so:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)
) -Site "Default-First-Site"

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                        msstd:<mail.domain.com> 1
EXPR                                                        msstd:<mail.domain.com> 1
WEB                                                         msstd:<mail.domain.com> 1


[PS] C:\>
0
 

Author Comment

by:Darth_mark67
ID: 37740638
Here is something else

The subject alternative name (SAN) of SSL certificate for https://msg.schulershook.net/Autodiscover/Autodiscover.xml does not appear to match the host address. Host address: msg.schulershook.net. Current SAN: DNS Name=mail.domain.com.
0
 

Author Comment

by:Darth_mark67
ID: 37740648
I also set this back to default.

         Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #77:

Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are p
eople who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
If you want to manage permissions for end users, use management role assignment policies.

VERBOSE: Connecting to MSG.schulershook.net
VERBOSE: Connected to MSG.schulershook.net.
[PS] C:\Windows\system32>cd..
[PS] C:\Windows>cd..
[PS] C:\>get-outlookprovider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1


[PS] C:\>
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
In-place Upgrading Dirsync to Azure AD Connect
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question