Solved

SMTP Certificate Broke

Posted on 2013-06-21
Last Modified: 2013-07-11
I'm getting this alert in my Event Viewer:

Microsoft Exchange could not load the certificate with thumbprint of %1 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate %1 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, an ephemeral, self-signed certificate with thumbprint %2 is being used.

The cert does not show up when you run the Get-ExchangeCertificate command.

How do I go about fixing this issue? And can I fix this without interrupting service?
Question by: Allanore
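The event text above already names the three cmdlets involved (Get-ExchangeCertificate, Enable-ExchangeCertificate, Import-ExchangeCertificate / New-ExchangeCertificate); the following is an added example, not part of the original question, showing how to carry out that diagnosis in the Exchange 2010 Management Shell. It takes the thumbprint quoted later in this thread as its input; the EKU check, the store paths and the decision to re-bind only a cert with a private key and Server Authentication EKU are this example's own assumptions about what a usable SMTP certificate needs.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell (Exchange 2010).
# Looks for the thumbprint named in the "could not load the certificate" event, and either
# re-enables it for SMTP or shows where it went and what is bound to SMTP in the meantime.
$Thumb = 'ECDFAF745DFF39A1FE51C5922AEB77FA1B07CFB4'   # thumbprint from the event; substitute yours

# 1. What does Exchange currently see? Services shows what each cert is bound to.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize

# 2. Is the certificate in the local computer's Personal (My) store at all?
$storePath = "Cert:\LocalMachine\My\$Thumb"
if (Test-Path $storePath) {
    $cert = Get-Item $storePath

    # Assumption for this example: a TLS cert for SMTP needs a private key and a
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1); no EKU extension means "all purposes".
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $serverAuth = ($oids.Count -eq 0) -or ($oids -contains '1.3.6.1.5.5.7.3.1')

    "HasPrivateKey: $($cert.HasPrivateKey)  ServerAuthEKU: $serverAuth  Expires: $($cert.NotAfter)"
    if ($cert.HasPrivateKey -and $serverAuth -and $cert.NotAfter -gt (Get-Date)) {
        # Re-bind it. -Force suppresses the "overwrite the default SMTP certificate?" prompt.
        Enable-ExchangeCertificate -Thumbprint $Thumb -Services SMTP -Force
    } else {
        "Certificate is present but not usable for SMTP; do not bind it."
    }
} else {
    "Certificate $Thumb is not in LocalMachine\My."

    # Was it imported into the wrong store (e.g. the user's store) instead?
    Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\Root -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumb } |
        Format-List PSParentPath, Subject, HasPrivateKey

    # Show what is currently bound to SMTP so mail flow can be confirmed unaffected.
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
        Format-List Thumbprint, Services, IsSelfSigned, CertificateDomains, NotAfter
}
```

If the cert is in a user store with its private key, export it as PFX and import it with Import-ExchangeCertificate before enabling it; if it only exists without a private key, it cannot be recovered this way and the replacement route in the accepted answer applies.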
12 Comments
Expert Comment by: Steve (LVL 27), ID: 39267858

Depends what you mean by fixing it, really...

Either:

a) re-enable the missing SSL cert that should be in place and has gone faulty

or

b) remove an SSL cert that shouldn't be in use and isn't meant to be there in the first place
Expert Comment by: arnold (LVL 80), ID: 39267951

The issue is likely that the certificate you generated is not for mail exchange.
Look at the certificate and see whether it has the mail exchange functions.

The error message includes directives that you should attempt.

Use the Certificates MMC for a service account or the computer account. It should be in one of those.
How did you generate/create the certificate? It might be in your user store. Export it with the private key, and then import it into the service/computer store.
Expert Comment by: Radweld (LVL 14), ID: 39268574

Does the Get-ExchangeCertificate command return any certificates? %1 isn't a valid thumbprint, so you're unlikely to find it listed there. Secure SMTP would normally use a 3rd-party certificate and not a self-signed one. All valid certificates installed on the server will be listed, as well as any applied services such as HTTP or SMTP.

If you have no desire to send secure mail then you can assign a self-signed certificate to SMTP, or if no certificates are listed as above, either generate a new self-signed certificate or reinstall a 3rd-party one purchased from whoever.
Author Comment by: Allanore, ID: 39271451

It looks like a new certificate was created and the SMTP service is assigned to it. Would I need to apply the IMAP and POP services to this SSL cert in order for the alert to go away?

It looks like Exchange is trying to find a cert that was removed, and a new one was put in its place with only the SMTP service assigned to it.
Expert Comment by: arnold (LVL 80), ID: 39271710

Does the new certificate include mail exchanger functionality, or is it merely a web certificate type (authenticate server identity, etc.)?
The issue deals with whether, when the CSR was generated, it included the attribute to indicate that the purpose included mail exchange.
If the attribute is missing, Exchange rejects the certificate because it is incomplete.
Author Comment by: Allanore, ID: 39272182

The Intended Purposes field shows Server Authentication, Client Authentication.

Also, the certificate purposes option is set to "Enable all purposes for this certificate".
Expert Comment by: arnold (LVL 80), ID: 39272202

Check the certificate attributes. I think there is a specific attribute that identifies the exchange/mail exchanger type of service.

I do not have time right now to look at a certificate to provide an example; if you have an email provider that you use and that has secure access (465), look at their certificate for purposes of comparison.
I've seen the item listed as mail exchanger; in others there was a numerical 2.3.4.53.2.2.1 type of indicator for the attribute.

You need to know which attribute, and how it is designated, your particular system is looking for.
Expert Comment by: Radweld (LVL 14), ID: 39273062

Is the certificate listed as self-signed? If so, then what services are assigned to it? Usually the self-signed certificate will be enabled for all services, but sometimes this doesn't happen. You can either use the GUI to assign services or use EMS: http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx

Either way you will need to know the thumbprint of the certificate, and that can be returned by using the Get-ExchangeCertificate command. Ensure it says it's valid as well.
Author Comment by: Allanore, ID: 39278605

The certificate with thumbprint ECDFAF745DFF39A1FE51C5922AEB77FA1B07CFB4 is no longer in the personal store. However, Exchange thinks that it needs to look for that certificate. Then it resorts to using another cert that has SMTP enabled.

http://technet.microsoft.com/en-us/library/ff980665(v=exchg.141).aspx

This article says I need to run the New-ExchangeCertificate cmdlet to create a new certificate on the computer that returned this Error event.

We only have 1 Exchange server and already have a cert set up for mail. If I run this specified command, will it break anything?
Expert Comment by: Radweld (LVL 14), ID: 39279054

As per my question above, are you using a self-signed, PKI or 3rd-party certificate? If self-signed, then that command can generate a new self-signed certificate; you still need to assign services. If not self-signed, that command will generate a CSR (certificate request) that can be processed on an Enterprise CA or by a 3rd party.
Author Comment by: Allanore, ID: 39280153

Looks like the cert is a CA cert. The server is an Enterprise CA; if I go to certsrv.msc I can locate the Certificate Templates node, which according to this article only exists on an Enterprise CA. http://social.technet.microsoft.com/Forums/windowsserver/en-US/83e759aa-b93f-4c9b-a7d2-955daf751c9a/is-ca-a-standalone-or-enterprise-ca
Accepted Solution by: Radweld (LVL 14), ID: 39280772 (Radweld earned 2000 total points)

I would have a read of this blog, which documents certificates and Exchange 2010 and goes into detail with plenty of examples on how to generate a CSR, process this CSR on an Enterprise CA, complete the CSR and assign services.

http://exchangeserverpro.com/exchange-2010-ssl-certificates/

At this stage it's probably easier to replace the broken certificate with a new one, and as long as it comes from the Enterprise CA there is a good chance your clients won't start generating errors when they log onto Exchange.

This won't make secure SMTP work though, as to securely send mail you need a 3rd-party certificate or a certificate trusted by a public root CA. It's unlikely you're trying to send mail securely anyway, so I think you don't need to worry.

If you are exchanging securely with a partner using an internally generated CA, then you would have performed a certificate exchange with the partner so they are able to validate and trust the certificate you use.