Solved

SMTP Certificate Broke

Posted on 2013-06-21
12
546 Views
Last Modified: 2013-07-11
I'm getting the alert in my event viewer:

Microsoft Exchange could not load the certificate with thumbprint of %1 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate %1 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, an ephemeral, self-signed certificate with thumbprint %2 is being used.

The cert does not show up when you run the get-exchangecertificate command.

How do I go about fixing this issue? And can I fix this without interrupting service?
0
Comment
Question by:Allanore
12 Comments
 
LVL 27

Expert Comment

by:Steve
ID: 39267858
depends what you mean by fixing it really....

Either:

a) re-enable the missing SSL cert that should be in place and has gone faulty

or

b) remove an SSL cert that shouldn't be in use and isn't meant to be there in the first place
0
 
LVL 76

Expert Comment

by:arnold
ID: 39267951
The issue is likely that the certificate you generated is not for mail exchange.
Look at the certificate and see whether it has the mail exchange functions.

The error message includes directives that you should attempt.

Use the Certificates MMC for a service account or the computer account. It should be in one of those.
How did you generate/create the certificate? It might be in your user store. Export it with the private key, and then import it into the service/computer store.
0
 
LVL 14

Expert Comment

by:Radweld
ID: 39268574
Does the get-exchangecertificate command return any certificates? %1 isn't a valid thumbprint, so you're unlikely to find it listed there. Secure SMTP would normally use a 3rd party certificate and not a self signed one. All valid certificates installed on the server will be listed, as well as any applied services such as http or smtp.

If you have no desire to send secure mail then you can assign a self signed certificate to smtp, or if no certificates are listed as above, either generate a new self signed certificate or reinstall a 3rd party one purchased from whoever.
0
 

Author Comment

by:Allanore
ID: 39271451
It looks like a new certificate was created and the SMTP service is assigned to it. Would I need to apply the IMAP and POP services to this SSL cert in order for the alert to go away?

It looks like Exchange is trying to find a cert that was removed, and a new one was put in its place with only the SMTP service assigned to it.
0
 
LVL 76

Expert Comment

by:arnold
ID: 39271710
Does the new certificate include mail exchanger functionality, or is it merely a web certificate type (authenticate server identity, etc.)?
The issue deals with whether, when the CSR was generated, it included the attribute to indicate that the purpose included a mail exchange.
If the attribute is missing, Exchange rejects the certificate because it is incomplete.
0
 

Author Comment

by:Allanore
ID: 39272182
The intended purposes field shows Server Authentication, Client Authentication.

Also, the certificate purposes option is set to "enable all purposes for this certificate".
0
 
LVL 76

Expert Comment

by:arnold
ID: 39272202
Check the certificate attributes. I think there is a specific attribute that identifies an exchange/mail exchanger type of service.

I do not have time right now to look at a certificate to provide an example; if you have an email provider that you use and it has secure access (465), look at their certificate for purposes of comparison.
I've seen the item listed as mail exchanger; in others there was a numerical 2.3.4.53.2.2.1 type of indicator for the attribute.

You need to know which attribute, and how it is designated, your particular system is looking for.
0
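The comment above suggests inspecting a certificate's attributes and comparing them with a known-good SMTP/TLS certificate. The following is an added example, not code from the thread: it lists every certificate in the local computer's Personal store together with its Enhanced Key Usage (EKU) entries and whether the private key is present. Exchange uses the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) for SMTP TLS; a certificate with no EKU extension at all is treated by Windows as valid for all purposes, which matches the "enable all purposes" wording seen in certmgr. Run it in an elevated PowerShell on the Exchange server; no thread-specific values are assumed.

```powershell
# Added example (not from the thread): survey the LocalMachine\My store and report
# the EKU entries on each certificate so it can be compared with a known-good
# SMTP/TLS certificate. Requires an elevated PowerShell on the server.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU Exchange needs for SMTP TLS
$ekuExtensionOid = '2.5.29.37'         # id-ce-extKeyUsage

function Get-LocalCertificateEkuReport {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # The EKU extension may be absent entirely; Windows then treats the cert as "all purposes".
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid }

        $ekuNames   = @()
        $serverAuth = $false
        if ($ekuExt) {
            $typed = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt
            foreach ($oid in $typed.EnhancedKeyUsages) {
                if ($oid.FriendlyName) { $ekuNames += "$($oid.FriendlyName) ($($oid.Value))" }
                else                   { $ekuNames += $oid.Value }
                if ($oid.Value -eq $serverAuthOid) { $serverAuth = $true }
            }
        }

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey      # Exchange cannot use a cert whose private key is missing
            ServerAuthEKU  = $serverAuth
            NoEkuExtension = -not $ekuExt             # "all purposes": usable, but worth knowing
            EKUs           = ($ekuNames -join '; ')
        }
    }
}

# Usage: full table, then only the certificates Exchange could plausibly bind to SMTP.
Get-LocalCertificateEkuReport | Format-Table -AutoSize -Wrap
Get-LocalCertificateEkuReport |
    Where-Object { $_.HasPrivateKey -and ($_.ServerAuthEKU -or $_.NoEkuExtension) -and $_.NotAfter -gt (Get-Date) } |
    Select-Object Thumbprint, Subject, NotAfter
```

The second listing is the practical check: a certificate that is expired, lacks its private key, or carries only Client Authentication in its EKU will not be loadable for SMTP no matter which services are assigned to it in Exchange.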
 
LVL 14

Expert Comment

by:Radweld
ID: 39273062
Is the certificate listed as Self signed? If so then what services are assigned to it? Usually the self signed certificate will be enabled for all services but sometimes this doesn't happen. You can either use the GUI to assign services or use EMS, http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx

Either way you will need to know the thumbprint of the certificate, and that can be returned by using the get-exchangecertificate command. Ensure it says it's valid as well.
0
 

Author Comment

by:Allanore
ID: 39278605
The certificate with thumbprint ECDFAF745DFF39A1FE51C5922AEB77FA1B07CFB4 is no longer in the personal store. However, Exchange thinks that it needs to look for that certificate. Then it resorts to using another cert that has SMTP enabled.

http://technet.microsoft.com/en-us/library/ff980665(v=exchg.141).aspx

In this article it says I need to run the New-ExchangeCertificate cmdlet to create a new certificate on the computer that returned this Error event.

We only have 1 Exchange server and already have a cert set up for mail. If I run this specified command will it break anything?
0
 
LVL 14

Expert Comment

by:Radweld
ID: 39279054
As per my question above, are you using a self signed, PKI or 3rd party certificate? If self signed then that command can generate a new self signed certificate; you still need to assign services. If not self signed, that command will generate a CSR or certificate request that can be processed on an enterprise CA or by a 3rd party.
0
 

Author Comment

by:Allanore
ID: 39280153
Looks like the cert is a CA cert. The server is an enterprise CA; if I go to certsrv.msc I can locate the Certificate Templates node, which according to this article only exists on an Enterprise CA. http://social.technet.microsoft.com/Forums/windowsserver/en-US/83e759aa-b93f-4c9b-a7d2-955daf751c9a/is-ca-a-standalone-or-enterprise-ca
0
 
LVL 14

Accepted Solution

by:
Radweld earned 500 total points
ID: 39280772
I would have a read of this blog which documents the Certificates and Exchange 2010 and goes into detail with plenty of examples on how to generate a CSR, Process this CSR on an Enterprise CA, Complete the CSR and assign services.

http://exchangeserverpro.com/exchange-2010-ssl-certificates/

At this stage it's probably easier to replace the broken certificate with a new one, and as long as it comes from the Enterprise CA there is a good chance your clients won't start generating errors when they log onto Exchange.

This won't make secure SMTP work though, as to securely send mail you need a 3rd party certificate or a certificate trusted by a public root CA. It's unlikely you're trying to send mail securely anyway, so I think you don't need to worry.

If you are exchanging securely with a partner using an internally generated CA then you would have performed a certificate exchange with the partner so they are able to validate and trust the certificate you use.
0
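The accepted answer, and Radweld's earlier comment about finding the thumbprint with get-exchangecertificate and assigning services from the Exchange Management Shell, describe a procedure that is easy to get wrong by hand. The script below is an added example, not code from the thread or from the linked blog: it follows the decision the event text itself lays out (re-enable the certificate if it still exists, otherwise fall back to a replacement) using Exchange 2010 cmdlets. It assumes it runs in the Exchange Management Shell on the affected server; the thumbprint is the one quoted in the thread, the function names are this example's own, and the request/certificate file paths are placeholders. The CSR steps are left commented because they need the CA to issue the certificate in between.

```powershell
# Added example (not from the thread): triage the "could not load the certificate with
# thumbprint" condition in the Exchange Management Shell (Exchange 2010 cmdlets).
# Assumptions: run on the affected server; $missingThumbprint comes from the event text.

$missingThumbprint = 'ECDFAF745DFF39A1FE51C5922AEB77FA1B07CFB4'   # thumbprint quoted in this thread
$serverFqdn        = [System.Net.Dns]::GetHostEntry('').HostName  # or set explicitly, e.g. 'mail.example.local'

# 0. Confirm the condition is still being logged (MSExchangeTransport event 12014 carries this text).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeTransport'; Id = 12014 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message

function Get-SmtpCertificateStatus {
    # Returns the certificates Exchange currently has enabled for SMTP, flagging whether each
    # one is valid, unexpired and actually names this server.
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } | ForEach-Object {
        [pscustomobject]@{
            Thumbprint   = $_.Thumbprint
            Subject      = $_.Subject
            Domains      = ($_.CertificateDomains -join ', ')
            Services     = $_.Services
            Status       = $_.Status
            NotAfter     = $_.NotAfter
            IsSelfSigned = $_.IsSelfSigned
            CoversServer = ($_.Status -eq 'Valid' -and $_.NotAfter -gt (Get-Date) -and
                            $_.CertificateDomains -contains $serverFqdn)
        }
    }
}

function Repair-SmtpCertificate {
    param([string]$Thumbprint, [string]$Fqdn)

    $cert = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($cert) {
        # Case 1: still in the store. Re-enable it for SMTP as the event text recommends.
        # Enabling SMTP on a certificate is additive; it does not take SMTP off any other cert.
        # -Force suppresses the prompt about replacing the default SMTP certificate.
        Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Force
        return 'Re-enabled existing certificate'
    }

    # Case 2: gone for good. If another valid certificate already covers this FQDN for SMTP,
    # there is nothing to add; Exchange only needs a loadable, matching cert to stop the fallback.
    if (Get-SmtpCertificateStatus | Where-Object { $_.CoversServer }) {
        return 'A valid SMTP certificate for this server already exists'
    }

    # Case 3: nothing covers the server. Without -GenerateRequest, New-ExchangeCertificate creates
    # and installs a self-signed certificate. Limiting -Services to SMTP leaves the certificate
    # bound to IIS/OWA untouched, so client access is not affected.
    New-ExchangeCertificate -DomainName $Fqdn -Services SMTP -FriendlyName "SMTP $Fqdn" -Force
    return 'Created self-signed SMTP certificate'
}

Get-SmtpCertificateStatus | Format-Table -AutoSize
Repair-SmtpCertificate -Thumbprint $missingThumbprint -Fqdn $serverFqdn

# Preferred on a domain with an Enterprise CA: request an issued certificate instead of a
# self-signed one. Paths are placeholders; run these by hand once the CA has issued the cert.
# $req = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$serverFqdn" `
#            -DomainName $serverFqdn -PrivateKeyExportable $true
# Set-Content -Path 'C:\Certs\smtp-request.req' -Value $req
# ... submit smtp-request.req to the CA and save the issued certificate as smtp.cer ...
# Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\Certs\smtp.cer' -Encoding Byte -ReadCount 0)) |
#     Enable-ExchangeCertificate -Services SMTP
```

On the "will it break anything" question from the thread: assigning SMTP to a certificate never removes SMTP from the one already in use, and the transport service picks the certificate whose name matches the connector FQDN, so the steps above can be run during business hours. Scoping the new certificate to `-Services SMTP` rather than `IIS` is what keeps OWA and Outlook Anywhere on the certificate clients already trust. After the change, a second look at the event log (step 0) confirms the fallback to the ephemeral certificate has stopped.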
