Solved

SMTP Certificate Broke

Posted on 2013-06-21
Last Modified: 2013-07-11

I'm getting this alert in my Event Viewer:

Microsoft Exchange could not load the certificate with thumbprint of %1 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate %1 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, an ephemeral, self-signed certificate with thumbprint %2 is being used.

The cert does not show up when you run the get-exchangecertificate command.

How do I go about fixing this issue? And can I fix this without interrupting service?
Question by: Allanore
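A way to narrow this down before touching anything, as an added example that is not part of the original question or any reply: it lists what Exchange currently binds to SMTP, checks whether the thumbprint from the event is still in the computer's Personal store (the place the event refers to), and only then offers to re-enable it. It assumes the Exchange Management Shell on the Exchange 2010 server; the thumbprint is the one the author quotes later in the thread and stands in for the %1 value of your own event.

```powershell
# Added diagnostic example (not from the original thread). Run in the Exchange
# Management Shell on the server that logged the event. Replace the thumbprint
# with the %1 value from your event; this one is the value quoted later in the thread.
$MissingThumbprint = 'ECDFAF745DFF39A1FE51C5922AEB77FA1B07CFB4'

# 1. What Exchange itself knows about. The Services column shows which
#    certificate(s) currently carry SMTP (and IIS/POP/IMAP).
Get-ExchangeCertificate |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Services, Status, IsSelfSigned, NotAfter, Subject -AutoSize

# 2. Is the certificate from the event still in the computer's Personal store?
#    Exchange loads it from Cert:\LocalMachine\My, so a certificate that only
#    lives in a user store (one of the replies raises this) will not appear here.
$inStore = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $MissingThumbprint }

if ($inStore) {
    # Present but no longer bound: re-enable it for SMTP, as the event text says.
    # -WhatIf previews the binding change; remove it to apply.
    Enable-ExchangeCertificate -Thumbprint $MissingThumbprint -Services SMTP -WhatIf
} else {
    Write-Host "Certificate $MissingThumbprint is not in LocalMachine\My."
    Write-Host "Exchange is using an ephemeral self-signed certificate for server-to-server SMTP instead."

    # Show what currently carries SMTP, so you know which certificate is actually
    # offered to other Exchange servers while the alert persists.
    Get-ExchangeCertificate |
        Where-Object { $_.Services.ToString() -match 'SMTP' -and $_.Status -eq 'Valid' } |
        Format-List Thumbprint, Subject, CertificateDomains, NotAfter, IsSelfSigned
}
```

Nothing in this script changes state: the only modifying cmdlet runs with -WhatIf, so it is safe to run during business hours. If the second step finds the certificate in the store, the event's own remedy (Enable-ExchangeCertificate for SMTP) applies; if it does not, the certificate is gone and the question becomes which certificate should take its place.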
 
Expert Comment by Steve (LVL 27), ID 39267858
Depends what you mean by fixing it, really...

Either:

a) re-enable the missing SSL cert that should be in place and has gone faulty

or

b) remove an SSL cert that shouldn't be in use and isn't meant to be there in the first place
Expert Comment by arnold (LVL 77), ID 39267951
The issue is likely that the certificate you generated is not for mail exchange.
Look at the certificate and see whether it has the mail exchange functions.

The error message includes directives that you should attempt.

Use the Certificates MMC for a service account or computer account. It should be in one of those.
How did you generate/create the certificate? It might be in your user store. Export it with the private key, and then import it into the service/computer store.
Expert Comment by Radweld (LVL 14), ID 39268574
Does the get-exchangecertificate command return any certificates? %1 isn't a valid thumbprint, so you're unlikely to find it listed there. Secure SMTP would normally use a 3rd party certificate and not a self signed one. All valid certificates installed on the server will be listed, as well as any applied services such as HTTP or SMTP.

If you have no desire to send secure mail then you can assign a self signed certificate to SMTP, or if no certificates are listed as above, either generate a new self signed certificate or reinstall a 3rd party one purchased from whoever.
Author Comment by Allanore, ID 39271451
It looks like a new certificate was created and the SMTP service is assigned to it. Would I need to apply the IMAP and POP services to this SSL cert in order for the alert to go away?

It looks like Exchange is trying to find a cert that was removed and a new one was put in its place with only the SMTP service assigned to it.
Expert Comment by arnold (LVL 77), ID 39271710
Does the new certificate include mail exchanger functionality, or is it merely a web certificate type (authenticate server identity, etc.)?
The issue deals with whether, when the CSR was generated, it included the attribute to indicate that the purpose included a mail exchange.
If the attribute is missing, Exchange rejects the certificate because it is incomplete.
Author Comment by Allanore, ID 39272182
The intended purposes field shows Server Authentication, Client Authentication.

Also, the certificate purposes option is set to "enable all purposes for this certificate".
Expert Comment by arnold (LVL 77), ID 39272202
Check the certificate attributes. I think there is a specific attribute that identifies an exchange/mail exchanger type of service.

I do not have time right now to look at a certificate to provide an example; if you have an email provider that you use that has secure access (465), look at their certificate for purposes of comparison.
I've seen the item listed as mail exchanger; in others there was a numerical 2.3.4.53.2.2.1 type of indicator for the attribute.

You need to know which attribute, and how it is designated, your particular system is looking for.
Expert Comment by Radweld (LVL 14), ID 39273062
Is the certificate listed as self signed? If so, then what services are assigned to it? Usually the self signed certificate will be enabled for all services, but sometimes this doesn't happen. You can either use the GUI to assign services or use EMS: http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx

Either way you will need to know the thumbprint of the certificate, and that can be returned by using the get-exchangecertificate command. Ensure it says it's valid as well.
Author Comment by Allanore, ID 39278605
The certificate with thumbprint ECDFAF745DFF39A1FE51C5922AEB77FA1B07CFB4 is no longer in the personal store. However, Exchange thinks that it needs to look for that certificate. Then it resorts to using another cert that has SMTP enabled.

http://technet.microsoft.com/en-us/library/ff980665(v=exchg.141).aspx

In this article it says I need to run the New-ExchangeCertificate cmdlet to create a new certificate on the computer that returned this Error event.

We only have 1 Exchange server and already have a cert set up for mail. If I run this specified command, will it break anything?
Expert Comment by Radweld (LVL 14), ID 39279054
As per my question above, are you using a self signed, PKI or 3rd party certificate? If self signed, then that command can generate a new self signed certificate; you still need to assign services. If not self signed, that command will generate a CSR or certificate request that can be processed on an enterprise CA or by a 3rd party.
Author Comment by Allanore, ID 39280153
Looks like the cert is a CA cert. The server is an enterprise CA; if I go to certsrv.msc I can locate the Certificate Templates node, which according to this article only exists on an Enterprise CA. http://social.technet.microsoft.com/Forums/windowsserver/en-US/83e759aa-b93f-4c9b-a7d2-955daf751c9a/is-ca-a-standalone-or-enterprise-ca
Accepted Solution by Radweld (LVL 14), earned 500 total points, ID 39280772
I would have a read of this blog, which documents certificates and Exchange 2010 and goes into detail with plenty of examples on how to generate a CSR, process this CSR on an Enterprise CA, complete the CSR and assign services.

http://exchangeserverpro.com/exchange-2010-ssl-certificates/

At this stage it's probably easier to replace the broken certificate with a new one, and as long as it comes from the Enterprise CA there is a good chance your clients won't start generating errors when they log onto Exchange.

This won't make secure SMTP work though, as to securely send mail you need a 3rd party certificate or a certificate trusted by a public root CA. It's unlikely you're trying to send mail securely anyway, so I think you don't need to worry.

If you are exchanging securely with a partner using an internally generated CA, then you would have performed a certificate exchange with the partner so they are able to validate and trust the certificate you use.
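The replace-and-rebind procedure the accepted answer outlines (generate a CSR, issue it on the Enterprise CA, complete the request, assign services), written out as an added example; it is not code from the thread or from the blog it links to. It assumes the Exchange Management Shell on the single Exchange 2010 server and an Enterprise CA reachable with certreq.exe; the hostnames, file paths, CA name and template name are placeholders to replace with your own.

```powershell
# Added example of the replace-and-rebind procedure (not code from the thread or the
# linked blog). Run in the Exchange Management Shell on the Exchange 2010 server.
# Every name and path below is a placeholder; substitute your own values.
$ServerFqdn  = 'mail.example.internal'                                   # placeholder
$Names       = 'mail.example.internal', 'autodiscover.example.internal'  # placeholder SANs
$CaConfig    = 'ca01.example.internal\Example Enterprise CA'             # placeholder host\CA name
$RequestFile = 'C:\certs\exchange.req'                                   # placeholder
$IssuedFile  = 'C:\certs\exchange.cer'                                   # placeholder

# 1. Generate the CSR. The private key is created on this server and never leaves it;
#    only the request text does. -PrivateKeyExportable allows a backup of the cert later,
#    which is what the event's "restore it from backup" remedy relies on.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$ServerFqdn" `
    -DomainName $Names `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 transport and IIS'
Set-Content -Path $RequestFile -Value $csr

# 2. Submit the request to the Enterprise CA. certreq.exe ships with Windows. The
#    template name is a placeholder; it must be one your CA publishes. WebServer is the
#    built-in template whose certificates carry Server Authentication, which is the
#    purpose SMTP TLS and IIS need.
certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $RequestFile $IssuedFile

# 3. Complete the pending request. Import pairs the issued certificate with the private
#    key from step 1 and returns the certificate object, including its thumbprint.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $IssuedFile -Encoding Byte -ReadCount 0))

# 4. Bind services. Up to this point the existing binding is untouched, so nothing
#    changes for clients or mail flow until you run this line. Enabling SMTP prompts
#    whether to overwrite the default SMTP certificate; answering Yes makes this the
#    certificate offered to other Exchange servers, which is what clears the event.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP, IIS'

# 5. Confirm the binding and that this server validates the chain to the Enterprise CA.
#    Status should read Valid and RootCAType should not be Unknown.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Status, Services, CertificateDomains, NotAfter, RootCAType
```

Steps 1 to 3 are non-disruptive, so they can be done ahead of time; step 4 is the only moment of change, and because Exchange keeps the previous certificate in the store, you can rebind to the old thumbprint with Enable-ExchangeCertificate if anything misbehaves. As the answer notes, a certificate from an internal CA is trusted by domain-joined clients but not by outside mail servers, so this fixes the internal transport alert without making opportunistic TLS to the Internet verifiable.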