

Exchange 2007 SSL certificate problem

Posted on 2013-10-31
Medium Priority
Last Modified: 2014-03-06

I am having an issue with my SSL config following renewal of my ssl certificate

I followed the method detailed here: http://support.godaddy.com/help/article/4877/installing-an-ssl-certificate-in-microsoft-exchange-server-2007

This is the same method I followed 3 years ago when I originally imported the signed cert. The only difference being I had to drop my internal URIs (e.g. domaincontroller.attwaters.local).

Imported through Exch Management Console and enabled for IIS, IMAP and SMTP.

get-exchangecertificate shows.....

Thumbprint                                      Services   Subject
7E182A1AFB72AF7D43105C957E8CE1  IP.WS      CN=mail.domain.com, O...
C0F43600D7E7B56B511647436E3B10    .....         CN=domains-DCSERVER-CA
599AEFEBF09B3821E94A6A592A8AF1    .....         CN=DCSERVER.domain.local
A718B39B69B7AD03D2B5E00FAEF51A  .....         CN=domains-DCSERVER-CA
71396D438AB2719652253C8E4E18C1   .....         CN=WMSvc-WIN-DD4E4LZ288I

My godaddy certificate
CN = mail.domain.com
OU = Domain Control Validated
DNS Name=mail.domain.com
DNS Name=www.mail.domain.com
DNS Name=autodiscover.domain.com
DNS Name=remote.domain.com

Since updating the cert, OWA, OAB, web services and RPC over HTTP FAIL.

OWA (Internal) gives a generic "Internet connectivity has been lost." message.

Using MS Remote Connectivity Analyser, I get.....
Wasn't able to obtain the remote SSL certificate.
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

Other tools suggest that no certificate is offered on 443.

I have revoked, generated new CSRs and repeated multiple times. iisresets, reboot etc. and no joy.

Has anyone got any ideas where I need to look next?

Oh, for info, SBS2008!

Many thanks.
Question by:noooodlez
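An added check for the symptom described in the question ("no certificate is offered on 443"); this is not code from the thread. It runs in the Exchange Management Shell on the Exchange 2007 server and assumes PowerShell 2.0 or later (for try/catch and the delegate cast). It lists what Get-ExchangeCertificate knows about, including expiry and the letters in the Services column (I=IMAP, P=POP, W=IIS/Web, S=SMTP, U=UM), reads which thumbprint HTTP.sys actually has bound to 0.0.0.0:443, and then performs a raw TLS handshake against a name to see what, if anything, the server presents. The host name mail.domain.com is the placeholder from the question.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2007 server; assumes PowerShell 2.0+ for try/catch and delegate casts.

# 1. What Exchange thinks it has. Services letters: I=IMAP, P=POP, W=IIS, S=SMTP, U=UM.
$now = Get-Date
Get-ExchangeCertificate |
    Select-Object Thumbprint, Services, IsSelfSigned, HasPrivateKey,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } },
        NotAfter,
        @{ Name = 'Domains'; Expression = {
            [string]::Join(',', [string[]]@($_.CertificateDomains | ForEach-Object { $_.ToString() })) } } |
    Format-Table -AutoSize

# 2. What HTTP.sys actually has bound to port 443 (this is what IIS/OWA will present).
#    If nothing comes back, nothing is bound and no certificate will ever be offered,
#    whatever Enable-ExchangeCertificate reports.
$boundHash = netsh http show sslcert ipport=0.0.0.0:443 |
    ForEach-Object { if ($_ -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $matches[1].ToUpper() } }
"HTTP.sys binding on 0.0.0.0:443: $(if ($boundHash) { $boundHash } else { 'NONE' })"

# 3. Raw TLS handshake: does the server present a certificate at all, and which one?
function Test-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept anything: we are inspecting what is offered, not trusting it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $raw = $ssl.RemoteCertificate
        if ($raw -eq $null) { return "No certificate offered by ${HostName}:$Port" }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        New-Object PSObject -Property @{
            Host              = $HostName
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            SubjectAltNames   = $(if ($san) { $san.Format($false) } else { '' })
            MatchesIisBinding = ($boundHash -contains $cert.Thumbprint)
        }
    } catch {
        # This is the "SSL negotiation wasn't successful" case the Remote Connectivity Analyzer reports.
        "Handshake with ${HostName}:$Port failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Placeholder name from the question; replace with your own. Run once against the
# server's own name from inside the LAN and once against the published name (or the
# public IP) to separate a router/port-forward problem from a binding problem.
Test-TlsCertificate -HostName $env:COMPUTERNAME | Format-List
Test-TlsCertificate -HostName 'mail.domain.com' | Format-List
```

If step 2 shows a hash that is not the new certificate's thumbprint, or no hash at all, the problem is the IIS binding rather than the certificate itself; if the internal probe succeeds but the external one fails, look at the router.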

Author Comment

ID: 39613724
Also, this is logged on our Exchange box.

Event Type:    Error
Event Source: MSExchangeTransport
Event Category:          TransportService
Event ID:         12014
Date:               31/10/2013
Time:               07:49:38
User:               N/A
Computer:       DC.DOMAINs.local
Microsoft Exchange could not find a certificate that contains the domain name DC.DOMAINs.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default DC with a FQDN parameter of DC.DOMAINs.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Seems to be suggesting that I need to use the smtp service on a certificate created by our internal CA!?

Expert Comment

by:Simon Butler (Sembee)
ID: 39614260
They are two unrelated problems.
The second issue you have posted is easy to resolve. Just go in to EMS and run

New-ExchangeCertificate

No switches or other options. An internal self signed certificate will be created that will stop the SMTP error message.

As for the first one - have you removed the old certificate?
If you run get-exchangecertificate do you see the new certificate and it is bound to the IIS service? (W).

Did you enable the certificate using the SBS wizard, or through Exchange?
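An added example, not from the thread, that reproduces the test behind event 12014 and applies the fix given in the reply above. Transport logs 12014 when no certificate in the local Personal store with the SMTP service enabled has a name covering the FQDN a Receive connector advertises for STARTTLS (the computer's FQDN when the connector has none). The function checks every Receive connector on this server; if any is uncovered, it runs New-ExchangeCertificate with no switches, as advised, and re-checks. It runs in the Exchange Management Shell and assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.

function Test-ConnectorCertificateCoverage {
    $server = $env:COMPUTERNAME
    # A connector with no explicit FQDN uses the computer's own FQDN (as the event text says).
    $defaultFqdn = [System.Net.Dns]::GetHostEntry($server).HostName
    # Only certificates with a private key and the SMTP service can be used for STARTTLS.
    $smtpCerts = Get-ExchangeCertificate |
        Where-Object { $_.HasPrivateKey -and $_.Services.ToString() -match 'SMTP' }

    foreach ($rc in Get-ReceiveConnector -Server $server) {
        $fqdn = if ($rc.Fqdn) { $rc.Fqdn.ToString() } else { $defaultFqdn }
        $covering = @($smtpCerts | Where-Object {
            $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
            # exact name, or a wildcard entry such as *.domain.local
            @($names | Where-Object { $_ -eq $fqdn -or ($_.StartsWith('*.') -and $fqdn -like $_) }).Count -gt 0
        })
        New-Object PSObject -Property @{
            Connector   = $rc.Name
            Fqdn        = $fqdn
            Covered     = ($covering.Count -gt 0)
            Thumbprints = [string]::Join(',', [string[]]@($covering | ForEach-Object { $_.Thumbprint }))
        }
    }
}

Test-ConnectorCertificateCoverage | Format-Table Connector, Fqdn, Covered, Thumbprints -AutoSize

# Fix as given in the reply: New-ExchangeCertificate with no switches creates a
# self-signed certificate for the server's own names and enables it for SMTP. The
# CA-signed certificate keeps precedence for connectors whose FQDN it covers, which
# is what the 'takes precedence' warning reports; the self-signed one serves the
# internal FQDN that a public certificate can no longer carry.
$gap = @(Test-ConnectorCertificateCoverage | Where-Object { -not $_.Covered })
if ($gap.Count -gt 0) {
    New-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains
    Test-ConnectorCertificateCoverage | Format-Table Connector, Fqdn, Covered -AutoSize
}
```

Run the check again after a restart of the Microsoft Exchange Transport service; event 12014 is raised at service start, so the event log alone lags the actual state.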


Author Comment

ID: 39614628

I enabled the certificate through Exchange. The SBS wizard is broken (I inherited the network with a 192.0.0.x subnet, which is technically a public subnet). The SBS wizard will not let me go beyond "connect to internet".

I ran the new-exchangecertificate command which worked with this message.

WARNING: This certificate will not be used for external TLS connections with an FQDN of 'DC.domain.local' because the CA-signed certificate with thumbprint '7BD905068E999AEFEBF09B9821E94A6A592A8AF0' takes precedence. The following connectors match that FQDN: Default Connector.

The 7bd9..... certificate is one that I was messing with, enabling services, and now cannot disable the SMTP service on it.

Do I need to do something with the connector to tell it to use the new certificate. I cannot see any options here, other than to use TLS.

Port redirection (443) on my router is unchanged. The request must get to my exchange box via the connector, so why is no certificate being offered?

I have also noticed that  
Get-OABVirtualDirectory | fl InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory | fl InternalUrl, ExternalUrl

only return internal addresses and not external

InternalUrl : https://server/ews/exchange.asmx
ExternalUrl :
InternalUrl : https://server/oab
ExternalUrl :

Does this look correct?

The old expired certificate is still in my personal store, but not imported in exchange.


Accepted Solution

Simon Butler (Sembee) earned 2000 total points
ID: 39614789
As this is SBS, you need to get things corrected so that you can use the wizards properly.
I would start with running the Fix My Network wizard, see what that flags up.
If you run the Connect to the Internet wizard, does that complete?

SBS makes a lot of changes under the hood, more than you can do manually, so you need to configure it with the wizards.


Author Comment

ID: 39615203
Got that, but there's no way I can change the subnet range on this site! No, the connect to the internet wizard will not complete. It refuses to put the IP range in.

The fix my network wizard is a good starting point. I had forgotten about that. I will run it later and see what it flags up!

Author Comment

ID: 39616536
I ran through the fix my network wizard last night and let it run a couple of fixes.

On the SBS Console 'Activity' tab I could still see the expired UCC cert. I managed to delete the cert and allow SBS to generate new certs  (it created 2).

I cannot run many options on the connectivity tab as they all hinge on the "connect to the internet" function.

get-exchangecertificate command now gives the output in the attached jpg file.

Disallowing internal domains on UCC certificates has complicated this somewhat. I need to work out how I now service my clients using 2 certificates.

What is my strategy for running on 2 certs??
What services should I see against the get-exchangecertificate output.

Current state of play:
OWA (internal) is happy - https://sites/owa
Outlook client (internal) works - with a certificate error ('sites' certificate)
INCOMING SMTP IS BROKEN! I am POP3ing emails in! SMTP connects with 421 4.3.2 Service not available, closing transmission channel.

What next?

Expert Comment

by:Simon Butler (Sembee)
ID: 39617072
Sounds like the server is very broken.
When you try and run the Connect to the Internet wizard, what happens?

You cannot run two certificates - it is perfectly possible to run a single certificate. Outlook wouldn't normally use the Sites certificate, so there is something wrong there, probably again due to the wizards not being run (sorry to be boring and go on about the wizards).

Service not available usually means lack of disk space, or there is a problem with the Receive Connector configuration. Again using the wizards will resolve that in most cases.


Author Comment

ID: 39620969

I set up a router on a private IP, changed the server IP and allowed SBS to run it's wizards.

I have taken a snapshot of the certs / services as they are (the services are all over the place, and using 'enable-exchangecertificate -thumbprint xxx -services "None"' doesn't seem to work).

I'm currently letting SBS create (CSR) its own certificate using the remote.domain.com address and trying to keep everything as 'out of the box' as possible. See if it comes back up.

Expert Comment

by:Simon Butler (Sembee)
ID: 39621133
You cannot disable SSL certificates in that way. All you can do is enable other certificates for the services.
Running the wizards will generate the certificate that is required for internal use. If you have a trusted certificate on the server for remote.example.com then you can use the wizard to enable it. If it is for another name then you have two options.

1. Use the wizards to change to the name on the SSL certificate (you have to choose the Advanced option).
2. See if the SSL provider will allow you to rekey the certificate with the preferred remote.example.com host name.


Author Comment

ID: 39621723
Hi Simon.

Since temporarily changing subnet range, I have been able to run through the wizards, it was just the initial check on the "connect to the internet" wizard that blocked me!

HOWEVER, running through the "connect to internet" wizard on the wrong ip range broke some even more fundamental areas of the system, such as moving the DNS entries for the DC to the temporary subnet range!!!

My network really did not like this. Also, this caused the RODC on our remote network to lose its link back to the PDC and fail!!

After a day of tweaking, and running the fix my network wizard over and over I am 90% back up and running.

Seems you were right to keep going on about the wizards!! My network is now only slightly broken!

Now I have one fundamental issue.

My UCC certificate used to service multiple domains. (i.e., mail.domain.com, remote.domain.com, DC.domaininternal.local etc).


Now I cannot have my internal DC as an alt name on my UCC certificate, all of my internal Outlook clients are complaining of certificate errors!!! - As you have stated above, we can run with one certificate, and this is the wrong one for internal Outlook.

I have tried routing 'mail.domain.com' direct to our DC through our internal DNS, however, when I create an exchange account in outlook it just resolves it straight to our SBS box (and ignored the dns entry which would serve the correct certificate)!

Is it possible to get everything happy? How do I set up my certificates to handle internal and external requests properly?

For info, OWA is happily using the remote.domain.com certificate and getting serviced properly!.

Nearly there. The vultures are off my back!

Author Comment

ID: 39621741
Oh, and for info, when I tried to move the exchange services between the certificates, the SMTP service 'stuck'. I ended up with SMTP on 4 certificates and no real way of working out the precedence.

Clearing out the dead wood from the exchange certificates simplified the job somewhat.

Author Comment

ID: 39621772
For info.....

Expert Comment

by:Simon Butler (Sembee)
ID: 39622271
On the certificates for SMTP only, that is really easy to deal with.
Delete them all using remove-exchangecertificate.
One of them it will throw an error about. For that one, leave it alone, as that is the one being used by the system. That should leave you with two certificates - a self signed one and the trusted one.

As long as you have gone through the wizards, Exchange should start using the external host name internally. It will create the DNS records.
Crucial point here - the server must be the ONLY DNS server going to the clients, and in the network configuration and it must also be the DHCP server - not your router or anything else.
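An added example, not from the thread, implementing the clean-up described in the reply above: remove every certificate whose only Exchange service is SMTP, keep the one Exchange refuses to remove because transport is using it, and show what is left. Certificates with IIS or any other service enabled are never candidates, so the trusted certificate serving OWA is safe. It runs in the Exchange Management Shell and assumes PowerShell 2.0 or later; the -WhatIf run is a dry run.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.

function Remove-SmtpOnlyCertificate {
    param([switch]$WhatIf)
    # Only certificates whose Services column reads exactly SMTP are candidates.
    $candidates = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -eq 'SMTP' }
    foreach ($cert in $candidates) {
        $status = 'removed'
        try {
            Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false -WhatIf:$WhatIf -ErrorAction Stop
            if ($WhatIf) { $status = 'would remove' }
        } catch {
            # Exchange throws here for the certificate transport currently uses: leave it alone.
            $status = "kept: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            SelfSigned = $cert.IsSelfSigned
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Status     = $status
        }
    }
}

# Dry run first, then the real thing.
Remove-SmtpOnlyCertificate -WhatIf | Format-Table Thumbprint, Subject, Expired, Status -AutoSize
Remove-SmtpOnlyCertificate        | Format-Table Thumbprint, Subject, Expired, Status -AutoSize

# Expected end state per the reply: one self-signed certificate and the trusted one.
Get-ExchangeCertificate | Format-Table Thumbprint, IsSelfSigned, Services, Subject -AutoSize
```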


Author Comment

ID: 39627179

I haven't deleted the remainder of the certificates yet, but EXCHANGE is being serviced by my external certificate.

This includes, mail.domain.com, remote.domain.com, autodiscover.domain.com etc.

DNS to remote.domain.com does resolve internally! I have DNS on my RODC replicating, so isn't causing an issue.

Ideally my outlook clients should look to remote.domain.com to resolve the correct certificate (or mail.domain.com if I wish).

Thanks for your help on this Simon!

If I delete the Outlook profile, and set a new profile / exchange account, manually point it to remote.domain.com it automatically resolves the dns and configures on server.domain.local and serves the signed cert.

Same goes if I let it configure itself. The only reference to

The problem to me is now on the client side. Not the end of the world, but all my users are asking what the cert error is all about!!!!

Expert Comment

by:Simon Butler (Sembee)
ID: 39629528
You shouldn't get an SSL error at all.
The first thing I would do is when you get the error, open the certificate message and see what URL it is referring to.
Then do an Autodiscover test http://semb.ee/adt and see whether one of the URLs is wrong.
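An added example, not from the thread, that does the "see whether one of the URLs is wrong" step from the server side. Outlook gets its URLs from Autodiscover: the SCP record on the Client Access server and the InternalUrl/ExternalUrl values of the virtual directories (plus the Outlook Anywhere host name). Any host name in those URLs that is not on the certificate bound to IIS produces exactly the certificate warning the users are seeing. The audit runs in the Exchange Management Shell on the Exchange 2007 server and assumes PowerShell 2.0 or later. The thread's advice is to let the SBS wizards set these values; the second function shows the Exchange-side settings involved for when you need to check or correct them by hand, and $PublicName (remote.domain.com, the name OWA is using in the thread) is an assumption.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.

function Get-ExchangeUrlAudit {
    $server  = $env:COMPUTERNAME
    $iisCert = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
    $certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    $entries = @()
    $cas = Get-ClientAccessServer -Identity $server
    $entries += New-Object PSObject -Property @{ Source = 'AutoDiscoverServiceInternalUri'; Url = $cas.AutoDiscoverServiceInternalUri }

    $vdirs = @(Get-OwaVirtualDirectory -Server $server) +
             @(Get-WebServicesVirtualDirectory -Server $server) +
             @(Get-OabVirtualDirectory -Server $server) +
             @(Get-ActiveSyncVirtualDirectory -Server $server)
    foreach ($vd in $vdirs) {
        $entries += New-Object PSObject -Property @{ Source = "$($vd.Identity) InternalUrl"; Url = $vd.InternalUrl }
        $entries += New-Object PSObject -Property @{ Source = "$($vd.Identity) ExternalUrl"; Url = $vd.ExternalUrl }
    }
    $oa = Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue
    if ($oa) { $entries += New-Object PSObject -Property @{ Source = 'OutlookAnywhere ExternalHostname'; Url = "https://$($oa.ExternalHostname)/rpc" } }

    foreach ($e in $entries) {
        $hostName = if ($e.Url) { ([System.Uri]"$($e.Url)").Host.ToLower() } else { '' }
        # exact name, or a wildcard entry such as *.domain.com
        $onCert = @($certNames | Where-Object { $_ -eq $hostName -or ($_.StartsWith('*.') -and $hostName -like $_) }).Count -gt 0
        New-Object PSObject -Property @{
            Source        = $e.Source
            Url           = $e.Url
            OnCertificate = $(if ($hostName) { $onCert } else { 'not set' })
        }
    }
}

# Exchange-side settings that carry the public name. Hypothetical helper: the thread's
# advice is to let the SBS wizards do this; use it only to check or correct by hand.
function Set-ExchangeUrlsToPublicName {
    param([string]$PublicName)
    $server = $env:COMPUTERNAME
    Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$PublicName/Autodiscover/Autodiscover.xml"
    Get-WebServicesVirtualDirectory -Server $server |
        Set-WebServicesVirtualDirectory -InternalUrl "https://$PublicName/EWS/Exchange.asmx" -ExternalUrl "https://$PublicName/EWS/Exchange.asmx"
    Get-OabVirtualDirectory -Server $server |
        Set-OabVirtualDirectory -InternalUrl "https://$PublicName/OAB" -ExternalUrl "https://$PublicName/OAB"
    Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" -InternalUrl "https://$PublicName/owa" -ExternalUrl "https://$PublicName/owa"
}

Get-ExchangeUrlAudit | Format-Table Source, Url, OnCertificate -AutoSize
# Set-ExchangeUrlsToPublicName -PublicName 'remote.domain.com'   # assumed name; then re-run the audit
```

Every row must read True for Outlook to stay quiet. For that to work internally, the public name must also resolve to the Exchange server on the internal DNS that clients use (the point made above about the server being the only DNS server), and Outlook picks up new URLs only after a restart.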

