Exchange 2007 SSL certificate problem


I am having an issue with my SSL config following renewal of my SSL certificate.

I followed the method detailed here .....

This is the same method I followed 3 years ago when I originally imported the signed cert. The only difference being I had to drop my internal URIs (e.g. domaincontroller.attwaters.local).

Imported through Exch Management Console and enabled for IIS, IMAP and SMTP.

get-exchangecertificate shows:

Thumbprint                                      Services   Subject
7E182A1AFB72AF7D43105C957E8CE1  IP.WS, O...
C0F43600D7E7B56B511647436E3B10    .....         CN=domains-DCSERVER-CA
599AEFEBF09B3821E94A6A592A8AF1    .....         CN=DCSERVER.domain.local
A718B39B69B7AD03D2B5E00FAEF51A  .....         CN=domains-DCSERVER-CA
71396D438AB2719652253C8E4E18C1   .....         CN=WMSvc-WIN-DD4E4LZ288I

My GoDaddy certificate:
CN =
OU = Domain Control Validated

Since updating the cert, OWA, OAB, web services and RPC over HTTP FAIL.

OWA (Internal) gives a generic "Internet connectivity has been lost." message.

Using MS Remote Connectivity Analyser, I get:
Wasn't able to obtain the remote SSL certificate.
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

Other tools suggest that no certificate is offered on 443.

I have revoked, generated new CSRs and repeated multiple times. iisresets, reboot etc. and no joy.

Has anyone got any ideas where I need to look next?

Oh, for info, SBS2008!

Many thanks.
Simon Butler (Sembee), Consultant, commented:
As this is SBS, you need to get things corrected so that you can use the wizards properly.
I would start with running the Fix My Network wizard, see what that flags up.
If you run the Connect to the Internet wizard, does that complete?

SBS makes a lot of changes under the hood, more than you can do manually, so you need to configure it with the wizards.

noooodlez (Author) commented:
Also, this is logged on our Exchange box.

Event Type:    Error
Event Source: MSExchangeTransport
Event Category:          TransportService
Event ID:         12014
Date:               31/10/2013
Time:               07:49:38
User:               N/A
Computer:       DC.DOMAINs.local
Microsoft Exchange could not find a certificate that contains the domain name DC.DOMAINs.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default DC with a FQDN parameter of DC.DOMAINs.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Seems to be suggesting that I need to use the smtp service on a certificate created by our internal CA!?
Simon Butler (Sembee), Consultant, commented:
They are two unrelated problems.
The second issue you have posted is easy to resolve. Just go into EMS and run


No switches or other options. An internal self-signed certificate will be created that will stop the SMTP error message.

As for the first one - have you removed the old certificate?
If you run get-exchangecertificate do you see the new certificate and it is bound to the IIS service? (W).

Did you enable the certificate using the SBS wizard, or through Exchange?


noooodlez (Author) commented:

I enabled the certificate through Exchange. The SBS wizard is broken (I inherited the network with a 192.0.0.x subnet, which is technically a public subnet). The SBS wizard will not let me go beyond "connect to internet".

I ran the new-exchangecertificate command which worked with this message.

WARNING: This certificate will not be used for external TLS connections with an FQDN of 'DC.domain.local' because the CA-signed certificate with thumbprint '7BD905068E999AEFEBF09B9821E94A6A592A8AF0' takes precedence. The following connectors match that FQDN: Default Connector.

The 7bd9..... certificate is one that I was messing with, enabling services, and now I cannot disable the SMTP service on it.

Do I need to do something with the connector to tell it to use the new certificate? I cannot see any options here, other than to use TLS.

Port redirection (443) on my router is unchanged. The request must get to my exchange box via the connector, so why is no certificate being offered?

I have also noticed that

Get-OABVirtualDirectory | fl InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory | fl InternalUrl, ExternalUrl

only return internal addresses and not external:

InternalUrl : https://server/ews/exchange.asmx
ExternalUrl :
InternalUrl : https://server/oab
ExternalUrl :

Does this look correct?

The old expired certificate is still in my personal store, but not imported in exchange.
noooodlez (Author) commented:
Got that, but there's no way I can change the subnet range on this site! No, the connect to the internet wizard will not complete. It refuses to put the IP range in.

The fix my network wizard is a good starting point. I had forgotten about that. I will run it later and see what it flags up!
noooodlez (Author) commented:
I ran through the fix my network wizard last night and let it run a couple of fixes.

On the SBS Console 'Activity' tab I could still see the expired UCC cert. I managed to delete the cert and allow SBS to generate new certs (it created 2).

I cannot run many options on the connectivity tab as they all hinge on the "connect to the internet" function.

get-exchangecertificate command now gives the output in the attached jpg file.

Disallowing internal domains on UCC certificates has complicated this somewhat. I need to work out how I now service my clients using 2 certificates.

What is my strategy for running on 2 certs?
What services should I see against the get-exchangecertificate output?

Current state of play:
OWA (internal) is happy - https://sites/owa
Outlook client (internal) works - with a certificate error ('sites' certificate)
INCOMING SMTP IS BROKEN! I am POP3ing emails in! SMTP connects with 421 4.3.2 Service not available, closing transmission channel.

What next?
Simon Butler (Sembee), Consultant, commented:
Sounds like the server is very broken.
When you try and run the Connect to the Internet wizard, what happens?

You cannot run two certificates - it is perfectly possible to run a single certificate. Outlook wouldn't normally use the Sites certificate, so there is something wrong there, probably again due to the wizards not being run (sorry to be boring and go on about the wizards).

Service not available usually means lack of disk space, or there is a problem with the Receive Connector configuration. Again using the wizards will resolve that in most cases.

noooodlez (Author) commented:

I set up a router on a private IP, changed the server IP and allowed SBS to run its wizards.

I have taken a snapshot of the certs / services as they are (the services are all over the place, and using 'enable-exchangecertificate -thumbprint xxx -services "None"' doesn't seem to work).

I'm currently letting SBS create (CSR) its own certificate using the address and trying to keep everything as 'out of the box' as possible. See if it comes back up.
Simon Butler (Sembee), Consultant, commented:
You cannot disable SSL certificates in that way. All you can do is enable other certificates for the services.
Running the wizards will generate the certificate that is required for internal use. If you have a trusted certificate on the server for then you can use the wizard to enable it. If it is for another name then you have two options.

1. Use the wizards to change to the name on the SSL certificate (you have to choose the Advanced option).
2. See if the SSL provider will allow you to rekey the certificate with the preferred host name.

noooodlez (Author) commented:
Hi Simon.

Since temporarily changing the subnet range, I have been able to run through the wizards; it was just the initial check on the "connect to the internet" wizard that blocked me!

HOWEVER, running through the "connect to internet" wizard on the wrong ip range broke some even more fundamental areas of the system, such as moving the DNS entries for the DC to the temporary subnet range!!!

My network really did not like this. Also, this caused the RODC on our remote network to lose its link back to the PDC and fail!!

After a day of tweaking, and running the fix my network wizard over and over I am 90% back up and running.

Seems you were right to keep going on about the wizards!! My network is now only slightly broken!

Now I have one fundamental issue.

My UCC certificate used to service multiple domains. (i.e.,,, DC.domaininternal.local etc).

Now I cannot have my internal DC as an alt name on my UCC certificate, and all of my internal Outlook clients are complaining of certificate errors!!! As you have stated above, we can run with one certificate, and this is the wrong one for internal Outlook.

I have tried routing '' direct to our DC through our internal DNS; however, when I create an Exchange account in Outlook it just resolves it straight to our SBS box (and ignores the DNS entry which would serve the correct certificate)!

Is it possible to get everything happy? How do I set up my certificates to handle internal and external requests properly?

For info, OWA is happily using the certificate and getting serviced properly!

Nearly there. The vultures are off my back!
noooodlez (Author) commented:
Oh, and for info, when I tried to move the exchange services between the certificates, the SMTP service 'stuck'. I ended up with SMTP on 4 certificates and no real way of working out the precedence.

Clearing out the dead wood from the exchange certificates simplified the job somewhat.
noooodlez (Author) commented:
For info.....
Simon Butler (Sembee), Consultant, commented:
On the certificates for SMTP only, that is really easy to deal with.
Delete them all using remove-exchangecertificate.
One of them it will throw an error about. For that one, leave it alone, as that is the one being used by the system. That should leave you with two certificates: a self-signed one and the trusted one.

As long as you have gone through the wizards, Exchange should start using the external host name internally. It will create the DNS records.
Crucial point here: the server must be the ONLY DNS server going to the clients, and in the network configuration it must also be the DHCP server, not your router or anything else.

noooodlez (Author) commented:

I haven't deleted the remainder of the certificates yet, but EXCHANGE is being serviced by my external certificate.

This includes,,, etc.

DNS to does resolve internally! I have DNS on my RODC replicating, so isn't causing an issue.

Ideally my outlook clients should look to to resolve the correct certificate (or if I wish).

Thanks for your help on this Simon!

If I delete the Outlook profile, and set up a new profile / Exchange account, manually pointing it to, it automatically resolves the DNS and configures on server.domain.local and serves the signed cert.

Same goes if I let it configure itself. The only reference to

The problem to me is now on the client side. Not the end of the world, but all my users are asking what the cert error is all about!!!!
Simon Butler (Sembee), Consultant, commented:
You shouldn't get an SSL error at all.
The first thing I would do is when you get the error, open the certificate message and see what URL it is referring to.
Then do an Autodiscover test and see whether one of the URLs is wrong.
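An added example, not code from the thread or from Sembee: a read-only Exchange Management Shell script that checks the two things this thread kept tripping over, connector FQDNs with no SMTP-enabled certificate (the Event 12014 case) and Autodiscover URLs whose host name is not on the IIS-enabled certificate (the Outlook certificate-error case). It assumes Exchange 2007 on SBS 2008 and uses the cmdlets already named in the thread plus Get-ReceiveConnector, Get-SendConnector, Get-ClientAccessServer and Get-OwaVirtualDirectory; it changes nothing.

```powershell
# Added example, not from the thread: audit Exchange 2007 certificate bindings.
# Assumes the Exchange Management Shell on the SBS 2008 box; read-only.

$certs = Get-ExchangeCertificate | Where-Object { $_.Services -ne 'None' }

# 1. Overview: every certificate carrying a service binding, earliest expiry first
$certs | Sort-Object NotAfter | Format-Table -AutoSize Thumbprint, Services, NotAfter, IsSelfSigned,
    @{n='Domains'; e={ [string]::Join(',', [string[]]@($_.CertificateDomains | ForEach-Object { $_.ToString() })) }}

# Is $Name covered by an unexpired certificate enabled for $Service ('IIS' or 'SMTP')?
function Test-NameCovered([string]$Name, [string]$Service) {
    foreach ($c in $certs) {
        if ($c.NotAfter -lt (Get-Date)) { continue }
        if ($c.Services.ToString() -notmatch $Service) { continue }
        foreach ($d in $c.CertificateDomains) {
            $d = $d.ToString()
            if ($d -eq $Name) { return $true }
            # a wildcard SAN (*.example.com) covers exactly one extra label
            if ($d.StartsWith('*.') -and ($Name -like $d) -and
                ($Name.Split('.').Length -eq $d.Split('.').Length)) { return $true }
        }
    }
    return $false
}

# 2. Event 12014 check: each connector FQDN needs an SMTP-enabled certificate
$fqdns = @()
Get-ReceiveConnector | ForEach-Object { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }
Get-SendConnector    | ForEach-Object { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }
foreach ($f in ($fqdns | Sort-Object -Unique)) {
    if (-not (Test-NameCovered $f 'SMTP')) {
        Write-Warning "Connector FQDN $f has no valid SMTP-enabled certificate (expect Event 12014)"
    }
}

# 3. Outlook certificate-warning check: the host in every URL Autodiscover hands
#    out must appear on the IIS-enabled certificate
$urls = @()
Get-ClientAccessServer          | ForEach-Object { $urls += $_.AutoDiscoverServiceInternalUri }
Get-WebServicesVirtualDirectory | ForEach-Object { $urls += $_.InternalUrl, $_.ExternalUrl }
Get-OABVirtualDirectory         | ForEach-Object { $urls += $_.InternalUrl, $_.ExternalUrl }
Get-OwaVirtualDirectory         | ForEach-Object { $urls += $_.InternalUrl, $_.ExternalUrl }
foreach ($u in ($urls | Where-Object { $_ } | ForEach-Object { $_.ToString() } | Sort-Object -Unique)) {
    $h = ([Uri]$u).Host
    if (-not (Test-NameCovered $h 'IIS')) {
        Write-Warning "URL $u points at host $h, which is not on an IIS-enabled certificate"
    }
}
```

Any host name it warns about is either missing from the certificate's SAN list or set on a virtual directory that the wizards (or Set-WebServicesVirtualDirectory / Set-OABVirtualDirectory) still need to correct.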
