

Exchange 2007 SSL certificate problem

Posted on 2013-10-31
Medium Priority
Last Modified: 2014-03-06

I am having an issue with my SSL config following renewal of my SSL certificate.

I followed the method detailed here: http://support.godaddy.com/help/article/4877/installing-an-ssl-certificate-in-microsoft-exchange-server-2007

This is the same method I followed 3 years ago when I originally imported the signed cert. The only difference being I had to drop my internal URIs (e.g. domaincontroller.attwaters.local).

Imported through Exch Management Console and enabled for IIS, IMAP and SMTP.

get-exchangecertificate shows.....

Thumbprint                                      Services   Subject
7E182A1AFB72AF7D43105C957E8CE1  IP.WS      CN=mail.domain.com, O...
C0F43600D7E7B56B511647436E3B10    .....         CN=domains-DCSERVER-CA
599AEFEBF09B3821E94A6A592A8AF1    .....         CN=DCSERVER.domain.local
A718B39B69B7AD03D2B5E00FAEF51A  .....         CN=domains-DCSERVER-CA
71396D438AB2719652253C8E4E18C1   .....         CN=WMSvc-WIN-DD4E4LZ288I

My godaddy certificate
CN = mail.domain.com
OU = Domain Control Validated
DNS Name=mail.domain.com
DNS Name=www.mail.domain.com
DNS Name=autodiscover.domain.com
DNS Name=remote.domain.com

Since updating the cert, OWA, OAB, web services and RPC over HTTP FAIL.

OWA (internal) gives a generic "Internet connectivity has been lost." message.

Using MS Remote Connectivity Analyser, I get.....
Wasn't able to obtain the remote SSL certificate.
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

Other tools suggest that no certificate is offered on 443.

I have revoked, generated new CSRs and repeated multiple times. iisresets, reboots etc. and no joy.

Has anyone got any ideas where I need to look next?

Oh, for info, SBS 2008!

Many thanks.
Question by:noooodlez

Author Comment

ID: 39613724
Also, this is logged on our Exchange box.

Event Type:    Error
Event Source: MSExchangeTransport
Event Category:          TransportService
Event ID:         12014
Date:               31/10/2013
Time:               07:49:38
User:               N/A
Computer:       DC.DOMAINs.local
Microsoft Exchange could not find a certificate that contains the domain name DC.DOMAINs.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default DC with a FQDN parameter of DC.DOMAINs.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Seems to be suggesting that I need to use the smtp service on a certificate created by our internal CA!?

Expert Comment

by:Simon Butler (Sembee)
ID: 39614260
They are two unrelated problems.
The second issue you have posted is easy to resolve. Just go in to EMS and run

New-ExchangeCertificate

No switches or other options. An internal self signed certificate will be created that will stop the SMTP error message.

As for the first one - have you removed the old certificate?
If you run get-exchangecertificate do you see the new certificate and it is bound to the IIS service? (W).

Did you enable the certificate using the SBS wizard, or through Exchange?


Author Comment

ID: 39614628

I enabled the certificate through Exchange. The SBS wizard is broken (I inherited the network with a 192.0.0.x subnet, which is technically a public subnet); the SBS wizard will not let me go beyond "connect to internet".

I ran the new-exchangecertificate command which worked with this message.

WARNING: This certificate will not be used for external TLS connections with an FQDN of 'DC.domain.local' because the CA-signed certificate with thumbprint '7BD905068E999AEFEBF09B9821E94A6A592A8AF0' takes precedence. The following connectors match that FQDN: Default Connector.

The 7bd9..... certificate is one that I was messing with, enabling services, and now cannot disable the SMTP service on it.

Do I need to do something with the connector to tell it to use the new certificate? I cannot see any options here, other than to use TLS.

Port redirection (443) on my router is unchanged. The request must get to my exchange box via the connector, so why is no certificate being offered?

I have also noticed that  
Get-OABVirtualDirectory | fl InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory | fl InternalUrl, ExternalUrl

only return internal addresses and not external

InternalUrl : https://server/ews/exchange.asmx
ExternalUrl :
InternalUrl : https://server/oab
ExternalUrl :

Does this look correct?

The old expired certificate is still in my personal store, but not imported in exchange.


Accepted Solution

Simon Butler (Sembee) earned 2000 total points
ID: 39614789
As this is SBS, you need to get things corrected so that you can use the wizards properly.
I would start with running the Fix My Network wizard, see what that flags up.
If you run the Connect to the Internet wizard, does that complete?

SBS makes a lot of changes under the hood, more than you can do manually, so you need to configure it with the wizards.


Author Comment

ID: 39615203
Got that, but there's no way I can change the subnet range on this site! No, the connect to the internet wizard will not complete. It refuses to put the IP range in.

The fix my network wizard is a good starting point. I had forgotten about that. I will run it later and see what it flags up!

Author Comment

ID: 39616536
I ran through the fix my network wizard last night and let it run a couple of fixes.

On the SBS Console 'Activity' tab I could still see the expired UCC cert. I managed to delete the cert and allow SBS to generate new certs (it created 2).

I cannot run many options on the connectivity tab as they all hinge on the "connect to the internet" function.

get-exchangecertificate command now gives the output in the attached jpg file.

Disallowing internal domains on UCC certificates has complicated this somewhat. I need to work out how I now service my clients using 2 certificates.

What is my strategy for running on 2 certs??
What services should I see against the get-exchangecertificate output.

Current state of play:
OWA (internal) is happy - https://sites/owa
Outlook client (internal) works - with a certificate error ('sites' certificate)
INCOMING SMTP IS BROKEN! I am POP3ing emails in! SMTP connects with 421 4.3.2 Service not available, closing transmission channel.

What next?

Expert Comment

by:Simon Butler (Sembee)
ID: 39617072
Sounds like the server is very broken.
When you try and run the Connect to the Internet wizard, what happens?

You cannot run two certificates - it is perfectly possible to run a single certificate. Outlook wouldn't normally use the Sites certificate, so there is something wrong there, probably again due to the wizards not being run (sorry to be boring and go on about the wizards).

Service not available usually means lack of disk space, or there is a problem with the Receive Connector configuration. Again using the wizards will resolve that in most cases.


Author Comment

ID: 39620969

I set up a router on a private IP, changed the server IP and allowed SBS to run its wizards.

I have taken a snapshot of the certs / services as they are (the services are all over the place, and using 'enable-exchangecertificate -thumbprint xxx -services "None"' doesn't seem to work).

I'm currently letting SBS create (CSR) its own certificate using the remote.domain.com address and trying to keep everything as 'out of the box' as possible. See if it comes back up.

Expert Comment

by:Simon Butler (Sembee)
ID: 39621133
You cannot disable SSL certificates in that way. All you can do is enable other certificates for the services.
Running the wizards will generate the certificate that is required for internal use. If you have a trusted certificate on the server for remote.example.com then you can use the wizard to enable it. If it is for another name then you have two options.

1. Use the wizards to change to the name on the SSL certificate (you have to choose the Advanced option).
2. See if the SSL provider will allow you to rekey the certificate with the preferred remote.example.com host name.


Author Comment

ID: 39621723
Hi Simon.

Since temporarily changing subnet range, I have been able to run through the wizards, it was just the initial check on the "connect to the internet" wizard that blocked me!

HOWEVER, running through the "connect to internet" wizard on the wrong ip range broke some even more fundamental areas of the system, such as moving the DNS entries for the DC to the temporary subnet range!!!

My network really did not like this. Also, this caused the RODC on our remote network to lose its link back to the PDC and fail!!

After a day of tweaking, and running the fix my network wizard over and over I am 90% back up and running.

Seems you were right to keep going on about the wizards!! My network is now only slightly broken!

Now I have one fundamental issue.

My UCC certificate used to service multiple domains. (i.e., mail.domain.com, remote.domain.com, DC.domaininternal.local etc).
Now I cannot have my internal DC as an alt name on my UCC certificate, all of my internal Outlook clients are complaining of certificate errors!!! As you have stated above, we can run with one certificate, and this is the wrong one for internal Outlook.

I have tried routing 'mail.domain.com' direct to our DC through our internal DNS; however, when I create an Exchange account in Outlook it just resolves it straight to our SBS box (and ignores the DNS entry which would serve the correct certificate)!

Is it possible to get everything happy? How do I set up my certificates to handle internal and external requests properly?

For info, OWA is happily using the remote.domain.com certificate and getting serviced properly!

Nearly there. The vultures are off my back!

Author Comment

ID: 39621741
Oh, and for info, when I tried to move the exchange services between the certificates, the SMTP service 'stuck'. I ended up with SMTP on 4 certificates and no real way of working out the precedence.

Clearing out the dead wood from the exchange certificates simplified the job somewhat.

Author Comment

ID: 39621772
For info.....

Expert Comment

by:Simon Butler (Sembee)
ID: 39622271
On the certificates for SMTP only, that is really easy to deal with.
Delete them all using remove-exchangecertificate.
One of them it will throw an error about. For that one, leave it alone, as that is the one being used by the system. That should leave you with two certificates - a self signed one and the trusted one.

As long as you have gone through the wizards, Exchange should start using the external host name internally. It will create the DNS records.
Crucial point here - the server must be the ONLY DNS server going to the clients, and in the network configuration and it must also be the DHCP server - not your router or anything else.


Author Comment

ID: 39627179

I haven't deleted the remainder of the certificates yet, but EXCHANGE is being serviced by my external certificate.

This includes, mail.domain.com, remote.domain.com, autodiscover.domain.com etc.

DNS to remote.domain.com does resolve internally! I have DNS on my RODC replicating, so that isn't causing an issue.

Ideally my outlook clients should look to remote.domain.com to resolve the correct certificate (or mail.domain.com if I wish).

Thanks for your help on this Simon!

If I delete the Outlook profile, and set a new profile / exchange account, manually point it to remote.domain.com it automatically resolves the dns and configures on server.domain.local and serves the signed cert.

Same goes if I let it configure itself. The only reference to

The problem to me is now on the client side. Not the end of the world, but all my users are asking what the cert error is all about!!!!

Expert Comment

by:Simon Butler (Sembee)
ID: 39629528
You shouldn't get an SSL error at all.
The first thing I would do is when you get the error, open the certificate message and see what URL it is referring to.
Then do an Autodiscover test http://semb.ee/adt and see whether one of the URLs is wrong.
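The two recurring problems in this thread, event 12014 (no SMTP-enabled certificate matching the connector FQDN) and Outlook certificate warnings (a virtual directory or Autodiscover URL pointing at a host name that is not on the trusted certificate), can both be checked from one script. The following is an added example, not code from the thread or from Microsoft: it assumes it is run in the Exchange Management Shell on the SBS 2008 / Exchange 2007 server, and the output layout is my own.

```powershell
# Added check, not code from the thread: run in the Exchange Management Shell on the Exchange 2007 /
# SBS 2008 server. Gathers every host name shown to clients (virtual directory URLs, Autodiscover SCP)
# and to SMTP peers (connector FQDN) and reports names that no IIS- or SMTP-enabled certificate covers.
function Test-NameOnCert {
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -ieq $Name) { return $true }
        # a *.example.com entry covers exactly one extra label
        if ($d.StartsWith('*.') -and $Name -imatch ('^[^.]+\.' + [regex]::Escape($d.Substring(2)) + '$')) { return $true }
    }
    return $false
}
$global:checks = @()   # entries of (service, source, host name)
function Add-Check([string]$Service, [string]$Source, [string]$Value) {
    if ([string]::IsNullOrEmpty($Value)) { return }                                # unset URL or FQDN
    if ($Value.Contains('://')) { $Value = (New-Object System.Uri $Value).Host }   # URL -> host name
    $global:checks += ,@($Service, $Source, $Value)
}
function Add-VDir([string]$Source, $VDir) {
    Add-Check 'IIS' $Source $VDir.InternalUrl
    Add-Check 'IIS' $Source $VDir.ExternalUrl
}

# Client-facing names: Outlook, OWA and ActiveSync validate the certificate against these
foreach ($v in Get-OwaVirtualDirectory)         { Add-VDir ('OWA ' + $v.Name) $v }
foreach ($v in Get-WebServicesVirtualDirectory) { Add-VDir 'EWS' $v }
foreach ($v in Get-OABVirtualDirectory)         { Add-VDir 'OAB' $v }
foreach ($v in Get-ActiveSyncVirtualDirectory)  { Add-VDir 'ActiveSync' $v }
foreach ($c in Get-ClientAccessServer)          { Add-Check 'IIS' 'Autodiscover SCP' $c.AutoDiscoverServiceInternalUri }

# STARTTLS: Transport wants a certificate whose domains include the connector FQDN, or the machine
# FQDN when the connector leaves it blank; that lookup failing is what event 12014 reports
$machineFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($c in (@(Get-ReceiveConnector) + @(Get-SendConnector))) {
    $f = [string]$c.Fqdn
    if ([string]::IsNullOrEmpty($f)) { $f = $machineFqdn }
    Add-Check 'SMTP' ('Connector ' + $c.Name) $f
}

# Report: a name is covered only by a certificate that both lists it and has that service enabled
$certs = @(Get-ExchangeCertificate)
foreach ($chk in $global:checks) {
    $service = $chk[0]; $source = $chk[1]; $name = $chk[2]; $covered = $false
    foreach ($cert in $certs) {
        if ($cert.Services.ToString() -imatch $service -and (Test-NameOnCert $name $cert.CertificateDomains)) { $covered = $true }
    }
    if ($covered) { '{0,-5} OK       {1,-28} {2}' -f $service, $source, $name }
    else          { '{0,-5} MISSING  {1,-28} {2}  (no {0}-enabled certificate lists this name)' -f $service, $source, $name }
}
```

On the configuration described in the thread, an OWA InternalUrl of https://sites/owa would show as MISSING against the remote.domain.com certificate, which is exactly the name Outlook then complains about; the SMTP lines show which connector FQDN event 12014 is failing to match.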



Question has a verified solution.
