Certificate in Exchange 2010 on SBS2011


I started getting the error below a few days ago. I'm not shy, but I'm guessing something in a patch.

12014 MSEXCHANGE transport

Microsoft Exchange could not find a certificate that contains the domain name antispamsrv.widgets.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector default smtp with a FQDN parameter of antispamsrv.widgets.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Our layout is that we have an antispam server in front of the SBS server and Exchange.

Currently the MX record points to that; I'm calling it antispamsrv.widgets.com. So there is in fact no cert with that name on it.

Can I do a self-signed cert or do I need to get a commercial one? Do I just get one with the antispamsrv.widgets.com name in it?


You create a self-signed cert and run the Enable-ExchangeCertificate -Services SMTP for that cert.
Here are the steps for creating the new self-signed cert:

# Creates a self-signed certificate (with -GenerateRequest the cmdlet outputs a certificate request instead)
New-ExchangeCertificate -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName woodgrovebank.com, example.com -PrivateKeyExportable $true

Change the values to suit your scenario

Simon Butler (Sembee), Consultant, commented:
Have you set the FQDN in Exchange anywhere to match that host name? The fact that you have a filtering appliance in front shouldn't affect SBS in any way.

What that would mean is there would be three host names involved:


As for certificate choice - ideally you should have a trusted certificate in place for the web services on Exchange and SBS.


I would suggest verifying the values before making any changes.

Get-ExchangeCertificate | FL *

Get-ReceiveConnector | FL name, fqdn, objectClass

Get-SendConnector | FL name, fqdn, objectClass
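
The check behind the three commands above, written out as an added example (not code from this thread or from Microsoft): for each connector it resolves the FQDN that STARTTLS will use and looks for a certificate that contains that name, is enabled for SMTP and has not expired. The function name, the sample objects and every host name other than antispamsrv.widgets.com are constructed for illustration; the syntax is kept PowerShell 2.0 compatible.

```powershell
# Added example: sample objects are constructed. Property names mirror the
# output of Get-ReceiveConnector / Get-SendConnector / Get-ExchangeCertificate.
function Test-ConnectorCertificate {
    param($Connectors, $Certificates, [string]$ComputerFqdn, [datetime]$Now = (Get-Date))
    foreach ($c in $Connectors) {
        # Per event 12014, an empty connector FQDN falls back to the computer's FQDN
        $fqdn = if ($c.Fqdn) { "$($c.Fqdn)" } else { $ComputerFqdn }
        # Exact, case-insensitive name match; wildcard entries are not evaluated here
        $named = @($Certificates | Where-Object {
            @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn })
        # A usable certificate must also be enabled for SMTP and not expired
        $usable = @($named | Where-Object {
            "$($_.Services)" -match 'SMTP' -and $_.NotAfter -gt $Now })
        if ($usable.Count) {
            $status = 'OK'
        } elseif ($named.Count) {
            $status = 'Name present, but cert is expired or not enabled for SMTP'
        } else {
            $status = 'No certificate contains this name (event 12014)'
        }
        New-Object PSObject -Property @{
            Connector = $c.Name; Fqdn = $fqdn; Status = $status
            Thumbprint = ($usable | Select-Object -First 1).Thumbprint }
    }
}

# Constructed sample data: one certificate, two connectors
$certs = @(
    (New-Object PSObject -Property @{
        Thumbprint = 'CONSTRUCTED-THUMBPRINT-1'
        CertificateDomains = @('remote.widgets.com', 'sbs.widgets.local')
        Services = 'IMAP, POP, IIS, SMTP'
        NotAfter = (Get-Date).AddYears(1) })
)
$conns = @(
    (New-Object PSObject -Property @{ Name = 'default smtp'; Fqdn = 'antispamsrv.widgets.com' }),
    (New-Object PSObject -Property @{ Name = 'internal relay (constructed)'; Fqdn = $null })
)
Test-ConnectorCertificate -Connectors $conns -Certificates $certs -ComputerFqdn 'sbs.widgets.local' |
    Format-Table Connector, Fqdn, Status -AutoSize

# On the server, in the Exchange Management Shell, feed it the real objects:
# Test-ConnectorCertificate -Connectors (@(Get-ReceiveConnector) + @(Get-SendConnector)) `
#     -Certificates (Get-ExchangeCertificate) `
#     -ComputerFqdn ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
```

A connector reported with the event 12014 status can be resolved either by changing its FQDN to a name an SMTP-enabled certificate already contains or by enabling a certificate that contains that name.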
mcioffi209 (Author) commented:
Thanks for the suggestions. I will look at this more tonight and get back to this.
mcioffi209 (Author) commented:
Thanks, this helped a lot.

Question has a verified solution.
