tcampbell_nc asked:

Exchange 2007 cert error 12014

I have a Windows 2008 server running Exchange 2007.  Recently, our GoDaddy SSL Cert (UCC) was due to expire.  I went through the process to reconfigure the Exchange server to use a FQDN instead of the intranet name so I could renew the SSL Cert.  I then renewed the cert, and all was well except for this MSExchangeTransport 12014 error in my event logs.  It states:

"Microsoft Exchange couldn't find a certificate that contains the domain name <servername>.<domain>.local in the personal store on the local computer.  Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default <servername> with a FQDN parameter of <servername>.<domain>.local."

This Exchange server has 4 Receive Connectors: the default, one for regular mail of authenticated users, and two more for specific internal IP Addresses that permit what is basically a mail relay.  All 4 connectors show the FQDN as <servername>.<domain>.local.

Since .local is soon to be unsupported in an SSL certificate, we no longer have the intranet name listed in our UCC cert.  Therefore, the error is correct.

I thought I could simply change the FQDN in my 4 receive connectors, but the Default connector will not permit it.  So I researched and found differing opinions on what, if anything, could be done.  Some folks say you CAN'T change the Default, where others say that disabling the Exchange Server Authentication on the Default will then let you change the FQDN.

Surely someone here has run into this and knows the correct course of action.  

Thanks in advance for the input.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
tcampbell_nc (ASKER):

If that is the case, why have a UCC Cert to begin with?  I am not sure about replacing our third party UCC Cert with a self signed certificate.
I am only advocating replacing the trusted certificate with a self signed certificate for the SMTP role. Nothing else. The UC certificate is used for web services, client access etc (basically where clients are connecting). You would use a UC so that you can have both mail.example.com and Autodiscover.example.com in the SSL certificate.

Simon.
OK, I ran the "new-exchangecertificate" command.  It generates a new cert, and asks if I want to "overwrite existing default SMTP certificate".  I don't think I want to overwrite the certificate, do I?  Or does this simply move the SMTP from the default to the new?
That is what you want to do. When you get that prompt say yes.
It only changes the SMTP certificate - your trusted certificate for web services is unaffected.

Simon.
Just for clarification, when I was prompted to overwrite the default SMTP Certificate, I said no.  I was going to then "enable-exchangecertificate" to turn on SMTP.  When I did a Get-exchangecertificate (no other switches), the short list came up and it showed the new certificate with the SMTP service, as well as the UCC with SMTP service.  I performed the get-exchangecertificate |FL, and the new certificate shows as valid, and it shows that SMTP is its only service.

I did not do the "Enable". I am monitoring the event logs and seeing no new Exchange Transport errors. I am thinking that by answering "No" to overwriting, that it created the new cert with SMTP without changing the UCC cert.  Is that a fair statement, and will this cause any problems?
Let me also say that I have tested mail flow in both directions and it seems to be working fine at this time.
All certificates get bound to the SMTP function by default.
You need to replace the default certificate.
Therefore I would remove the one that you have just created and run the command again, this time saying yes. Otherwise you will probably still get errors and warnings in the event logs.

Simon.
I still have SMTP on the UCC Cert and there have been no errors, so I leave it alone for now.  Thanks for the assist.
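The condition event 12014 reports is a Receive Connector FQDN that no SMTP-enabled certificate in the local store contains. The following Exchange Management Shell script is an added example (not from the thread or from Microsoft) that checks every Receive Connector against the SMTP-enabled certificates, so the mismatch can be confirmed before and after creating the self-signed SMTP certificate Simon describes. It assumes the standard Get-ReceiveConnector and Get-ExchangeCertificate cmdlets of Exchange 2007 and only reads configuration.

```powershell
# Added example: report which Receive Connector FQDNs are covered by a
# certificate enabled for the SMTP service (the check behind event 12014).
# Read-only; run in the Exchange Management Shell on the transport server.

# Only certificates bound to SMTP can satisfy STARTTLS on a connector.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' })

function Test-CertCoversName {
    param($Certificate, [string]$Name)
    foreach ($d in $Certificate.CertificateDomains) {
        $dom = $d.ToString()
        # Exact match, or a wildcard entry such as *.example.com
        if ($Name -ieq $dom) { return $true }
        if ($dom.StartsWith('*.') -and ($Name -ilike $dom)) { return $true }
    }
    return $false
}

foreach ($rc in Get-ReceiveConnector) {
    $fqdn = $rc.Fqdn.ToString()
    $covering = @($smtpCerts | Where-Object { Test-CertCoversName $_ $fqdn })

    if ($covering.Count -gt 0) {
        $c = $covering[0]
        "{0,-35} OK       {1} in cert {2} (self-signed: {3}, expires {4:d})" -f `
            $rc.Name, $fqdn, $c.Thumbprint, $c.IsSelfSigned, $c.NotAfter
    } else {
        # This is the situation that produces MSExchangeTransport 12014:
        # the connector advertises a name no SMTP certificate contains.
        "{0,-35} MISSING  no SMTP-enabled certificate contains {1}" -f $rc.Name, $fqdn
    }
}

# Remediation from the thread (run by hand, not part of the check):
# a self-signed certificate carrying the connector FQDN, bound to SMTP only,
# answering Yes when asked to overwrite the existing default SMTP certificate.
# The trusted UC certificate stays bound to IIS/web services.
#   New-ExchangeCertificate -DomainName <servername>.<domain>.local -Services SMTP
```

Running the check again after the new certificate is in place should show every connector as OK; a connector still listed as MISSING is the one that will keep logging 12014.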