
Exchange Server Forums


ExchangeCertificate HELP! Plz!!!!!!

ExchangeCertificate HELP! Plz!!!!!! - 17.Sep.2009 5:53:41 AM   
kdcollinson

 

Posts: 4
Joined: 17.Sep.2009
Status: offline
Hi All,

Have an Exchange Svr 07 problem.

Local domain i.e Local.Domain.Com

The MX and DNS is External.Domain.com.

When I set the connectors to EHLO Mail.External.Domain.Com, the event log starts to populate with "Microsoft Exchange couldn't find a certificate".

What is the basic easy command to create a self certified cert created by the exchange server to resolve this problem and to assign the cert to the Connectors?

Thx,
Karl.
Post #: 1
RE: ExchangeCertificate HELP! Plz!!!!!! - 17.Sep.2009 9:12:26 AM   
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
Part of the TLS selection process is that it tries to find a matching FQDN in the local certificates store that is enabled for SMTP based on the FQDN on the connector.  If it can't find one, it still falls back to using the self-signed certificate.  Yes, you get certificate warnings, but again, it'll still fall back to the self-signed certificate.

In your case, you'll want to make sure either is true:
1. You still have a self-signed certificate that is assigned to SMTP so the fallback mechanism works.
2. Obtain a certificate that contains your connector's FQDN and assign it to SMTP.

I wrote an article on this a while back.  Maybe it'll help you understand more as I provide links to the MS articles that discuss this more in depth.
http://www.shudnow.net/2008/11/08/exchange-2007-mail-flow-dns-records-connectors-and-tls/

The section you will want to take a look at is:
DNS PTR Record(s) and SMTP Banner(s) (Send/Receive Connector FQDNs)

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to kdcollinson)
Post #: 2
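
The selection rule described in the reply above, written out as a check (an added example, not part of the original posts and not Exchange's own logic). The property names are the ones `Get-ExchangeCertificate` and `Get-ReceiveConnector`/`Get-SendConnector` return; the function names, the sample objects, the "only `Valid` certificates count" rule and the `-like` wildcard handling are assumptions of this sketch.

```powershell
# Return the certificates usable for STARTTLS on a given connector FQDN:
# status Valid, enabled for SMTP, and listing the FQDN among their domains.
function Find-SmtpCertificate {
    param([string]$Fqdn, [object[]]$Certificates)
    $Certificates | Where-Object {
        $cert = $_
        $cert.Status.ToString() -eq 'Valid' -and
        $cert.Services.ToString() -match 'SMTP' -and
        @($cert.CertificateDomains | Where-Object { $Fqdn -like $_.ToString() }).Count -gt 0
    }
}

# Classify each connector: exact match, self-signed fallback, or nothing usable.
function Test-ConnectorCertificate {
    param([object[]]$Connectors, [object[]]$Certificates)
    $fallback = @($Certificates | Where-Object {
        $_.IsSelfSigned -and $_.Status.ToString() -eq 'Valid' -and
        $_.Services.ToString() -match 'SMTP' })
    foreach ($c in $Connectors) {
        $fqdn = "$($c.Fqdn)"
        # No FQDN on the connector: the computer's FQDN is used instead.
        if (-not $fqdn) { $fqdn = [System.Net.Dns]::GetHostEntry('').HostName }
        $match = @(Find-SmtpCertificate -Fqdn $fqdn -Certificates $Certificates)
        if ($match.Count -gt 0)        { $result = 'Match';              $thumb = $match[0].Thumbprint }
        elseif ($fallback.Count -gt 0) { $result = 'FallbackSelfSigned'; $thumb = $fallback[0].Thumbprint }
        else                           { $result = 'NoSmtpCertificate';  $thumb = $null }
        New-Object PSObject -Property @{
            Connector = $c.Name; Fqdn = $fqdn; Result = $result; Thumbprint = $thumb }
    }
}

# Constructed sample data (not from the thread's server) so the check runs anywhere.
$certs = @(
    New-Object PSObject -Property @{ Thumbprint = 'CONSTRUCTED-THUMBPRINT-1'; IsSelfSigned = $true
        CertificateDomains = @('server.local.domain'); Services = 'IMAP, POP, IIS, SMTP'; Status = 'Valid' }
    New-Object PSObject -Property @{ Thumbprint = 'CONSTRUCTED-THUMBPRINT-2'; IsSelfSigned = $false
        CertificateDomains = @('mail.external.domain.com'); Services = 'SMTP'; Status = 'Invalid' }
)
$connectors = @(
    New-Object PSObject -Property @{ Name = 'Internal (constructed)'; Fqdn = 'server.local.domain' }
    New-Object PSObject -Property @{ Name = 'Internet (constructed)'; Fqdn = 'mail.external.domain.com' }
)
Test-ConnectorCertificate -Connectors $connectors -Certificates $certs |
    Format-Table Connector, Fqdn, Result, Thumbprint -AutoSize

# In the Exchange Management Shell, pass the live objects instead:
# Test-ConnectorCertificate -Connectors (Get-ReceiveConnector) -Certificates (Get-ExchangeCertificate)
```

With the sample data, the internal connector reports `Match` and the Internet connector reports `FallbackSelfSigned`, because the certificate carrying its name is not in `Valid` status.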
RE: ExchangeCertificate HELP! Plz!!!!!! - 17.Sep.2009 10:05:20 AM   
kdcollinson

 

Posts: 4
Joined: 17.Sep.2009
Status: offline
Thx Elan!
Will read that in a moment, in the meantime I have failed the server back to server.local.domain on the SMTP send and receive.

I am now getting the same error for the local domain, I have checked to see the following:
Cert exists
Is enabled for services (SMTP, POP, IIS, IMAP)
Valid

No other certs exist, I have also used the "enabled" command on the SMTP service on the original cert.

Exchange has also been rebooted, still retain the same error...

Any ideas?
Pulling my hair out with this....
Thanks,
Karl.

(in reply to Elan Shudnow)
Post #: 3
RE: ExchangeCertificate HELP! Plz!!!!!! - 17.Sep.2009 12:09:56 PM   
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
Can you please post the exact error you're getting?

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to kdcollinson)
Post #: 4
RE: ExchangeCertificate HELP! Plz!!!!!! - 17.Sep.2009 12:21:21 PM   
kdcollinson

 

Posts: 4
Joined: 17.Sep.2009
Status: offline
Thx!!

Microsoft Exchange couldn't find a certificate that contains the domain name ex2003.hayward.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SMTP with a FQDN parameter of ex2003.hayward.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used......

The file is located in IIS under default site, when I do a get-exchangecert it's there (No other Certs)

I removed all certs in IIS, restarted the relevant services...
recreated the cert using your tool ;-)
New-ExchangeCertificate -GenerateRequest -Path c:\ex2003_hayward_co_uk.csr -KeySize 2048 -SubjectName "c=GB, s=, l=, o=Hayward, cn=ex2003.hayward.co.uk" -PrivateKeyExportable $True
*** (Have just noticed when I do a |FL * the status is invalid)

(in reply to Elan Shudnow)
Post #: 5
RE: ExchangeCertificate HELP! Plz!!!!!! - 17.Sep.2009 12:29:23 PM   
kdcollinson

 

Posts: 4
Joined: 17.Sep.2009
Status: offline
Oh, I had to move the Cert in the cert.mmc into the personal from the cert enrollment requests in order for me to be able to enable the SMTP service on its thumbprint.

Thanks!!!
Karl.

(in reply to kdcollinson)
Post #: 6
