Don’t think my last email got through. For the CAS that doesn’t have a self-signed cert, generate a new one.

Generating Self-Signed Certificates

To generate a self-signed certificate for use by the SMTP service for a server that has the host name of Server1 and a domain of fourthcoffee.com, run the following command:

    New-ExchangeCertificate -DomainName "server1.fourthcoffee.com", "server1" -Services "SMTP"

For the CAS that has a cert but it has expired, you can clone the existing one.

Cloning Self-Signed Certificates

If an existing self-signed certificate has to be renewed, you can clone it by running the following command:

    Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate

The thumbprint placeholder is the thumbprint of the certificate to be renewed. The services for the new certificate can also be specified in the command as follows:

    Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate -Services SMTP,POP,IMAP

You can then enable this certificate by running the following command:

    Enable-ExchangeCertificate <thumbprint>

Certificate Use in Exchange Server 2007 (Section Generating Self-Signed Certificates)
http://technet.microsoft.com/en-us/library/bb851505.aspx

James Chong
11130 Sunrise Valley Drive, Suite 300
Reston, VA 20191

From:
exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Amit Kapoor

Hi James,

I tried the command given by you in the below mail. We have two Hub servers. On both the Hub servers, a VeriSign certificate is installed. But no self-signed certificate exists on one server, whereas on the second server there are two self-signed certificates, but both of them show as invalid in status as they are expired. Do we need to have an internal self-signed certificate as well when we have an external certificate installed? Do we need to renew those internal self-signed certificates to make SMTP work on Mac Mail?

These are the details I got for the internal self-signed certificates. On the second server there is no certificate like this.

==========================================================
CertificateDomains : {sc-owamail.extremenetworks.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=sc-owamail.extremenetworks.com
NotAfter           : 11/6/2008 3:58:03 AM
NotBefore          : 11/6/2007 9:58:03 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 7BD08DD642E1EEBB4129247F96EF9F09
Services           : None
Status             : Invalid
Subject            : CN=sc-owamail.extremenetworks.com
Thumbprint         : A462D2CD65F1FAC547DD25453591FEB2F14FB4DF
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}

CertificateDomains : {sc-owamail.extremenetworks.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=sc-owamail.extremenetworks.com, C="com O=extremenetworks organization"
NotAfter           : 11/5/2008 11:02:45 PM
NotBefore          : 11/6/2007 5:02:45 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 1D378AB3D356DFA84B416849713107CB
Services           : None
Status             : Invalid
Subject            : CN=sc-owamail.extremenetworks.com, C="com O=extremenetworks organization"
Thumbprint         : CB3A9A1455ECA81A27530C0C51C5A5706480405B
============================================================

Please suggest what should we do?

Regards,
Amit Kapoor

From:
exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of James Chong

This can also happen if your send/receive connectors' FQDN (specify the FQDN this connector will provide in response to HELO or EHLO) does not match your cert name, as the event indicates; but since you mentioned that it expired, it’s probably related to that.

James Chong
11130 Sunrise Valley Drive, Suite 300
Reston, VA 20191

From: James Chong

    Get-ExchangeCertificate | FL

You need to enable the cert that has your NetBIOS name. The cert needs to be valid and not expired.

James Chong
11130 Sunrise Valley Drive, Suite 300
Reston, VA 20191

From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Amit Kapoor

Hi James,

We are getting the below-mentioned error in the event logs. The Event ID for this is 12014 and the Event Source is MSExchange Transport.

============================================
Microsoft Exchange couldn't find a certificate that contains the domain name <server name> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Outgoing with a FQDN parameter of <server name>. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
==========================================================

When I search for the list of certificates on the Hub server, it shows me a long list of certificates. How do I check which certificate I have to install or renew?

Regards,
Amit Kapoor

From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of James Chong

If you did not get a SAN cert that included your NetBIOS name, then yes. You need to run New-ExchangeCertificate to generate a request; upload it to your CA server. Download the cert, import the cert, and enable the cert for IMAP.

James Chong
11130 Sunrise Valley Drive, Suite 300
Reston, VA 20191

From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Amit Kapoor

Hi,

We have Exchange 2007 in our network. A few days back we renewed our SSL certificates on the Exchange Servers at different sites; those were purchased from VeriSign. Everything was working fine, till a few users reported problems connecting to the mail server using IMAP (Mac, Thunderbird etc.). We have checked on the server and it is giving an error for some internal self-signed certificate expiry. Do we need to re-install the self-signed certificate for SMTP, as users are not able to send emails using Mac, Thunderbird etc.? Please suggest.

Regards,
Amit Kapoor
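The question running through the thread is which of the many certificates on a Hub Transport server actually covers the connector FQDN and is still valid, which is what event 12014 checks. The script below is an added example for that check, not something posted in the thread; it assumes the Exchange 2007 Management Shell on the Hub server itself and uses only Get-ExchangeCertificate, Get-ReceiveConnector and Get-SendConnector, with Test-CertCoversFqdn being a helper written for this example.

```powershell
# Added example, not from the thread: for every connector FQDN on this Hub
# Transport server, list the certificates that could answer STARTTLS for it
# and say whether each is expired, lacks a private key, or is not enabled
# for SMTP. Assumes the Exchange 2007 Management Shell on the Hub itself.
$server      = $env:COMPUTERNAME
$now         = Get-Date
$machineFqdn = [System.Net.Dns]::GetHostByName($server).HostName

function Test-CertCoversFqdn($cert, $fqdn) {
    # Exact SAN/CN match, or a wildcard entry covering the parent domain.
    foreach ($d in $cert.CertificateDomains) {
        $name = "$d"
        if ($name -ieq $fqdn) { return $true }
        if ($name.StartsWith('*.') -and $fqdn.Contains('.') -and
            $fqdn.Substring($fqdn.IndexOf('.') + 1) -ieq $name.Substring(2)) { return $true }
    }
    return $false
}

# FQDNs offered in EHLO: receive connectors on this server plus send
# connectors sourced from it; an empty Fqdn means the machine FQDN is used.
$fqdns  = @(Get-ReceiveConnector -Server $server | ForEach-Object { "$($_.Fqdn)" })
$fqdns += Get-SendConnector |
    Where-Object { ($_.SourceTransportServers | ForEach-Object { "$_" }) -icontains $server } |
    ForEach-Object { "$($_.Fqdn)" }
$fqdns  = $fqdns | ForEach-Object { if ($_) { $_ } else { $machineFqdn } } | Sort-Object -Unique

$certs = Get-ExchangeCertificate

foreach ($fqdn in $fqdns) {
    Write-Host "`nConnector FQDN: $fqdn"
    $covering = @($certs | Where-Object { Test-CertCoversFqdn $_ $fqdn })
    if ($covering.Count -eq 0) {
        Write-Host "  No certificate contains this name (the 12014 condition): request a SAN cert that includes it, or run New-ExchangeCertificate -DomainName $fqdn -Services SMTP."
        continue
    }
    foreach ($c in $covering) {
        $kind  = if ($c.IsSelfSigned) { 'self-signed' } else { 'CA-issued  ' }
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' } elseif (-not $c.HasPrivateKey) { 'NO PRIVATE KEY' } else { 'valid' }
        $smtp  = if ("$($c.Services)" -match 'SMTP') { 'SMTP enabled' } else { 'SMTP not enabled' }
        Write-Host ("  {0}  {1}  expires {2:yyyy-MM-dd}  {3}  {4}" -f $c.Thumbprint, $kind, $c.NotAfter, $state, $smtp)
    }
    $usable = @($covering | Where-Object { $_.NotAfter -ge $now -and $_.HasPrivateKey })
    if ($usable.Count -eq 0) {
        Write-Host "  Every matching cert is expired: clone one with Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate, then enable it for SMTP."
    } elseif (-not ($usable | Where-Object { "$($_.Services)" -match 'SMTP' })) {
        Write-Host "  A valid cert exists but is not enabled for SMTP: Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP."
    }
}
```

Run it on each Hub server in turn; an FQDN whose only covering certificates are marked EXPIRED is the one the thread's renewal steps apply to, and a "valid" certificate marked "SMTP not enabled" only needs Enable-ExchangeCertificate.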