Yes; your default connectors use self signed cert. You can
change the FQDN on your CUSTOM connectors to match your external verisign cert;
but not your default connectors. You Go ahead and create your self
signed certs. http://technet.microsoft.com/en-us/library/aa996395(EXCHG.80).aspx Don’t modify the FQDN value on the default Receive
connector named “Default <Server Name>” that is automatically
created on Hub Transport servers. If you have multiple Hub Transport servers in
your Exchange organization and you change the FQDN value on the “Default
<Server Name>” Receive connector, internal mail flow between Hub
Transport servers will fail. James Chong 11130 Sunrise Valley Drive, Suite 300 Reston, VA 20191 From:
exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On
Behalf Of Amit Kapoor Hi James, One question before we renew those certificate. Do we need internal
self signed when we have certificate from Verisign. We had purchased
certificate for outlook webaccess name. Earlier users were able to send receive
email using mac mail client, but since the certificate has expired they are not
able to do so. We have renewed certificate from verisign but not the internal
self signed one. Do you think we have to renew self signed as well. Can you
provide me some from Microsoft which states we need to renew self signed as
well as I had convince management for the same. Regards, Amit Kapoor From:
exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On
Behalf Of James Chong Don’t think my last email got through. For the cas
that doesn’t have a self signed cert generate a new one. Generating Self-Signed Certificates To generate a self-signed certificate for use by the SMTP
service for a server that has the host name of Server1 and a domain of
fourthcoffee.com, run the following command: New-ExchangeCertificate -DomainName
"server1.fourthcoffee.com", "server1" -Services
"SMTP" For cas that has cert but expired; you can clone existing
one. Cloning Self-Signed Certificates If an existing self-signed certificate has to be renewed,
you can clone it by running the following command: Get-ExchangeCertificate <thumbprint> |
New-ExchangeCertificate The thumbprint placeholder is the thumbprint of the
certificate to be renewed. The services for the new certificate can also be
specified in the command as follows: Get-ExchangeCertificate <thumbprint> |
New-ExchangeCertificate -Services SMTP,POP,IMAP You can then enable this certificate by running the
following command: Enable-ExchangeCertificate <thumbprint> Certificate Use in Exchange Server 2007 (Section Generating
Self-Signed Certificates) http://technet.microsoft.com/en-us/library/bb851505.aspx James Chong 11130 Sunrise Valley Drive, Suite 300 Reston, VA 20191 From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Amit Kapoor Hi James, I tried the command given by you in the below mail. We have
two hub servers. On both the Hub servers, verisign certificate is installed.
But no self signed certificate exists on one server, where as on the second
server there are two self signed certificate exists but both of them showing as
invalid in status as they are expired. Do we need to have internal self signed
certificate as well when we have external certificate installed. Do we need to renew those internal self signed certificate
to make the SMTP working on MAC mail. These are the details I got for internal self signed
certificates. On second server there is no certificate like this. ==========================================================
CertificateDomains : {sc-owamail.extremenetworks.com} HasPrivateKey : True IsSelfSigned : True Issuer
: CN=sc-owamail.extremenetworks.com NotAfter
: 11/6/2008 3:58:03 AM NotBefore
: 11/6/2007 9:58:03 PM PublicKeySize : 2048 RootCAType :
Unknown SerialNumber :
7BD08DD642E1EEBB4129247F96EF9F09 Services
: None Status
: Invalid Subject
: CN=sc-owamail.extremenetworks.com Thumbprint :
A462D2CD65F1FAC547DD25453591FEB2F14FB4DF AccessRules :
{System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {sc-owamail.extremenetworks.com} HasPrivateKey : True IsSelfSigned : True Issuer
: CN=sc-owamail.extremenetworks.com, C="com O=extremenetwork
s
organization" NotAfter
: 11/5/2008 11:02:45 PM NotBefore
: 11/6/2007 5:02:45 PM PublicKeySize : 2048 RootCAType :
Unknown SerialNumber :
1D378AB3D356DFA84B416849713107CB Services
: None Status
: Invalid Subject
: CN=sc-owamail.extremenetworks.com, C="com O=extremenetwork
s organization" Thumbprint :
CB3A9A1455ECA81A27530C0C51C5A5706480405B ============================================================
Please suggest what should we do? Regards, Amit Kapoor From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of James Chong This can also happen if your send\receive connectors FQDN
(specify the fqdn this connector will provide in response to HELO or EHLO) does
not match your cert name as event indicates; but since you mentioned that it
expired; it’s probably related to that. James Chong 11130 Sunrise Valley Drive, Suite 300 Reston, VA 20191 From: James Chong Get-Exchangecertificate |FL You need to enable the cert that has your netbios name. The
cert needs to be valid and not expired. James Chong 11130 Sunrise Valley Drive, Suite 300 Reston, VA 20191 From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Amit Kapoor Hi James, We are getting the below mentioned error in the event logs.
Event ID for this 12014 and Event Source is MSExchange Tranport. ============================================ Microsoft Exchange couldn't find
a certificate that contains the domain name <server name> in the personal
store on the local computer. Therefore, it is unable to support the STARTTLS
SMTP verb for the connector Outgoing with a FQDN parameter of <server
name>. If the connector's FQDN is not specified, the computer's FQDN is
used. Verify the connector configuration and the installed certificates to make
sure that there is a certificate with a domain name for that FQDN. If this certificate
exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the
Microsoft Exchange Transport service has access to the certificate key. ==========================================================
When I search for the list of certificates on the Hub
server, it shows me a long list of certificates. How do I check which
certificate I had to install or renew. Regards, Amit Kapoor From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of James Chong If you did not get a SAN cert that included your netbios
name, then yes. You need to run new-exchangecertificate to generate request;
upload to your CA server. Download the cert , import the cert, and enable the
cert for IMAP. James Chong 11130 Sunrise Valley Drive, Suite 300 Reston, VA 20191 From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Amit Kapoor Hi, We have exchange 2007 in out network. Few days back we have
renewed our SSL certificate on Exchange Servers at different sites, those were
purchased from Verisign. Everything was working fine, till few users reported
problem in connecting to mail server using IMAP, MAC, thunderbird etc. We have
checked on the server it is giving error for some internal self signed
certificate expiry. Do we need to re-install the self signed certificate for
SMTP as users are not able to send emails using the MAC, Thunderbird etc. Please suggest. Regards, Amit Kapoor DISCLAIMER: DISCLAIMER: DISCLAIMER: DISCLAIMER: |