Exchange 2010 Self-Signed Certificate Issue
Hi everyone,
I'll try and explain as best I can, since this environment was deployed before I joined the company, but we are having an issue with IMAP/SMTP and certificates.
Our internal domain is abc.com, however, our external domain is xyz.com. So, our Exchange servers internally are named exch1.abc.com while externally they are reached via exch1.xyz.com.
Now, the problem I am running into is that the self-signed certificate that is automatically assigned to the SMTP service is issued to exch1.abc.com, which we do not have authority over as a domain (internal domain only). We also have a SAN certificate that has exch1.xyz.com listed, but when clients connect externally via IMAP and try to send, they get a cert error because the self-signed cert is listed as abc.com.
The SAN cert is assigned to all services, including SMTP, but the self-signed default certificate is only set to SMTP, which is grayed out with the check box. How would I go about resolving this situation?
Thanks!
July 28th, 2011 1:11pm
Hi,
I can't recall a check box for any certification setting. Can you please explain what you mean with
"but the self-signed default certificate is only set to SMTP, which is grayed out with the check box"
Can you please run Get-exchangecertificate | fl and post the output?
:Martina
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question.
July 28th, 2011 1:30pm
What I mean by that is under "Server Configuration" --> EXCH1 (under the server name at the top of the page). Then, in the bottom window, the certificates for Exchange appear. The SAN certificate is listed as well as the "Microsoft Exchange" self-signed cert.
When I click "Assign Services to Certificate" on the self-signed cert, the SMTP box is checked and grayed out.
Here is the output of Get-exchangecertificate | fl:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange.securemissionsolutions.com, www.exchange.securemissionsolutions.com, smschsexch1.securemissionsolutions.com, smschsexch2.securemissionsolutions.com, securemissionsolutions.com, autodiscover.securemissionsolutions.com, imap.securemissionsolutions.com, mail.securemissionsolutions.com, smschsexch3.securemissionsolutions.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 3/15/2016 11:18:47 AM
NotBefore : 3/15/2011 11:18:47 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 27A755F988426B
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=exchange.securemissionsolutions.com, OU=Domain Control Validated, O=exchange.securemissionsolutions.com
Thumbprint : 0C39B15E559A99D313A428A6734007D15B2EE000

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {smschsexch1, smschsexch1.sms.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=smschsexch1
NotAfter : 3/10/2016 5:07:44 PM
NotBefore : 3/10/2011 5:07:44 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 1F12A05E567FD998455620F7F8FD117D
Services : SMTP
Status : Valid
Subject : CN=smschsexch1
Thumbprint : 93C7FEBF1F4FC53D6F948EC40C4EB3624BD8B3EA
July 28th, 2011 1:37pm
Hi,
Thanks, I guess I spend too little time in the EMC :)
If you run:
Get-TransportServer | ft Name,InternalTransportCertificateThumbprint -auto
I believe that you will see the thumbprint of your internal certificate.
If I am right, you might be able to change it by running:
set-transportserver -internalTransportCertificateThumbprint 93C7FEBF1F4FC53D6F948EC40C4EB3624BD8B3EA
:Martina
July 28th, 2011 1:52pm
Here is the output file:
Name InternalTransportCertificateThumbprint
---- --------------------------------------
SMSCHSEXCH1 0C39B15E559A99D313A428A6734007D15B2EE000
SMSCHSEXCH2 0C39B15E559A99D313A428A6734007D15B2EE000
smschsextmg1 991DB6441F81467596D93A96A44991694916A0C8
smschsextmg2 87CD7903BA4D1311F19E255CDD9A73F660A33AB4
Now, I want the SAN certificate (with the domain that we have authority over) as the primary SMTP certificate, just so we're clear :).
July 28th, 2011 1:55pm
Aha, I made a copy/paste mistake :)
Hmm, I have some doubts about this.
You might get a lot of errors in the Application Log if a certificate doesn't include the name of the Exchange server. But you can definitely try, and post back your result.
set-transportserver smschsextmg1 -InternalTransportCertificateThumbprint 0C39B15E559A99D313A428A6734007D15B2EE000
set-transportserver smschsextmg2 -InternalTransportCertificateThumbprint 0C39B15E559A99D313A428A6734007D15B2EE000
On every server, run
Enable-ExchangeCertificate -Thumbprint 0C39B15E559A99D313A428A6734007D15B2EE000 -Services SMTP
If this doesn't work, you can try to:
1. Remove the self-signed certificate
2. Then run the above
:Martina
July 28th, 2011 2:17pm
I'm a little hesitant to try anything if you have some doubts, lol. I don't want there to be (and there can't be) any fallout or loss of service, so I would rather not delete any certs without knowing for sure that it will work (I have heard in other posts that those self-signed, auto-generated certs are needed for certain inter-Exchange communications?)...
July 28th, 2011 3:40pm
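A pre-check for the steps Martina proposed, written as an added example for this thread (it is not the OP's or Martina's code): it runs in the Exchange 2010 Management Shell, reports each Hub Transport server's internal transport certificate and whether the SAN certificate from the Get-ExchangeCertificate output above names the server and its receive connectors, and only with -Apply enables that certificate for SMTP. The function name, the parameter names and the -Apply switch are this example's own; the thumbprint is the SAN certificate's from the posted output.

```powershell
# Added example: audit per-server SMTP certificate state; enable the SAN cert only with -Apply.
param(
    # Thumbprint of the Go Daddy SAN certificate from the thread's Get-ExchangeCertificate output
    [string]$SanThumbprint = '0C39B15E559A99D313A428A6734007D15B2EE000',
    [switch]$Apply
)

function Test-CertCoversName {
    param($Certificate, [string]$Name)
    # CertificateDomains holds the Subject CN plus every SAN entry of the certificate.
    foreach ($entry in $Certificate.CertificateDomains) {
        $dom = [string]$entry
        if ($dom -ieq $Name) { return $true }
        # A wildcard entry (*.xyz.com) covers exactly one additional label.
        if ($dom.StartsWith('*.')) {
            $parts = $Name -split '\.', 2
            if ($parts.Count -eq 2 -and $parts[1] -ieq $dom.Substring(2)) { return $true }
        }
    }
    return $false
}

foreach ($ts in Get-TransportServer) {
    $fqdn = (Get-ExchangeServer -Identity $ts.Name).Fqdn
    $san  = Get-ExchangeCertificate -Server $ts.Name |
            Where-Object { $_.Thumbprint -eq $SanThumbprint }
    if (-not $san) { Write-Warning "$($ts.Name): SAN certificate is not installed"; continue }
    # Martina's caveat: a certificate that lacks the server's own FQDN produces
    # Application Log errors once it is the SMTP certificate, so verify before enabling.
    $coversSelf = Test-CertCoversName $san $fqdn
    # Exchange selects the STARTTLS certificate by matching a receive connector's FQDN
    # against the SMTP-enabled certificates, so connector names must be covered as well.
    $uncovered = @(Get-ReceiveConnector -Server $ts.Name |
                 Where-Object { -not (Test-CertCoversName $san $_.Fqdn) } |
                 ForEach-Object { [string]$_.Fqdn })
    New-Object PSObject -Property @{
        Server                  = $ts.Name
        InternalTransportCert   = $ts.InternalTransportCertificateThumbprint
        SanCoversServerFqdn     = $coversSelf
        ConnectorFqdnsUncovered = ($uncovered -join ', ')
    }
    # Only adds SMTP to the SAN cert's services; the self-signed certificate is left in place.
    if ($Apply -and $coversSelf -and $uncovered.Count -eq 0) {
        # -Force answers the "overwrite the existing default SMTP certificate?" prompt.
        Enable-ExchangeCertificate -Server $ts.Name -Thumbprint $SanThumbprint -Services SMTP -Force
    }
}
```

Run it without -Apply first; a server whose connector FQDNs are not all in the SAN certificate is reported and skipped rather than changed.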
You can create a new DNS zone for your external DNS domain on your internal DNS server. Copy in the records like www and also add the records for your internal mail services. That way, clients outside point to the outside IP and clients inside point to the inside IP, all without reconfiguration. This will also allow you to have a certificate with only the outside domain name.
Mike Crowley | MVP
Planet Technologies
July 28th, 2011 7:03pm