Not able to renew exchange certificate "access denied"
I'm receiving the error message listed at the bottom of this post in the Event logs and at this time I am not able to renew the certificate. To renew the certificate, I completed the following steps.

1. Executed get-ExchangeCertificate | fl * to determine the thumbprint for the certificate.
2. Ran get-ExchangeCertificate -thumbprint <thumbprint> | new-exchangecertificate and received the following:

New-ExchangeCertificate : Access is denied.
At line:1 char:103
+ Get-ExchangeCertificate -thumbprint "4FDBE52741B4D49167710140305AA90C7E00DF06" |new-exchangecertificate <<<<
[PS] F:\>

I am a member of the Domain Admins, Enterprise Admin, Exchange Organizational Administrators, and the Exchange Recipient Administrators. I have also checked the security for the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA folder. Any suggestions what I should do next?

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12014
Date: 3/5/2008
Time: 1:10:36 PM
User: N/A
Computer: SERVERNAME
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name mail.mydomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVERNAME with a FQDN parameter of mail.mydomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
September 4th, 2008 3:18pm

The following messages are displayed in the PowerShell event log when I attempt to create the new certificate:

Event Type: Information
Event Source: PowerShell
Event Category: (4)
Event ID: 400
Date: 9/4/2008
Time: 5:16:52 AM
User: N/A
Computer: ADPROSVR03
Description:
The description for Event ID ( 400 ) in Source ( PowerShell ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Available, None,
NewEngineState=Available
PreviousEngineState=None
SequenceNumber=8
HostName=ConsoleHost
HostVersion=1.0.0.0
HostId=61b30cb8-8223-4cac-bf2c-5f98bcad0877
EngineVersion=1.0.0.0
RunspaceId=520816f0-d3f0-4876-b9ca-1fba7c11135d
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=.

Event Type: Information
Event Source: PowerShell
Event Category: (6)
Event ID: 600
Date: 9/4/2008
Time: 5:16:52 AM
User: N/A
Computer: ADPROSVR03
Description:
The description for Event ID ( 600 ) in Source ( PowerShell ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Registry, Started,
ProviderName=Registry
NewProviderState=Started
SequenceNumber=5
HostName=ConsoleHost
HostVersion=1.0.0.0
HostId=61b30cb8-8223-4cac-bf2c-5f98bcad0877
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=.
September 4th, 2008 3:27pm

Sounds like a file system problem if you are already a member of Domain Admins and the Exchange admins. On the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA" folder, go ahead and right click > Properties > Security. For the Exchange administrators I'm sure you will already see full permissions, but go ahead and click Advanced; under the permissions for the administrators, first make sure it says "This folder, subfolders and files" and not "This folder only", and finally check the box at the bottom that says "Replace permissions on all child objects", just to make sure the subfolders are currently set properly.

Oh, and a final thought if that isn't the issue for some reason: make sure the Domain Admins group is in fact in the Administrators group on your Exchange server. Right click "My Computer" and choose Manage > Local Users and Groups > Groups > Administrators (the domain admins group is listed here, right?).
September 4th, 2008 7:23pm

Dear customer: To properly assist you in troubleshooting the issue, please help to collect the following information:

1. Which command do you run when you create the new certificate? Post the complete command that you have run into the forum for analysis.
2. Did you run the above command on your Exchange Server 2007?
3. On the Exchange Server 2007, open EMS, run the following command and post the result into the forum: Get-exchangecertificate | fl *
4. On the Exchange Server 2007, click Start and select Run, input mmc, click OK, click Add/Remove Snap-in, click Add, select Certificates, select Computer account, click Next, and then select Local computer, click Finish.
5. Expand Certificates (Local Computer), navigate to Personal > Certificates, select a certificate and double click it, click the Details tab, scroll down and select Thumbprint, compare it to 4FDBE52741B4D49167710140305AA90C7E00DF06, and check whether they are the same.
6. Repeat step 5 for each certificate until you find a certificate whose thumbprint is 4FDBE52741B4D49167710140305AA90C7E00DF06.

If you didn't find the certificate in the certificate store under Personal, it seems that the certificate was deleted by mistake. Thus we can only run new-exchangecertificate to create a new certificate. For more information about how to run new-exchangecertificate, please refer to the following article:

New-ExchangeCertificate
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx

Hope it helps. If anything is unclear, please feel free to let me know.

Rock Wang - MSFT
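Steps 3 to 6 above, done as a script instead of by hand in MMC. This is an added example, not code from the thread or from Microsoft: it looks the certificate up by thumbprint in the same Local Computer > Personal store, then reports the conditions that Event 12014 describes (connector FQDN not among the certificate's names, certificate expired, no private key). It assumes Windows PowerShell 2.0 or later on the Exchange server, and uses the thumbprint and FQDN quoted in the thread as defaults. The -Thumbprint parameter of Enable-ExchangeCertificate is a real Exchange 2007 parameter but does not appear in the thread.

```powershell
# Added example (not from the thread): check the Local Computer Personal store for the
# certificate Exchange 2007 is expected to use for STARTTLS on the receive connector.
param(
    [string]$Thumbprint    = '4FDBE52741B4D49167710140305AA90C7E00DF06',  # value from the thread
    [string]$ConnectorFqdn = 'mail.mydomain.com'                           # FQDN from Event 12014
)

function Test-SmtpCertificate {
    param([string]$Thumbprint, [string]$Fqdn)

    # Same store the MMC walk-through inspects: Certificates (Local Computer) > Personal.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    } finally { $store.Close() }

    if (-not $cert) {
        return "No certificate with thumbprint $Thumbprint in LocalMachine\My (probably deleted); " +
               "create a replacement with New-ExchangeCertificate."
    }

    # Every name the certificate is valid for: the subject CN plus any Subject Alternative Name entries.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # OID of subjectAltName
    if ($san) {
        # Format($false) yields text like "DNS Name=mail.mydomain.com, DNS Name=autodiscover.mydomain.com";
        # the label is localized, so take whatever follows the '=' of each entry.
        $names += $san.Format($false).Split(',') | ForEach-Object { $_.Split('=')[-1].Trim() }
    }

    $problems = @()
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
    if ($names -notcontains $Fqdn) {
        $problems += "does not contain the connector FQDN '$Fqdn' (names: $($names -join ', ')), so Event 12014 will persist"
    }
    if (-not $cert.HasPrivateKey) { $problems += "has no private key in the store, so it cannot serve STARTTLS" }

    if ($problems.Count -eq 0) {
        # The certificate itself is fine; if the event persists, the Transport service (running as
        # Network Service) lacks access to the key, which Enable-ExchangeCertificate grants.
        return "Certificate $Thumbprint is valid for '$Fqdn'. If Event 12014 persists, run " +
               "Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP."
    }
    return "Certificate $Thumbprint " + ($problems -join '; ')
}

Test-SmtpCertificate -Thumbprint $Thumbprint -Fqdn $ConnectorFqdn
```

Run it in the Exchange Management Shell on the transport server; pass a different -Thumbprint to check each candidate certificate without clicking through the MMC Details tab.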
September 5th, 2008 10:10am

I did follow steps 1-6 and did find the thumbprint indicated. I then ran

[PS] F:\>get-exchangecertificate -thumbprint 4FDBE52741B4D49167710140305AA90C7E00DF06 | New-ExchangeCertificate

This generated the new certificate:

Thumbprint                                 Services   Subject
----------                                 --------   -------
CD561A8ED9927DAD45253187820BBB493E2AC1D3   .....      CN=ADPROSVR03

I removed the old certificate and no longer see the error referencing the expired certificate.
September 5th, 2008 3:21pm
