Self-signed certificate issue
Hello, I recently renewed my third-party Exchange certificate (Exch 2007). Here are the certificates I get on my HUBCAS:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {HUBCAS01, HUBCAS01.company.intra}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=HUBCAS01
NotAfter           : 19/03/2011 09:52:14
NotBefore          : 19/03/2010 09:52:14
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : xxxxx5982D8546218xxx
Services           : SMTP
Status             : Valid
Subject            : CN=HUBCAS01
Thumbprint         : xxxB1EF3C888AA9137147BD59B410xxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.company.com, autodiscover.comp-any.com, autodiscover.company.com, mail.comp-any.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=xxxx SSL CA, O="xxx, Inc.", C=xx
NotAfter           : 12/02/2012 07:23:16
NotBefore          : 10/01/2011 02:04:46
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : xxx
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.company.com, O=xxx, L=xxx, S=xx, C=FR, SERIALNUMBER=p9ks8eNVgEZjPoYQS7eNVJxxxxx
Thumbprint         : xxxxx1839847C21343B70A7Dxxxxx

My problem is that I removed the self-signed certificate by mistake on the other HUBCAS2 and I now get the error message below:

Source   : MSExchangeTransport
Type     : Error
Category : TransportService
Event ID : 12014
Computer : HUBCAS02
Microsoft Exchange couldn't find a certificate that contains the domain name HUBCAS02.company.intra in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of HUBCAS02.company.intra. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

How could I solve the issue?
Thanks, Graig
January 19th, 2011 4:08am

Did you enable the certificate after renewing it, using Enable-ExchangeCertificate -Thumbprint ?
http://support.microsoft.com/kb/555855
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12014&EvtSrc=MSExchangeTransport
Anil
January 19th, 2011 5:07am

It looks to me that I have removed the default self-signed certificate on the HUBCAS2. I did enable the services:

>Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.company.com, autodiscover.comp-any.com, autodiscover.company.com, mail.comp-any.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=*** SSL **, O="***, Inc.", C=US
NotAfter           : 12/02/2012 07:23:16
NotBefore          : 10/01/2011 02:04:46
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 5517
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.company.com, O=***, L=***, S=***, C=FR, SERIALNUMBER=p*****CFR6I4d
Thumbprint         : ****847C21343B70A7D*****

--> I can tell that the third-party certificate has been installed on the server and DOES NOT contain a matching FQDN!!

I was about to run this command to create a certificate matching the FQDN:

New-ExchangeCertificate -GenerateRequest -Path C:\Certificates\mail_company-SELSIGN_com.csr -KeySize 2048 -SubjectName "CN=HUBCAS02" -DomainName HUBCAS02, HUBCAS02.company.intra -PrivateKeyExportable $False

Am I correct? Sorry, I have never done it before and I'm a bit confused. If I am correct, should I enable that certificate and its services?

Enable-ExchangeCertificate -Thumbprint ?????? -Services "IMAP, POP, IIS, SMTP"

Thanks again
January 19th, 2011 5:47am

Sorry, me again...

>Get-ReceiveConnector | FL name, fqdn, objectClass

Name        : Default HUBCAS02
Fqdn        : HUBCAS02.company.intra
ObjectClass : {top, msExchSmtpReceiveConnector}

Name        : Client HUBCAS02
Fqdn        : HUBCAS02.company.intra
ObjectClass : {top, msExchSmtpReceiveConnector}

So, as my third-party certificate looks like this:

>Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.company.com, autodiscover.comp-any.com, autodiscover.company.com, mail.comp-any.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=GeoTrust SSL **, O="GeoTrust, Inc.", C=US
NotAfter           : 12/02/2012 07:23:16
NotBefore          : 10/01/2011 02:04:46
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 5517
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.company.com, O=****, L=****, S=***, C=**, SERIALNUMBER=****NVgEZjPoYQS7eNVJ******
Thumbprint         : *******C21343B70A7DB68E******

Shall I simply change my Receive Connectors? They would then look like:

Name        : Default HUBCAS02
Fqdn        : mail.company.com
ObjectClass : {top, msExchSmtpReceiveConnector}

Name        : Client HUBCAS02
Fqdn        : mail.company.com
ObjectClass : {top, msExchSmtpReceiveConnector}

I would really appreciate it if you could help me figure that out. Many thanks in advance.
Graig
January 19th, 2011 6:35am

Yes, you can enable it!
Anil
January 20th, 2011 12:36am

Okay, so I create the certificate like this:

New-ExchangeCertificate -GenerateRequest -Path C:\Certificates\mail_company-SELSIGN_com.csr -KeySize 2048 -SubjectName "CN=HUBCAS02" -DomainName HUBCAS02, HUBCAS02.company.intra -PrivateKeyExportable $False

And then I only enable the services? No need to import anything. Am I correct?
Graig
January 20th, 2011 5:00am

Hi Graiggoriz,
Sure, then you could enable the cert for the service; no need to import anything. Some information for you: http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
Regards!
Gavin
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 24th, 2011 2:10am

Hi Gavin,
Thank you for confirming my doubt. I really do not find (even in your link) a scenario where you have deleted your self-signed certificate and have to recreate it from scratch! In fact, you find information and commands to renew and activate services, but not to create a self-signed certificate.
Thanks again for the input.
Graig
January 24th, 2011 5:20am

Hi Graiggoriz,
As far as I know, when you run the New-ExchangeCertificate cmdlet without arguments, a self-signed certificate for SMTP SSL/TLS is generated. The certificate has the local computer FQDN as the Subject Name. Please refer to: http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx
Regards!
Gavin
January 24th, 2011 9:24pm

I created the certificate:

New-ExchangeCertificate -GenerateRequest -Path C:\Certificates\mail_company-SELSIGN_com.csr -KeySize 2048 -SubjectName "CN=HUBCAS02" -DomainName HUBCAS02, HUBCAS02.company.intra -PrivateKeyExportable $False

but cannot enable the SMTP service. I can't figure out why:

[PS] C:\>Enable-ExchangeCertificate -Thumbprint 4xxxx3EBA8h46Fxxxx72BF3xxx24 -Services "SMTP"
Enable-ExchangeCertificate : The certificate with Thumbprint 4xxxx3EBA8h46Fxxxx72BF3xxx24 is not found.
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint 4xxxx3EBA8h46Fxxxx72BF3xxx24 -Services "SMTP"

Can you help with that?
January 26th, 2011 7:07am

On Wed, 26 Jan 2011 12:02:50 +0000, Graiggoriz wrote:

>I created the Certificate:
>New-ExchangeCertificate -GenerateRequest -Path C:\Certificates\mail_company-SELSIGN_com.csr -KeySize 2048 -SubjectName "CN=HUBCAS02" -DomainName HUBCAS02, HUBCAS02.company.intra -PrivateKeyExportable $False
>but cannot enable the SMTP service. I can't figure out why.. :
>[PS] C:\>Enable-ExchangeCertificate -Thumbprint 4xxxx3EBA8h46Fxxxx72BF3xxx24 -Services "SMTP"
>Enable-ExchangeCertificate : The certificate with Thumbprint 4xxxx3EBA8h46Fxxxx72BF3xxx24 is not found. At line:1 char:27 + Enable-ExchangeCertificate <<<< -Thumbprint 4xxxx3EBA8h46Fxxxx72BF3xxx24 -Services "SMTP"
>Can you help on that?

Why do you not ask for an exportable private key?
Did you import the certificate?
Do you have the certificate installed in the correct certificate store?
Are you sure the thumbprint value is correct?
---
Rich Matheisen MCSE+I, Exchange MVP
January 26th, 2011 9:37pm

I tried with and without the exportable private key.
I don't need to export the cert.
I am sure about the thumbprint.
I did remove that cert and ran New-ExchangeCertificate; it asked me to replace my current third-party certificate and, as I wasn't sure at all about the side effects, I hit CTRL + C.
When I ran Get-ExchangeCertificate, it had created my self-signed certificate and enabled services (SMTP and 2 others). My event ID disappeared, but I need to remove the 2 extra services on that certificate and would like to understand what happened :-(
January 28th, 2011 10:55am

On Fri, 28 Jan 2011 15:51:21 +0000, Graiggoriz wrote:

>I tried with and without the exportable private key.
>I don't need to export the cert.
>I am sure about the thumbprint.
>I did remove that cert and ran New-ExchangeCertificate it asks me to replace my current third certificate and as I wasn't sure at all about the side effect, I did CTRL + C.
>When I did my get-exchangecertificate it has created my self sign certificate and enable services (SMTP and 2 others) My event ID disappeared but I need to remove the 2 extra services on that certificate and would like to understand what happened :-(

You can't remove services from a certificate, you can only add them.

If this is a self-signed (i.e. not a PKI or 3rd-party) cert, you can remove the certificate and generate a new one. Then enable the cert with the service(s) you want.

If it's an internal PKI cert, get a new CSR and request a new cert. Import it and remove the old one. Then enable the new cert with the services you want.

If it's a 3rd-party cert, export it (here's where you want to have an exportable private key!) with the private key. Remove the cert from the store. Import the cert you exported and enable it with the service(s) you want.
---
Rich Matheisen MCSE+I, Exchange MVP
January 28th, 2011 10:43pm
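Added example, not from this thread or from Microsoft: an Exchange Management Shell check for the condition behind event 12014 (a Receive Connector whose FQDN has no valid, SMTP-enabled certificate with a private key), plus the self-signed remediation Rich describes, generating a replacement enabled for SMTP only. It assumes the Exchange 2007 cmdlets as used in the thread, that -Services and -FriendlyName exist on New-ExchangeCertificate, and that it runs on the Hub Transport server itself, since Get-ExchangeCertificate is local in Exchange 2007.

```powershell
# Added example (not from the thread). Assumed: run in the Exchange 2007 Management Shell
# on the Hub Transport server being checked. Lists every Receive Connector whose FQDN is
# not covered by a valid, SMTP-enabled certificate with a private key (event 12014).

function Test-CertDomainMatch {
    param([string]$Fqdn, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -ieq $Fqdn) { return $true }
        # honour a wildcard entry such as *.company.com (it covers one label only)
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($d.Substring(1)) + '$'
            if ($Fqdn -imatch $pattern) { return $true }
        }
    }
    return $false
}

function Get-ReceiveConnectorsWithoutSmtpCert {
    $server = $env:COMPUTERNAME
    # Only certificates transport can actually offer for STARTTLS count here.
    $usable = @(Get-ExchangeCertificate | Where-Object {
        $_.HasPrivateKey -and $_.Status -eq 'Valid' -and
        (@($_.Services.ToString().Split(',') | ForEach-Object { $_.Trim() }) -contains 'SMTP')
    })
    foreach ($rc in Get-ReceiveConnector -Server $server) {
        # An empty connector FQDN means the server's own FQDN is advertised.
        if ($rc.Fqdn) { $fqdn = $rc.Fqdn.ToString() }
        else { $fqdn = [System.Net.Dns]::GetHostEntry($server).HostName }
        $hits = @($usable | Where-Object {
            Test-CertDomainMatch $fqdn ([string[]]@($_.CertificateDomains | ForEach-Object { $_.ToString() }))
        })
        if ($hits.Count -eq 0) {
            New-Object PSObject |
                Add-Member NoteProperty Connector $rc.Identity -PassThru |
                Add-Member NoteProperty Fqdn $fqdn -PassThru
        }
    }
}

# Self-signed remediation: a new certificate for just the missing internal FQDN, enabled for
# SMTP only. Keeping DomainName free of the third-party names avoids the "replace existing
# SMTP certificate" prompt seen in the thread. -Services/-FriendlyName are assumed; the
# cmdlet honours -WhatIf and -Confirm, so dry-run first.
function New-InternalSmtpCert {
    param([string]$Fqdn)
    New-ExchangeCertificate -SubjectName "CN=$Fqdn" -DomainName $Fqdn -KeySize 2048 `
        -PrivateKeyExportable $false -Services SMTP -FriendlyName "Internal SMTP $Fqdn"
}

# Usage: Get-ReceiveConnectorsWithoutSmtpCert | Format-Table -AutoSize
#        Get-ReceiveConnectorsWithoutSmtpCert | ForEach-Object { New-InternalSmtpCert $_.Fqdn }
```

After creating the certificate, rerun the check; the transport service picks up the new SMTP certificate and the 12014 event stops for that FQDN.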

