Proper way to import self-signed TLS certificate for remote SmartHost?

    Question

  • Hi all,

    I've been banging my head against this for a while with no success. I'm trying to set up an Exchange 2010 server to use a SmartHost with a self-signed certificate for testing. Everything functions fine until I enable TLS for the Send Connector/SmartHost.

    With TLS enabled, I get this in the Queue Viewer:

    [451 4.4.0 Primary target IP address responded with: "454 4.7.5 Certificate validation failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.]

    I have two certs from the SmartHost, CA.crt and signed.crt. I have tried every combination of importing these certs using the below methods with no success:

    • Installing the certs to the Trusted Root store by double clicking them and installing them
    • Installing the certs to the Trusted Root store through the MMC Certificate snap-in set to "Computer Account"
    • Installing the certs to the Personal store through the MMC Certificate snap-in set to "Computer Account"

    What is the proper way to import these certs so they will be seen as viable for use in the SmartHost? Is there somewhere else I should look for more specific log errors? (I'm fairly new to Exchange, been in a Unix environment for a long time.)

    Thanks,

    Ben

    Wednesday, January 11, 2012 8:49 PM

Answers

  • Thanks!

    As I stated though, I'm somewhat new to Exchange so please bear with me. I'm using different self-signed certs on both the Exchange server and the SmartHost. Are you saying I need to install the Exchange server's cert onto the SmartHost?

    Then, in your transportconfig statement, which machine is the remotedomain? (you've got it listed twice) Is one supposed to be the Exchange server and one the SmartHost?

    Thanks,

    Ben


    Hi,

    If your smarthost is not in your domain, then we need to install the Exchange self-signed certificate to your smarthost, I think.

    Remote could be your smarthost.


    Xiu Zhang

    TechNet Community Support

    Monday, January 16, 2012 3:20 AM

All replies

  • Hi,

    If you are using the self-signed certificate, then you can try to install the certificate on the smarthost.

    After that, please run the command below:

    Set-TransportConfig -TLSReceiveDomainSecureList <remotedomain>.com, <remotedomain>.net


    Xiu Zhang

    TechNet Community Support

    Friday, January 13, 2012 8:21 AM
  • Thanks!

    As I stated though, I'm somewhat new to Exchange so please bear with me. I'm using different self-signed certs on both the Exchange server and the SmartHost. Are you saying I need to install the Exchange server's cert onto the SmartHost?

    Then, in your transportconfig statement, which machine is the remotedomain? (you've got it listed twice) Is one supposed to be the Exchange server and one the SmartHost?

    Thanks,

    Ben

    Friday, January 13, 2012 1:56 PM
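
A way to check what the import methods listed in the question actually achieved, as an added PowerShell example that is not part of the thread: it builds the chain for signed.crt against the computer-account stores and reports whether CA.crt sits in the machine's Trusted Root store or only in the current user's. The `C:\certs` paths and the function names `Test-MachineTrust` and `Find-InStore` are assumptions.

```powershell
# Added diagnostic example (not from the thread). Paths are assumptions.
$caPath   = 'C:\certs\CA.crt'      # hypothetical location of the smart host's CA cert
$leafPath = 'C:\certs\signed.crt'  # hypothetical location of the smart host's signed cert

function Test-MachineTrust {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # $true = build the chain in the machine context (LocalMachine stores),
    # which is what a service sees, rather than the logged-on user's stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    # A private test CA normally publishes no CRL, so skip revocation here.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Trusted    = $trusted
        # Empty when the chain is clean; otherwise e.g. UntrustedRoot, NotTimeValid.
        Problems   = @($chain.ChainStatus |
                       ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

function Find-InStore {
    param([string]$Thumbprint, [string]$StoreName, [string]$Location)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, $Location
    $store.Open('ReadOnly')
    try {
        # $false = also match certificates that are not currently valid.
        $hits = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        return ($hits.Count -gt 0)
    } finally { $store.Close() }
}

# Where did the CA certificate end up: machine store, user store, or neither?
$ca = Test-MachineTrust $caPath
foreach ($loc in 'LocalMachine', 'CurrentUser') {
    "{0}\Root contains CA: {1}" -f $loc, (Find-InStore $ca.Thumbprint 'Root' $loc)
}

# Does the smart host's certificate chain to a root the machine trusts?
Test-MachineTrust $leafPath | Format-List Subject, Issuer, NotAfter, Trusted, Problems
```

A `Trusted` value of `True` means the Exchange server's computer account already trusts the smart host's chain. The Queue Viewer text attributes the `454 4.7.5` response to the target host, which this local check does not cover.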