Certificate issue, TLS error, Self-signed Certificate

    Question

  • I deleted the certificate that Exchange created during installation. Now I would like to set that one up again; I want to add domains like autodiscover.domain.corp, FQDN1, FQDN2 and a CNAME to establish TLS between Exch2003, Exch2010-1 and Exch2010-2. The two Ex2010 servers are part of a DAG.

    I am getting event ID 12014:

    Microsoft Exchange could not find a certificate that contains the domain name Exch2010-1.siteA.domain.corp in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of Exch2010-1.siteA.domain.corp. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.


    There is no cert with the FQDN of the hostname on either Exch2010 server. The SSL cert has the following domains:

    mail.domain.corp
    mail.publicdomain.com
    imap.publicdomain.com

    Question 1: Can I add a self-signed certificate for intranet purposes so TLS can work? I created a cert request from the GUI and now I am not sure where to get it signed. We don't have a CA installed on our site and don't want to. The IIS manager does not allow multiple domains when creating a self-signed one, or maybe I am not familiar with that. Can you point me in that direction?

    Question 2: Is having multiple certs a bad practice? I guess not, but still asking.

    Question 3: Someone also mentioned modifying the Default Receive connector's FQDN to "mail.domain.corp" (unselect Exchange auth) and adding another connector with the FQDN of "hostname" that only Exchange servers use for that authentication. Is that correct?



    21 June 2012 21:39

Answers

All Replies

  • There is no need to go with a self-signed cert. You can still use the new certs that you generated; just make sure that you assign the cert to the SMTP service using the Enable-ExchangeCertificate cmdlet or the GUI, and then restart the transport service.

    The name in the default receive connector will impact TLS, but if you leave it blank, it should revert to the server name that does match one of your certs... not even sure if Exchange checks the subject of the cert for internal relays... I suspect not.


    Casper Pieterse, Principle Consultant - UC, Dimension Data North America, Microsoft Certified Master: Exchange 2007 / 2010

    22 June 2012 5:32
  • The name in the default receive connector will impact TLS, but if you leave it blank, it should revert to the server name that does match one of your certs...

    There is currently only one cert installed and it has all the services assigned to it. It DOESN'T have an entry to match the server name. I think that is the problem.

    Since I deleted the cert it created at the time of install, I now don't have a cert with the server name. Also, I don't have the CA services role installed, nor do I want to.

    What is an alternate way to self-sign a cert with SubAltNames?

    22 June 2012 17:06
  • The server name is not needed in the cert. You need to change the URLs for the OAB, Autodiscover and EWS to use the name on the cert. Be sure you set the SCP internalautodiscoveruri as well. It can be validated by running Get-ClientAccessServer | fl Server,*uri*; then you can run Set-ClientAccessServer to change it.

    Mitch Roberson MCM Exchange 2010|MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003

    22 June 2012 17:19
  • I believe he is asking about SMTP communication, in which case you should be able to change the FQDNs on your receive connectors to match a name on the certificate to resolve the issue.

    Chris Morgan


    22 June 2012 19:29
  • Oops, not sure how I missed that. Chris, good catch, and an easy fix.
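The two fixes the replies converge on (enable the existing cert for SMTP, and point each connector's FQDN at a name that is actually on the cert) as an added check script, not code from any participant in this thread. It assumes the Exchange 2010 Management Shell on the Hub Transport server and that "mail.domain.corp" (a name from the question) is one of the certificate's domains; it only reports unless -Fix is passed.

```powershell
# Added example, not code from the thread. Assumes the Exchange 2010 Management Shell on a
# Hub Transport server and that $CertName (here "mail.domain.corp", a name from the thread)
# is one of the domains on the installed certificate. Reports only unless -Fix is given.
param(
    [string]$CertName = 'mail.domain.corp',
    [switch]$Fix
)

# 1. Pick the newest unexpired certificate in the personal store whose domains include $CertName.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -gt (Get-Date) -and
                   (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $CertName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate containing '$CertName' is in the personal store." }
$certDomains = @($cert.CertificateDomains | ForEach-Object { "$_" })
Write-Host ("Using {0} (expires {1:yyyy-MM-dd}); domains: {2}" -f `
    $cert.Thumbprint, $cert.NotAfter, ($certDomains -join ', '))

# 2. The transport service can only offer STARTTLS with a certificate enabled for the SMTP service.
if ("$($cert.Services)" -notmatch 'SMTP') {
    Write-Host 'Certificate is not enabled for SMTP (Enable-ExchangeCertificate -Services SMTP needed).'
    if ($Fix) { Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Force }
}

# 3. Each connector presents its Fqdn in STARTTLS; a blank Fqdn falls back to the server FQDN,
#    which is exactly the name event 12014 complains about in this thread.
$serverFqdn = "$((Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn)"
$connectors = @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + @(Get-SendConnector)
foreach ($c in $connectors) {
    $fqdn = if ("$($c.Fqdn)") { "$($c.Fqdn)" } else { $serverFqdn }
    if ($certDomains -contains $fqdn) { continue }   # name is on the cert: no 12014 for this connector
    Write-Host ("MISMATCH: {0} presents '{1}', which is not on the certificate" -f $c.Identity, $fqdn)
    if ("$($c.AuthMechanism)" -match 'ExchangeServer') {
        # Question 3 in the thread: a receive connector with Exchange Server authentication keeps
        # the server name, so it needs a cert with that name or a separate connector without it.
        Write-Host '  uses Exchange Server authentication; left unchanged'
    } elseif ($Fix) {
        if ($c.PSObject.Properties['Bindings']) {       # only receive connectors have Bindings
            Set-ReceiveConnector -Identity $c.Identity -Fqdn $CertName
        } else {
            Set-SendConnector -Identity $c.Identity -Fqdn $CertName
        }
    }
}
# Transport re-reads certificates and connector settings on restart (the first reply's last step).
if ($Fix) { Restart-Service MSExchangeTransport }
```

Run it once without -Fix to see which connectors would be changed before applying anything.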

    Mitch Roberson MCM Exchange 2010|MCITP:Enterprise Server Admin, Messaging 2007, 2010 |MCTS:OCS with Voice Achievement |MCT |MCSE 2000\2003 |MCSE Messaging 2000\2003

    22 June 2012 19:38