Exchange 2013 SSL Certs

  • Question

  • My Exchange servers have lost all SSL certs. We are in testing, so we are just using self-signed certs. My first Exchange server is giving me an error on the Web Management Service and won't allow it to start; the error I find is:

    Microsoft Exchange could not load the certificate with thumbprint of E53D989B8A448375E903A0AB7CCC823A42B0F076 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate E53D989B8A448375E903A0AB7CCC823A42B0F076 -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint 0186F48794A78EA5E7CE3F9351B3E394D1AF63A7 is being used.

    I have recreated self-signed certs in the EAC with the server FQDN as well as the external FQDN, but this did not solve my issue. I am very new to Exchange and am learning as I go, so any help with this issue would be much appreciated.

    Thanks


    Devin Berard I.T Support Renfrew Victoria Hospital, Renfrew ON berardd@renfrewhosp.com

    Wednesday, August 6, 2014 12:17 PM

Answers

  • When you say "my first Exchange 2013 server", I assume that you have a single CAS+MBX Exchange 2013 server.

    Could you open IIS Manager and confirm that you have a certificate assigned to the Default Web Site - HTTPS Binding/Port 443, and Exchange Back End web site - HTTPS binding/Port 444. You might find helpful the following video:


    Then, make sure that the Exchange 2013 self-signed cert is assigned to the SMTP, IIS, POP, and IMAP services. You can perform this in EAC (edit the cert properties) or in EMS with the Enable-ExchangeCertificate cmdlet.


    Step by Step Screencasts and Video Tutorial

    Wednesday, August 6, 2014 1:00 PM
  • In this case you need to do the following:

    1. Open IIS Manager

    2. Choose the server name in the navigation pane, then scroll down and under "Management" double-click Web Management Service

    3. Use the browse button and assign the certificate that you've generated. Then start the service:

    Assign certificate to IIS Web Management Service


    Step by Step Screencasts and Video Tutorial

    • Marked as answer by Berardd Wednesday, August 6, 2014 2:50 PM
    Wednesday, August 6, 2014 2:20 PM
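The root cause in this thread is a binding (Default Web Site on 443, Exchange Back End on 444, or the Web Management Service) that still references a thumbprint whose certificate was deleted from the personal store. The following PowerShell check is an added example, not code from the thread or from Microsoft: it lists every HTTP.SYS SSL binding via `netsh http show sslcert` and flags those whose thumbprint is no longer in `Cert:\LocalMachine\My`. It assumes it is run in an elevated session on the Exchange/IIS server and that the English `netsh` output labels are used.

```powershell
# Added example (not from the original thread). Cross-checks every SSL binding
# registered with HTTP.SYS against the LocalMachine\My (personal) store and
# reports bindings that point at a thumbprint that no longer exists there.
# Assumptions: elevated session on the Exchange/IIS server; English netsh output.

function Get-DanglingSslBindings {
    # Thumbprints that actually exist in the personal store, normalised to upper case.
    $installed = Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

    # Each binding block in "netsh http show sslcert" starts with an "IP:port"
    # (or "Hostname:port") line and contains a "Certificate Hash" line.
    $lines    = netsh http show sslcert
    $bindings = @()
    $current  = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Thumbprint = $null }
            $bindings += $current
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
            # $current is a reference, so this also updates the entry already in $bindings.
            $current.Thumbprint = $Matches[1].ToUpperInvariant()
        }
    }

    foreach ($b in $bindings) {
        [pscustomobject]@{
            Endpoint   = $b.Endpoint      # e.g. 0.0.0.0:443 (front end), :444 (back end), :8172 (WMSvc default)
            Thumbprint = $b.Thumbprint
            InStore    = ($null -ne $b.Thumbprint -and $installed -contains $b.Thumbprint)
        }
    }
}

# Show only the broken bindings; an empty result means every binding resolves to a real cert.
Get-DanglingSslBindings | Where-Object { -not $_.InStore } | Format-Table -AutoSize
```

Any endpoint listed here must be re-pointed at an existing certificate (IIS bindings for 443/444, and the Web Management Service page for the WMSvc port) before the corresponding service will start.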

All replies

  • Hi Devin

    You can try the following

    • Go to the Exchange Management Console and see what roles are assigned to the certificate.
    • Check if bindings in IIS have been removed binding it to this certificate.

    hope this helps

    Wednesday, August 6, 2014 12:23 PM
  • Yes, this cert is bound to IIS, SMTP, POP and IMAP.

    Devin Berard I.T Support Renfrew Victoria Hospital, Renfrew ON berardd@renfrewhosp.com

    Wednesday, August 6, 2014 12:53 PM
  • Thanks, that fixed another issue I was having with the Exchange Shell, but I still can't get that service to start. I am also now seeing this error.

    The description for Event ID 1007 from source Microsoft-Windows-IIS-IISManager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE

    Unable to read the certificate with thumbprint '3ca15060c0e0cb6a8a3e8db24b0168dd2882e122'.  Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.

    Process:WMSvc

    User=NT AUTHORITY\LOCAL SERVICE

    the message resource is present but the message is not found in the string/message table



    Devin Berard I.T Support Renfrew Victoria Hospital, Renfrew ON berardd@renfrewhosp.com

    Wednesday, August 6, 2014 1:47 PM
  • Thank you very much. This is all new to me and can get confusing when you've never seen the issue before.


    Devin Berard I.T Support Renfrew Victoria Hospital, Renfrew ON berardd@renfrewhosp.com

    Wednesday, August 6, 2014 2:51 PM
  • This was a great help, when changing over our SSL cert, we had removed the old and forgotten to apply it to the Exchange Back End as well. Applying it fixed it immediately.
    Wednesday, January 7, 2015 1:54 PM
  • Thank you, it works for me.
    Sunday, December 27, 2015 8:43 AM
  • Recently I updated the Exchange certificate on a single CAS/MBX Exchange Server 2013 by running Enable-ExchangeCertificate.

    Remote PowerShell was broken. At first it did not work, with a 400 error. I ran

    "winrm quickconfig" (https://support.microsoft.com/en-us/kb/2027064)

    but it had not helped. The error simply changed to [FailureCategory=Cafe-SendFailure].

    The problem was that the certificate had not been bound to the "Exchange Back End" site. I bound it manually and it worked like a charm.

    Thanks for the solution!


    MCTS

    Thursday, December 31, 2015 11:19 AM
  • Many thanks for this - this has just fixed my issue.

    I uninstalled some filtering software from my company's Exchange server that I thought had caused this issue, but after a server restart the problem started.

    I removed the original self signed certificate yesterday - obviously after a restart the problem has shown.

    Monday, April 25, 2016 9:43 PM
  • This saved my bacon. Thank you.
    Thursday, July 21, 2016 10:40 PM