Adding domains to current certificate
Exchange 2007 SP2. If I execute this command: get-exchangeCertificate | fl, I can see that the certificate has 2 domains: <pcname, pcname.mydomain.local>. This causes event ID 12014 in my event viewer: Microsoft Exchange couldn't find a certificate that contains the domain name <external_smtp_domain> in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default <PCNAME> with a FQDN parameter of <external_smtp_domain>. .... Reading on the web, it actually seems related to the domain names included in the above certificate. So, my question is: how can I add domains to the current certificate? And if I have to create a new one, what is the exact syntax to specify domain names in the New-ExchangeCertificate cmdlet? Thanks for the help.
March 2nd, 2010 6:53pm

As I understand it, the issue occurs because the external domain name isn't added to the current certificate properly, right? Event 12014 is a Warning event that indicates that a problem occurred while loading a certificate to be used for STARTTLS. For "How to Troubleshoot STARTTLS Certificate Error 12014", please refer to the link below: http://technet.microsoft.com/en-us/bb510128(EXCHG.80).aspx If you have to create a new Exchange Certificate, please check the link below: http://technet.microsoft.com/en-us/aa998327(EXCHG.80).aspx More information I found on the internet is below; you may try it.
New-ExchangeCertificate -GenerateRequest -DomainName mail.contoso.com,autodiscover.contoso.com,server01.contoso.local,server01 -FriendlyName contosoinc -KeySize 1024 -PrivateKeyExportable:$True -SubjectName "c=US, o=contoso inc, CN=server01.contoso.com" -Path c:\certrequest.txt
March 3rd, 2010 6:34am

Yes, you need to create a new certificate request with the syntax below:
New-ExchangeCertificate -GenerateRequest -SubjectName "C=dk, O=EHLO organization, CN=mailehlo.dk" -DomainName mail.ehlo.dk, autodiscover.ehlo.dk, cas01.ehlo.dk, cas02.ehlo.dk -FriendlyName "CAS SAN Certificate" -KeySize 1024 -Path c:\CAS_SAN_cert.req -PrivateKeyExportable:$true
With the request file you need to generate a certificate from the cert server and then import it into Exchange.
Mahendra
March 3rd, 2010 11:31am

You can't add a domain into the current cert. You have to create a new CSR and get your CA to certify your public key.
March 3rd, 2010 11:57am

Mahendra, I usually renew the cert using the PowerShell syntax:
1) Get the thumbprint of the current cert: Get-ExchangeCertificate -DomainName "my.domain.local" | fl
2) Renew the cert: Get-ExchangeCertificate -Thumbprint "<expired_thumbprint>" | New-ExchangeCertificate
3) Drop the old cert: Remove-ExchangeCertificate -Thumbprint "<expired_thumbprint>"
4) Enable in IIS: Enable-ExchangeCertificate -Thumbprint <new_thumbprint> -Services IIS
Using this way, I don't send the request to any CA, but all is done internally in Exchange. Using this scheme ... can I add domain information?
Thanks for the help.
March 3rd, 2010 4:23pm

Hi, the method you follow generates a Self Signed certificate. You cannot modify the self signed certificate to add domains to it. For adding multiple domains to a cert you need to generate a cert request as given above and create a SAN certificate, which can be done through a cert server. Please check the link below for details of creating a SAN certificate and importing the same in Exchange. http://blog.meigh.eu/2010/01/27/creating-a-new-ssl-certificate-in-exchange-2007-cas.aspx?ref=rss
Mahendra
March 3rd, 2010 4:53pm
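As an added example, not code from the thread or from Microsoft's documentation, here is the CA-signed SAN procedure the replies describe as one Exchange Management Shell script for Exchange 2007: it gathers the FQDN each SMTP connector presents in STARTTLS (the name event 12014 complains about), puts every required name into the request, and after the CA has issued the certificate imports it, enables it for SMTP and IIS, and checks that no connector FQDN is missing from the certificate's domains. The contoso.com names, the C:\certs paths and the issued .cer file name are placeholders.

```powershell
# Added example for Exchange 2007 SP2 (Exchange Management Shell).
# Placeholders to replace: contoso.com / contoso.local names, C:\certs paths,
# and the name of the .cer file the CA returns.

# 1) Collect every name the certificate has to cover: the FQDN of each
#    Receive and Send connector on this server (Send connectors may have none),
#    plus the server's own names and the client-facing names.
$server = $env:COMPUTERNAME
$connectorFqdns = @()
$connectorFqdns += Get-ReceiveConnector -Server $server |
    ForEach-Object { if ($_.Fqdn) { $_.Fqdn.ToString() } }
$connectorFqdns += Get-SendConnector |
    ForEach-Object { if ($_.Fqdn) { $_.Fqdn.ToString() } }
$connectorFqdns = $connectorFqdns | Where-Object { $_ } | Select-Object -Unique

$domainNames = @(
    "mail.contoso.com",          # placeholder: external SMTP / OWA name
    "autodiscover.contoso.com",  # placeholder: Autodiscover name
    "$server.contoso.local",     # internal FQDN (placeholder domain)
    $server                      # short host name
) + $connectorFqdns | Where-Object { $_ } | Select-Object -Unique

# 2) Generate the request. Each -DomainName entry becomes a Subject Alternative
#    Name in the CSR; the private key is created and kept on this server.
$requestPath = "C:\certs\exchange_san.req"
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=mail.contoso.com" `
    -DomainName ([string]::Join(",", [string[]]$domainNames)) `
    -FriendlyName "Exchange SAN certificate" `
    -KeySize 2048 `
    -PrivateKeyExportable:$true `
    -Path $requestPath
Write-Host "Submit $requestPath to your CA, save the issued .cer, then run steps 3-5."

# --- steps 3-5 run after the CA has returned the certificate ---

# 3) Import the issued certificate; it pairs with the private key from step 2.
$issued = Import-ExchangeCertificate -Path "C:\certs\exchange_san.cer"

# 4) Enable it for SMTP (what STARTTLS needs) and IIS (OWA, EWS, ActiveSync).
Enable-ExchangeCertificate -Thumbprint $issued.Thumbprint -Services SMTP,IIS

# 5) Verify: every connector FQDN must be among the certificate's domains,
#    otherwise event 12014 will keep appearing for that connector.
$cert = Get-ExchangeCertificate -Thumbprint $issued.Thumbprint
$certDomains = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $connectorFqdns | Where-Object { $certDomains -notcontains $_.ToLower() }
if ($missing) {
    Write-Warning ("Connector FQDNs not on the certificate: " + [string]::Join(", ", [string[]]$missing))
} else {
    Write-Host "All connector FQDNs are covered by certificate $($cert.Thumbprint)."
}
```

Run step 5 again against any certificate that already has the SMTP service enabled to confirm which one the connector will pick; the old self-signed certificate can be removed with Remove-ExchangeCertificate only after the check passes for the new one.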

Thanks. Unfortunately the pictures in the given link are not ordered ... so I'll reorder them by saving the HTML source. BTW, I am always scared about what can go wrong doing this work and whether it is possible to break some important functionality. Thanks for your help.
March 3rd, 2010 5:54pm

Nothing can go wrong if you follow the steps given in the article. Also it will not break any functionality, as you can always revert back if there is any problem with the generated certificate. We have tested and implemented this in our environment. Check if you see the images in the link below: http://blogs.microsoft.co.il/blogs/dand/archive/2009/06/22/creating-a-new-ssl-certificate-in-exchange-2007-cas.aspx
Mahendra
March 3rd, 2010 6:18pm
