Exchange 2007 certificates driving me nuts !!
I am running Exchange 2007 SP1 in an Active Directory environment. We have a HubTransport server (internal) and an EdgeTransport server (external). I had to purchase a 3rd party cert to get some of our handheld devices to work. This was done and all is ok ... for now. I recently;y received an error message on the EdgeTransport server saying "An internal transport certificate will expire soon. Thumbprint:D4C4146E202AA988562B1CB2C9D1379B7F19C4AB, hours remaining: 716" I ran the New-ExchangeCertificate command and then re-subscribed the EdgeTransport Mail flow is working fine but the Hub Transport server is seeing the following errors now "The connection to the ADAM instance of the Edge Transport server failed with exception "The LDAP server is unavailable.". This could be caused by a failure to resolve the Edge Transport server name n1-i-mailfe-01.company.com in DNS, a failure when trying to connect to port 50636 on Edge Transport server n1-i-mailfe-01.company.com, network connectivity issues, an invalid certificate, or an expired subscription. Verify the configurations of your network and server." I am also getting the error " Microsoft Exchange couldn't match certificate when contacting n1-i-mailfe-01.company.com. The connection was stopped." I have verified the HubTransport can resolve the fqdn and that port 50636 is available. My question is ............. Since I renewed the Exchange certificate on the EdgeTransport do I somehow have to put it on the HubTransport server, i.e. do they have to match ? The get-exchangecertificate |fl command returns the following: HubTransport ========== AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessCon trol.CryptoKeyAccessRule} CertificateDomains : {exmail.company.com, www.exmail.company.com, n1-i-mailbe-01.company.com, mail.company.com, n1-i-mailbe-0 1.company.net} HasPrivateKey : True IsSelfSigned : False Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com , Inc.", L=Scottsdale, S=Arizona, C=US NotAfter : 7/30/2010 5:07:44 PM NotBefore : 7/31/2009 2:20:20 PM PublicKeySize : 2048 RootCAType : ThirdParty SerialNumber : 047C36E6E70FB2 Services : IIS, SMTP Status : Valid Subject : CN=exmail.company.com, OU=Domain Control Validated, O=exmail.company.com Thumbprint : 72FD7961C92190A75F769F7596C7629AF506E857 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessCon trol.CryptoKeyAccessRule} CertificateDomains : {n1-i-mailbe-01, n1-i-mailbe-01.company.net} HasPrivateKey : True IsSelfSigned : True Issuer : CN=n1-i-mailbe-01 NotAfter : 1/26/2010 3:03:15 PM NotBefore : 1/26/2009 3:03:15 PM PublicKeySize : 2048 RootCAType : Registry SerialNumber : E74F08E9BB0AEDB648AB5B665189763B Services : IMAP, POP, SMTP Status : Valid Subject : CN=n1-i-mailbe-01 Thumbprint : 57ADFE96919353F3EEFB1E36DD3C0C5B2B4E71A4 EdgeTransport =========== AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {n1-i-mailfe-01, n1-i-mailfe-01.company.com} HasPrivateKey : True IsSelfSigned : True Issuer : CN=n1-i-mailfe-01 NotAfter : 1/20/2011 11:22:42 AM NotBefore : 1/20/2010 11:22:42 AM PublicKeySize : 2048 RootCAType : None SerialNumber : 8B120AFCE167219649B7681350C4C4DA Services : SMTP Status : Valid Subject : CN=n1-i-mailfe-01 Thumbprint : 68BC1424D398DA369BFED5B4722A369CC1A96151 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {n1-i-mailfe-01, n1-i-mailfe-01.company.com} HasPrivateKey : True IsSelfSigned : True Issuer : CN=n1-i-mailfe-01 NotAfter : 2/19/2010 11:37:32 AM NotBefore : 2/19/2009 11:37:32 AM PublicKeySize : 2048 RootCAType : None SerialNumber : 89869B0565688F984D0BA24E02B06CB8 Services : SMTP Status : Valid Subject : CN=n1-i-mailfe-01 Thumbprint : D4C4146E202AA988562B1CB2C9D1379B7F19C4AB
January 20th, 2010 10:25pm

Hi,Have you done this already?http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspxThe above link is a procedure on configuring Exchange Server Certificates, it's agood start to find the missing link of your problem. I guess you don't need to buy a third party certificate for your handheld devices if you have read that, unless it's a business standard of your company.Regards,LRMCP
Free Windows Admin Tool Kit Click here and download it now
January 22nd, 2010 11:30am

What results return Start-EdgeSync and Test-EdgeSync cdmlets?http://okrylov.wordpress.com
January 22nd, 2010 12:50pm

Edgesync seems to be working again now even though I didn't do anything :-o The issue at hand is that the EdgeTransport server has the self signed SMTP certificate due to expire on 19th February 2010. To resolve this I used the New-ExchangeCertificate command. As you can see we now have two valid SMTP certs on the server. Do I now just have to redo the Edgesubscription and all will be fine ? Which of the SMTP certs will be used during the edgesync process ? When the one on 26th expires do I need to do anything or because I also have another valid one I should be ok ? Aside from the issue above I have a self signed cert on the Hub Transport that is due to expire on 26th January 2010 (IMAP, POP, SMTP) We have a 3rd party cert that expires on 30th July 2010 (IIS, SMTP) because some of our users have Palm Pre and they don't like self signed certs The HubTransport is not flagging the expiration of the 26th January cert. Is that because it can use the 3rd party one ? Running the command: Get-TransportServer <Server Name> | Format-List Name,InternalTransportCertificateThumbprint HubTransport server is using the 3rd party cert due to expire 30th July 2010 EdgeTransport server is using the self signed cert due to expire on 19th February 2010 Apologies for all the questions but I just need to understand if my Exchange setup will break because of the certs I am using ..... Thanks for all the help.
Free Windows Admin Tool Kit Click here and download it now
January 22nd, 2010 8:50pm

Hi,I have to clarify something and answer it as far as I know,see the text in bold:The issue at hand is that the EdgeTransport server has the self signed SMTP certificate due to expire on 19th February 2010.To resolve this I used the New-ExchangeCertificate command. As you can see we now have two valid SMTP certs on the server.= Did you run this command "import-exchangecertificate -path c:\yourcertificate.file | enable-exchangecertificate -services iis,smtp,imap,pop,um after your certificate request? You have to run this command to avoid conflicts of issued certificates.Do I now just have to redo the Edgesubscription and all will be fine ?= You can renew the edgesubscription after enabling/importing the new certificates for edge and hub transport. If it'll works then the issue is related to synchronization and certificate mismatch.Which of the SMTP certs will be used during the edgesync process ?= When you run the import/enable the command with the -services parameter of IIS,SMTP etc, the new issued certificate for IIS,SMTP will be used. If you will not specify the -services parameter, the IIS,SMTP will use the old certificate which will cause you a problem.When the one on 26th expires do I need to do anything or because I also have another valid one I should be ok ?= You can enable the valid certificate, just make sure that the -services parameter is included or create a new certificate requestAside from the issue above I have a self signed cert on the Hub Transport that is due to expire on 26th January 2010 (IMAP, POP, SMTP)= This will not be an issue as long as you have a new certificate, import/enable it together with the right -services parameterWe have a 3rd party cert that expires on 30th July 2010 (IIS, SMTP) because some of our users have Palm Pre and they don't like self signed certs= This will not be an issue as long as you have a new certificate, import/enable it together with the right -services parameterThe HubTransport is not flagging the expiration of the 26th January cert. Is that because it can use the 3rd party one ?=Is the Hub Transport is currently using the certificate that will expire on january 26th? Please verify, it'll flag if it will reach the expiration date.Note:One worst issue that you will experience is that you might be able to have a sending issues for your mobile devices if youre certificates is not properly configured and issued.Heres a quick referrence on using certificate for exchange 2007http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.htmlregards,LRMCP
January 25th, 2010 9:56am

Many thanks for the detailed instructions. I think I know what to do now but just to be sure I'd like to run this by you ..... On the EdgeTransport serve I currently have two SMTP self signed certs. One due to expire on 19th February 2010 and the other to expire on 20th January 2011 I want to create a new edgesubscription file that will use the 20th January 2011 cert to establish a secure connection between my HubTransport and EdgeTransport I will run 'Enable-ExchangeCertificate -Services SMTP -thumbprint <thumbprint of 20th January 2011 cert> ' to make sure that is the one that will be used I will then run 'New-EdgeSubscription -FileName 'C:\Temp\EdgeSubscriptionInfo.xml ' On the HubTransport I will run 'import-exchangecertificate -path C:\Temp\EdgeSubscriptionInfo.xml | enable-exchangecertificate -services SMTP ' To verify all is working I will use the 'Test-EdgeSynchronization' and 'Start-Edgesynchronization' commands The only outstanding questions I have are: [1] We have a 3rd party cert on the HubTransport enabled for SMTP and IIS services. This cert is due to expire30th July 2011 We also have a self signed cert on the Hub Transport enabled for IMAP, POP, SMTP (this was part of the initial installation) due to expire 26th January 2010 when we bought the 3rd party cert in July 2010 I used the Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "SMTP, IIS" command Am I correct in saying that the 3rd party cert is used for IIS access and the self signed one for SMTP between the HubTransport and the EdgeTransport, or is the 3rd party one being used both for IIS and SMTP ? There are no warnings about a certificate due to expire soon so I guess the 3rd party one is being used for SMTP and IIS ? Running the Get-TransportServer <HubTransport server> | Format-List Name,InternalTransportCertificateThumbprint gives me the 3rd party cert [2] Certificates are used to encrypt traffic between the EdgeTransport and the HubTransport server. Do they each use a different certificate or should I see the same cert on the EdgeTransport and the HubTransport ? [3] When running the 'New-EdgeSubscription' command on the EdgeTransport server is the SMTP cert on the server referenced in any way or is that a completely different matter ? (i.e. the edgesync process relies on having valid cert on the server but does not reference it in any way). The reason for asking is that we have two SMTP certs on the EdgeTransport and if the New-EdgeSubscription somehow references a cert then I want to be sure that the new on is used, not the one due to expire soon. Many thanks for your patience !
Free Windows Admin Tool Kit Click here and download it now
January 25th, 2010 9:38pm

Sorry to double post but I have been thinking a bit more on this and it seems like I'm over complicating things. The issue at hand is that a certificate used for internal trust on our EdgeTransport server is due to expire. Looking on Technet (http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12017&EvtSrc=MSExchangeTransport&LCID=1033 ) the instructions given are to: - Generate a new cert on the EdgeTransport using 'New-ExchangeCertificate ' - Resubscribe the the EdgeTransport server Is it as simple as that or do I need to use the 'Enable-ExchangeCertificate' command at any stage ?
January 25th, 2010 9:53pm

Hi,Your Hub Transport and Edge Transport Server are currently using the self-signed certificate which will expire soon (Correct me if i'm wrong). That event ID was explained here (http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12017&EvtSrc=MSExchangeTransport&LCID=1033 ).The New-ExchangeCertificate cmdlet will create a self-signed certificate, renew an existing self-signed certificate, or generate a new certificate request for obtaining a certificate from a certification authority (CA). Since you have a third party CA, create a new request for Edge,Hub Transport and Client Access Server (Please verify your CAS). Enable/Import this certificate with necessary -services parameter that your exchange server (Example: Edge parameter is -services SMTP, CAS is -services IIS,IMAP,POP) is using. On the Edge Transport Server, create and export the new Edge Subscription, see this link as your guide http://technet.microsoft.com/en-us/library/aa997438.aspx and http://technet.microsoft.com/en-us/library/aa997590.aspx. On the Hub Transport Server copy the edge subscription file, see this link as your guide http://technet.microsoft.com/en-us/library/aa995991.aspx . Then test the subscription by using Test-EdgeSynchronization cmdlets.Note: Do this only on the off-operations hours.regards,LRMCP
Free Windows Admin Tool Kit Click here and download it now
January 26th, 2010 5:53am

Only the EdgeTransport server is complaining about a certificate expiring soon. The HubTransport server is using a 3rd party cert for SMTP and IIS that won't expire until 30th July 2010 So I guess all I have to do is generate the new self signed cert on the EdgeTransport server and then resubscribe the HubTransport server ? Do I need to run the Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services SMTP command on the EdgeTransport sever before I resubscribe the HubTransport ? Thanks !
January 28th, 2010 12:20am

Hi,Yes you have to run import-exchangecertificate -path c:\yourcertificate.file | enable-exchangecertificate -services SMTPLet me know the progress.Thanks.LRMCP
Free Windows Admin Tool Kit Click here and download it now
January 28th, 2010 12:10pm

Apologies for sounding really stupid here but after I have generated the new certificate on the EdgeTransport server I then enable it on the EdgeTransport server. Do I then need to copy it to my HubTransport server and import and enable it also ? I'm not sure why I would need to run the import command on the same server I have just generated the cert on. Isn't that used if I am copying the cert to another server ? As far as I know I just create the cert on the EdgeTransport and enable it on the EdgeTransport and then just go through a regular re-subcription process for the HubTransport (generate the new subscription file, copy to HubTransport and then run the new-EdgeSubscription cmd) Thanks again
January 28th, 2010 10:02pm

Hi,The self-signed certificate is usuable at certain period of time, I think 1 yr (correct me if i'm wrong). If you need a certificate that will work longer than the self-signed and your edge server uses TLS then you need your CA to validate your certificate.Again,the Edge server can create a self signed certificate, however it needs to be validated by your Certificate Authority Server, once you submit a certificate request from your CA, it'll give you a certificate file (certfilename.cer) which you will run the "import-exchangecertificate -path c:\yourcertificate.cer | enable-exchangecertificate -services SMTP".It's also stated in the technet that "Use the New-ExchangeCertificate cmdlet to create a self-signed certificate, renew an existing self-signed certificate, or generate a new certificate request for obtaining a certificate from a certification authority (CA)."Lastly, this also will work "As far as I know I just create the cert on the EdgeTransport and enable it on the EdgeTransport and then just go through a regular re-subcription process for the HubTransport (generate the new subscription file, copy to HubTransport and then run the new-EdgeSubscription cmd)". The above scenario is another approach, you can choose which is most convenient on you and can address your requirements.Let me know on the progress and if you need to clarify something.Thanks.LRMCP
Free Windows Admin Tool Kit Click here and download it now
January 29th, 2010 5:09am

Thanks for the really clear reply. I will get this done over the next week or so and let you know. Many thanks,
January 29th, 2010 9:56pm

I successfully ran the following commands and all is well. Thanks for all your help !!!! Get-ExchangeCertificate | list (to see list of certs on server) Get-ExchangeCertificate <thumbprint of cert about to expire> | New-ExchangeCertificate (To clone the existing cert ) Get-TransportServer | Format-List Name,InternalTransportCertificateThumbprint (to verify which cert is being used) I then re-subscribed the EdgeTransport to the HubTransport server New-EdgeSubscription -FileName "C:\Temp\EdgeSubscriptionInfo.xml" (on EdgeTransport) Copy the xml file to the HubTransport Import-exchangecertificate -path "C:\Temp\EdgeSubscriptionInfo.xml" (on the HubTranpsort) Test-EdgeSynchronization (on the Hub Transport) **** NOTE - I had to restart the ADAM service on the EdgeTransport server to get the sync to work *****
Free Windows Admin Tool Kit Click here and download it now
March 2nd, 2010 12:55am

Hi Hubbardt I see all went well with the renewal. after cloning the certificate did you have to run the:( Enable-ExchangeCertificate -Thumbprint "new thumbprint -Service SMTP) command on the edge server?
April 15th, 2010 12:29am

Hi, I actually didn't have to run the Enable-ExchangeCertificate command. SMTP is enabled by default.If I was using this cert for other stuff (like POP or IIS) then I would probably have had to run the command but we are using a 3rd party cert for that instead.i.e. we use self signed cert for internal SMTP communications and 3rd party cert for IIS Hope this helps
Free Windows Admin Tool Kit Click here and download it now
April 16th, 2010 6:31pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics