MS Exchange Transport Error

Hi Sirs,

I have a problem regarding Exchange Server 2007; kindly review and check my problem.

Microsoft Exchange couldn't find a certificate that contains the domain name mail.maritimeclinic.net in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Outgoing email with a FQDN parameter of mail.maritimeclinic.net. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I already read some of the answers here but I'm still having this problem.

Thanks in advance!

Warm Regards,


Sean Rivera

August 5th, 2013 6:41am

Here is my get cert

[PS] C:\Documents and Settings\Administrator.MCIS>Get-ExchangeCertificate |FL


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mcismail, mcismail.mcis.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mcismail
NotAfter           : 8/5/2014 4:43:41 PM
NotBefore          : 8/5/2013 4:43:41 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : EDD362225018A7954A3A61583E878CAD
Services           : SMTP
Status             : Valid
Subject            : CN=mcismail
Thumbprint         : ED9927F58A1301C74676CEF4C43087BCFA4FD61C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mcis-mail, mcis-mail.mcis.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mcis-mail
NotAfter           : 4/26/2014 3:26:58 PM
NotBefore          : 4/26/2013 3:26:58 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : B0740C0BB72161894C25B261ABC5AAB3
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=mcis-mail
Thumbprint         : 2C0F01DEF4B679B46E8D733C3B04399B4DE26F50

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mcis-mail, mcis-mail.mcis.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mcis-mail
NotAfter           : 4/26/2014 2:17:36 PM
NotBefore          : 4/26/2013 2:17:36 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : AC22FFDBBD9EA7964AF1DD0FD9B473F5
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=mcis-mail
Thumbprint         : E0C62BCBD770FA14ACE1F8C4B9D4DD3D7677C6AE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mcis-mail, mcis-mail.mcis.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mcis-mail
NotAfter           : 4/25/2014 4:50:59 PM
NotBefore          : 4/25/2013 4:50:59 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 3C3AAE3E9D9337A64F851DD7EAD47B1C
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mcis-mail
Thumbprint         : 0439A380353852C6816FB61B76B6AD2A930C9316

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mcismail, mcismail.mcis.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mcismail
NotAfter           : 12/27/2013 8:38:22 AM
NotBefore          : 12/27/2012 8:38:22 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : D001198DED84D19F4BDA9CF3742D7AFB
Services           : SMTP
Status             : Valid
Subject            : CN=mcismail
Thumbprint         : F7FB5A442CB5F10F34FEC38C90B2901E78064EB0

August 5th, 2013 6:49am

Hi there.

First you have to make sure that your certificate is valid for Exchange. Follow these steps.

1. On your CAS server, run > MMC > File > Add/Remove Snap-in > Certificates, click Add and choose Computer account, then Next, Next and Next.
2. In the Certificates MMC, expand "Certificates (Local Computer)" and then expand Personal. Then go to the Certificates folder. In this folder you will see the certificates that are installed on this CAS.
3. Look for the certificate that you installed for the Exchange service. If you see a red cross, it means this certificate is invalid for Exchange.
4. If it's not invalid, double-click on that certificate and go to "Certificate path". If your root certificate has a red cross, that means your CAS server doesn't have the root certificate installed yet.
(Actually it will be deployed automatically from the root CA if you have one.)

If your CAS server doesn't have the root certificate, just install it on this CAS server.
(Remember that installing a root certificate manually is not the normal case for a member server in AD. You have to fix it.)


August 6th, 2013 5:47am

Hi Sir,

I think your resolution will only fix Exchange 2013, not 2007.

My Exchange Server is 2007, and I have these 5 thumbprints: 3 are for the correct common name, which is mcis-mail (with dash), and 2 are for the incorrect common name, which is mcismail (without dash).

The SMTP service is running through the 5 common names and thumbprints.

The problem is the FQDN of the domain name.

Thanks for the answer and to the others who are willing to help!!

God bless.

August 6th, 2013 11:51pm

And where can I find the Client Access Server?

My domain and mailbox are on different physical servers.

Thank you.

August 6th, 2013 11:54pm

Hi Sir

All of my certificates are not trusted. What will I do now?

August 7th, 2013 12:11am

Hi Sean,

  • To find where the CAS role is installed, we can run Get-ClientAccessServer.

 For more information: http://technet.microsoft.com/en-us/library/bb124785(v=EXCHG.80).aspx

  • To make the mcismail's thumbprint valid, we can run the following command:

  Export-ExchangeCertificate -Thumbprint F7FB5A442CB5F10F34FEC38C90B2901E78064EB0

  Export-ExchangeCertificate -Thumbprint ED9927F58A1301C74676CEF4C43087BCFA4FD61C

  • From your description, the domain name isn't in a certificate. And we can validate it by the following steps.

1. Generate a certificate request by running the command:

 New-ExchangeCertificate -DomainName mail.maritimeclinic.net -SubjectName "c=coutry, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=YourFirstDomain.com" -KeySize 2048  -GenerateRequest:$True -PrivateKeyExportable:$True  -path c:\request.txt

2. Import it: Import-ExchangeCertificate -Path <full path to cert file>

3. Determine the thumbprint of a certificate:

Get-ExchangeCertificate -DomainName mail.maritimeclinic.net

4. Enable it: Enable-ExchangeCertificate -Services IIS, POP, IMAP, SMTP -Thumbprint <certificate-thumbprint>

  • About the untrusted certificate in the console root, you can try Supawat's suggestion.

 Here is a similar thread that has been resolved.

 http://social.technet.microsoft.com/Forums/windowsserver/en-US/d68e7667-d66c-4f30-9bb8-b31ef01d42bf/certificate-error-untrusted-certificate

  And you are also welcome to write a post on our development forum to confirm it.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=windowsserver

If you have any issues, please feel free to let me know.

Best regards

August 12th, 2013 3:59am
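
The condition described by the error in the first post can be checked directly. The following is an added example, not part of the thread and not Microsoft's code: a read-only check for the Exchange Management Shell that reports, for each connector, which installed certificates contain the connector's FQDN and are enabled for SMTP. It assumes exact-name matching only (wildcard entries are not evaluated) and approximates the computer-FQDN fallback with a DNS lookup of the local host.

```powershell
# Added example: read-only check, run in the Exchange Management Shell.
# For every connector, list certificates that contain the connector's FQDN,
# are enabled for SMTP, have a private key and are inside their validity period.

$connectors = @(Get-SendConnector) + @(Get-ReceiveConnector)
$certs      = @(Get-ExchangeCertificate)
$now        = Get-Date

foreach ($connector in $connectors) {
    # An empty connector FQDN means the computer's FQDN is used instead.
    $fqdn = [string]$connector.Fqdn
    if ($fqdn -eq '') {
        # Assumption: the local host entry approximates the computer's FQDN.
        $fqdn = [System.Net.Dns]::GetHostEntry('').HostName
    }

    $usable = @($certs | Where-Object {
        # CertificateDomains holds domain objects, so compare their string form.
        $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })

        ($domains -contains $fqdn) -and                 # exact match, no wildcards
        ($_.Services.ToString() -match 'SMTP') -and     # enabled for SMTP
        $_.HasPrivateKey -and
        ($_.NotBefore -le $now) -and ($_.NotAfter -ge $now)
    })

    if ($usable.Count -eq 0) {
        # This is the situation that produces the STARTTLS warning.
        Write-Host "NO MATCH : '$($connector.Name)' FQDN '$fqdn'"
    }
    else {
        foreach ($cert in $usable) {
            Write-Host ("OK       : '{0}' FQDN '{1}' -> {2} (self-signed: {3}, expires {4})" -f `
                $connector.Name, $fqdn, $cert.Thumbprint, $cert.IsSelfSigned, $cert.NotAfter)
        }
    }
}
```

With the certificate list posted earlier in the thread, a connector whose FQDN is mail.maritimeclinic.net would be reported as NO MATCH, because none of the five certificates lists that name in CertificateDomains.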

This topic is archived. No further replies will be accepted.
