Error while Importing New SSL Cert
  • Error while Importing New SSL Cert

    Hi everyone

    As my SSL certificate had expired, I requested a new 3rd-party SAN/UCC certificate to install; when I tried to enable it I got the following error.

    SAN - Server1.MyDomain.com, www.Server1.MyDomain.com, mail.MyDomain.com, MyDomain.com, autodiscover.MyDomain.com, Server1

    Enable-ExchangeCertificate -Services "SMTP" -Thumbprint XXXX07A538A3A046EF2FB63131XX592A7C681B1D

    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail.mydomain.com' because the CA-signed certificate with thumbprint 'F39B1C05F5E386B5A05D2F47EB67E726DA4EE2E7' takes precedence. The following connectors match that FQDN: Internet SMTP Receive Connector(mail.mydomain.com).

    Confirm
    Overwrite existing default SMTP certificate, 'F39B1C05F5E386B5A05D2F47EB67E726DA4EE2E7' (expires 12/26/2008 8:15:03 AM), with certificate 'XXXX07A538A3A046EF2FB63131XX592A7C681B1D' (expires 2/7/2011 12:59:12 PM)?


    Send Connector:
    MAIL.MyDomain.com

    Receive Connector:
    Server1.MyDomain.com
    mail.MyDomain.com

    Please advise me...

    Thanks in advance
    Last edited by khantmk; 7th February 2010, 17:06.

  • #2
    Re: Error while Importing New SSL Cert

    What did you set as the common name on the certificate?
    Ideally that should be the same name used for SMTP traffic, because other SMTP servers cannot "see" the additional names.

    So the practice I follow is to use mail.example.com for SMTP, OWA, POP, IMAP, EAS and have it set as the common name on the certificate. Then the server's FQDN and NETBIOS name and the autodiscover.example.com are set as additional names.

    Therefore Exchange is using a certificate with a common name that matches the FQDN on the connector so that SSL traffic can be used.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Error while Importing New SSL Cert

      Actually I purchased a UCC SSL certificate from Godaddy.com and downloaded the certificate, which has the file name (common name) Server1.MyDomain.com.crt.

      Regards,
      Noorulla Khan
      Last edited by khantmk; 8th February 2010, 12:45.



      • #4
        Re: Error while Importing New SSL Cert

        There is your problem then.
        You need to cancel the certificate and do a new request, with the common name set correctly.

        Simon.



        • #5
          Re: Error while Importing New SSL Cert

          Hi

          Now I have received the new UCC SSL certificate with the common name mail.MyDomain.com, but I am getting the same WARNING. If I look at the certificate store, I have an old certificate with the same common name. Do I need to remove it before enabling the new one?

          Thanks in advance



          • #6
            Re: Error while Importing New SSL Cert

            Hi

            The output of Get-ExchangeCertificate | list

            AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
            CertificateDomains : {mail.MyDomain.com, www.mail.MyDomain.com, MyDomain.com, autodiscover.MyDomain.com, server1.MyDomain.com, server1}
            HasPrivateKey : True
            IsSelfSigned : False
            Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
            NotAfter : 2/9/2011 8:51:45 AM
            NotBefore : 2/9/2010 8:51:45 AM
            PublicKeySize : 2048
            RootCAType : Unknown
            SerialNumber : 04379CA771EE28
            Services : IMAP, POP, SMTP
            Status : Invalid
            Subject : CN=mail.MyDomain.com, OU=Domain Control Validated, O=mail.azmeel.com
            Thumbprint : DBA567F80F1E9EEFD47AF8C9C57D928FA4498977

            AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
            CertificateDomains : {server1, server1.MyDomain.com}
            HasPrivateKey : True
            IsSelfSigned : True
            Issuer : CN=server1
            NotAfter : 5/21/2009 12:50:12 AM
            NotBefore : 5/21/2008 12:50:12 AM
            PublicKeySize : 2048
            RootCAType : Unknown
            SerialNumber : A105133D59EFA7844B18CA5E0FBB01BF
            Services : IMAP, POP, SMTP
            Status : Invalid
            Subject : CN=server1
            Thumbprint : 0F28A69D5B00AF3715F851744520562CAD7803A7

            AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
            CertificateDomains : {mail.MyDomain.com, www.mail.MyDomain.com}
            HasPrivateKey : True
            IsSelfSigned : False
            Issuer : [email protected], CN=Starfield Secure Certification Authority, OU=http://www.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US
            NotAfter : 12/26/2008 8:15:03 AM
            NotBefore : 12/26/2006 8:15:03 AM
            PublicKeySize : 1024
            RootCAType : ThirdParty
            SerialNumber : 3F1472
            Services : SMTP
            Status : DateInvalid
            Subject : CN=mail.MyDomain.com, OU=Domain Control Validated, O=mail.azmeel.com
            Thumbprint : 0F9B1C05F5E386B5A05D2F47EB67E726DA4EE2E7

            get-transportserver Server1 | fl

            InternalTransportCertificateThumbprint : 0F9B1C05F5E386B5A05D2F47EB67E726DA4EE2E7

            Thanks in advance
            Last edited by khantmk; 9th February 2010, 15:46.



            • #7
              Re: Error while Importing New SSL Cert

              The two other certificates are both invalid, so retaining them is pointless. They should be removed and then Exchange Transport Service restarted.

              Changes do not take effect until transport is restarted.

              Simon.



              • #8
                Re: Error while Importing New SSL Cert

                Hi Sembee

                I tried to get rid of those old certificates, which are currently tied up with the Transport service, but ended up with the following error.

                Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

                If I try to enable the new certificate, I end up with the following warning:

                WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail.mydomain.com' because the CA-signed certificate with thumbprint 'F39B1C05F5E386B5A05D2F47EB67E726DA4EE2E7' takes precedence. The following connectors match that FQDN: Internet SMTP Receive Connector(mail.mydomain.com).

                Regards,



                • #9
                  Re: Error while Importing New SSL Cert

                  You will need to change the FQDN on the receive connector. Change it to either server or null so it is blank. Then restart transport services and attempt to change the certificate again.

                  Simon.



                  • #10
                    Re: Error while Importing New SSL Cert

                    Hi Simon

                    I have two receive connectors (Client and Internet), server1.mydomain.com and mail.mydomain.com. Should I change the FQDN of both to NULL??

                    Bye



                    • #11
                      Re: Error while Importing New SSL Cert

                      You should either change them both to null or change them both to the common name on the SSL certificate.

                      Simon.

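The advice in posts #2, #9 and #11 amounts to one check: every connector FQDN must be covered by an unexpired certificate that is enabled for SMTP, and expired certificates must not stay bound. This added example (not code from the thread or from Microsoft) runs that check in the Exchange Management Shell with the standard Get-ReceiveConnector, Get-SendConnector and Get-ExchangeCertificate cmdlets; 'Server1' is a placeholder for the transport server being checked.

```powershell
# Added example, not code from the thread or from Microsoft: report, per connector
# FQDN on one Exchange 2007/2010 transport server, which SMTP-enabled certificates
# cover it and which of those have expired. Run in the Exchange Management Shell;
# 'Server1' is a placeholder for the transport server being checked.
$ServerName = 'Server1'

function Get-SmtpCertificateReport {
    param([string]$Server)

    $now = Get-Date
    # Every FQDN Exchange will try to present a certificate for; empty FQDNs are skipped
    $fqdns = @(Get-ReceiveConnector -Server $Server | ForEach-Object { "$($_.Fqdn)" }) +
             @(Get-SendConnector | ForEach-Object { "$($_.Fqdn)" }) |
             Where-Object { $_ } | Sort-Object -Unique

    $certs = @(Get-ExchangeCertificate -Server $Server)

    foreach ($fqdn in $fqdns) {
        # A certificate covers the FQDN when one of its CertificateDomains equals it
        # (-ilike without wildcards is case-insensitive equality) or is a wildcard that
        # matches it; it must also have a private key and be enabled for SMTP.
        $matching = @($certs | Where-Object {
            $_.HasPrivateKey -and ("$($_.Services)" -match 'SMTP') -and
            @($_.CertificateDomains | Where-Object { $fqdn -ilike "$_" }).Count -gt 0
        })
        $current = @($matching | Where-Object { $_.NotAfter -gt $now })
        $expired = @($matching | Where-Object { $_.NotAfter -le $now })

        $action = if ($current.Count -eq 0) {
            "no unexpired SMTP certificate covers '$fqdn': set the connector FQDN to a name " +
            "on the new certificate (or to null), then restart MSExchangeTransport"
        } elseif ($expired.Count -gt 0) {
            "expired certificate(s) still enabled for SMTP: remove them once the new one " +
            "is enabled and has become the internal transport certificate, then restart transport"
        } else { 'ok' }

        # A Status other than Valid means Windows could not build the chain on this server
        New-Object PSObject -Property @{
            Fqdn    = $fqdn
            Current = ($current | ForEach-Object { "$($_.Thumbprint) [$($_.Status)]" }) -join ' '
            Expired = ($expired | ForEach-Object { $_.Thumbprint }) -join ' '
            Action  = $action
        }
    }
}

Get-SmtpCertificateReport -Server $ServerName |
    Select-Object Fqdn, Current, Expired, Action | Format-Table -AutoSize -Wrap
```

The report only reads configuration; the Set-ReceiveConnector -Fqdn, Remove-ExchangeCertificate and transport restart it recommends are left for the administrator to run deliberately.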


                      • #12
                        Re: Error while Importing New SSL Cert

                        Thanks for your guidance and help... I was able to enable the newly installed certificate and delete the old certificate, but when I look at the result of
                        Get-ExchangeCertificate | fl

                        AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
                        CertificateDomains : {mail.MyDomain.com, www.mail.MyDomain.com, MyDomain.com, autodiscover.MyDomain.com, Server1.MyDomain.com, Server1}
                        HasPrivateKey : True
                        IsSelfSigned : False
                        Issuer : SERIALNUMBER=07999287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
                        NotAfter : 2/9/2011 8:51:45 AM
                        NotBefore : 2/9/2010 8:51:45 AM
                        PublicKeySize : 2048
                        RootCAType : Unknown
                        SerialNumber : 0437999771EE28
                        Services : IMAP, POP, SMTP
                        Status : Invalid
                        Subject : CN=mail.MyDomain.com, OU=Domain Control Validated, O=mail.azmeel.com
                        Thumbprint : DBA567F80F1E9EEFD47AF8C9C57D928FA4498977

                        Why is it showing Status as Invalid??? In Event Viewer I am still getting the error codes 12014 and 12016...

                        Thanks in advance...
                        Last edited by khantmk; 20th February 2010, 16:57.



                        • #13
                          Resolved...

                          My problem is solved now... Actually there are clear instructions from GoDaddy that should be followed, given below..

                          Expand the Trusted Root Certification Authorities folder
                          Double-click the Certificates folder to show a list of all certificates.
                          Find the Go Daddy Class 2 Certification Authority certificate.
                          Right-click on the certificate and select Properties.
                          Select the radio button next to Disable all purposes for this certificate.
                          Click OK.

                          I must thank Mr. Simon for his kind co-operation in resolving my issue... Once again thank you very much for your valuable time...

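Before changing anything in the Trusted Root store, as post #13 does, it helps to see which link of the chain Windows cannot build, since that is what Get-ExchangeCertificate's "Status : Invalid" reflects. This added diagnostic (not from the thread or from Microsoft) builds the chain for the enabled certificate with .NET's X509Chain and lists each element's status; the thumbprint is the one shown in post #12 and the function name is mine.

```powershell
# Added example, not from the thread: explain a "Status : Invalid" result from
# Get-ExchangeCertificate by building the chain Windows sees on this server.
# Uses only .NET X509Chain against the machine's personal store; the thumbprint
# is the one from the thread's Get-ExchangeCertificate output.
function Test-ExchangeCertificateChain {
    param([string]$Thumbprint)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so an unreachable CRL does not mask a chain-building problem
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)

    # One row per chain element: the leaf first, then each issuer Windows selected.
    # An empty Status column means that element verified cleanly.
    $elements = for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $el = $chain.ChainElements[$i]
        New-Object PSObject -Property @{
            Position = $i
            Subject  = $el.Certificate.Subject
            Issuer   = $el.Certificate.Issuer
            NotAfter = $el.Certificate.NotAfter
            Status   = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    New-Object PSObject -Property @{
        ChainBuilds = $built
        ChainStatus = ($chain.ChainStatus |
            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Elements    = $elements
    }
}

$result = Test-ExchangeCertificateChain -Thumbprint 'DBA567F80F1E9EEFD47AF8C9C57D928FA4498977'
"Chain builds: $($result.ChainBuilds)   $($result.ChainStatus)"
$result.Elements | Select-Object Position, Subject, Issuer, NotAfter, Status |
    Format-Table -AutoSize -Wrap
```

Run it on the Exchange server itself, because the chain is built from that machine's certificate stores; the same certificate can verify on one host and fail on another.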
