Inserting a Self Signed Certificate into Exchange 2010

Recently I made the mistake of removing some of the default self-signed certificates within Exchange, because I already had a wildcard certificate installed on it. Big mistake. Now my event log is filling up with TLS/SSL SMTP and POP3 errors, and certain company applications aren’t working.

Event ID: 1102 Source: MSExchangePop3
The POP3 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.

Event ID: 12014 Source: MSExchangeTransport
Microsoft Exchange could not find a certificate that contains the domain name mail-example.example.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Example.com-Gmail with a FQDN parameter of mail-example.example.local. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I tried re-importing the certs, but Exchange would go through the motions and then not import them. After banging my head against the wall for a while, I figured out that creating self-signed certificates via the Exchange Management Console simply doesn’t work. I had to open the Exchange Management Shell (the PowerShell console) and run the following command to get it to work:

Computer name: mail-example.example.local (I’m leaving out the public name, as I already have a wildcard cert for that)

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" `
    -SubjectName "cn=mail-example.example.local" `
    -DomainName mail-example.example.local,mail-example `
    -PrivateKeyExportable $True

If you can’t install the certificate, ensure that a certificate with the same name doesn’t already exist within IIS. When I ran this, it asked whether I wanted to overwrite the certificate (the wildcard) on the public SMTP connector. I selected No, and it installed the new certificate on the rest of the services, which fixed the issue.
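The full sequence, as an added example that is not part of the original post: create the self-signed certificate for the internal FQDN, enable it for the services that were logging errors, and then verify that every certificate in the store and every Send connector FQDN line up (a connector FQDN with no matching certificate is exactly the condition behind event 12014). It assumes the Exchange 2010 Management Shell and reuses the post's example host name mail-example.example.local; the variable names and the report layout are my own.

```powershell
# Added example (not the original post's command). Assumes the Exchange 2010
# Management Shell (PowerShell 2.0); host name values are the post's examples.
$fqdn      = "mail-example.example.local"   # assumption: internal host name
$shortName = ($fqdn -split '\.')[0]         # "mail-example"

# 1. Create the certificate. -DomainName is ONE comma-separated list; splitting it
#    into two space-separated arguments is the usual cause of the command failing.
$cert = New-ExchangeCertificate -FriendlyName "SelfSigned Cert" `
    -SubjectName "cn=$fqdn" `
    -DomainName $fqdn,$shortName `
    -PrivateKeyExportable $true

# 2. Bind it to the services that were logging errors. Including SMTP triggers the
#    "overwrite the existing default SMTP certificate?" prompt; answer No, as the
#    post does, so the wildcard certificate stays on the public connector.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services POP,IMAP,SMTP

# 3. Verify what is now in the store: which services each certificate covering the
#    FQDN is bound to, whether it is self-signed, and how long it is still valid.
#    (Exchange self-signed certificates expire; log the date rather than trusting it.)
Get-ExchangeCertificate |
    Where-Object { ($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }) -contains $fqdn.ToLower() } |
    Select-Object Thumbprint, Services, IsSelfSigned, NotAfter,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

# 4. Cross-check every Send connector's FQDN against the certificate domains.
#    Per event 12014, a connector without an explicit FQDN uses the computer's FQDN.
$computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$domains = Get-ExchangeCertificate |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

Get-SendConnector | ForEach-Object {
    $target = if ($_.Fqdn) { $_.Fqdn.ToString().ToLower() } else { $computerFqdn }
    $status = if ($domains -contains $target) { 'covered' } else { 'NO MATCHING CERT' }
    "{0,-30} {1,-35} {2}" -f $_.Name, $target, $status
}
```

Run the whole thing once after the certificate is created; step 4 on its own is also a useful periodic check, since it reports the same mismatch the event log only surfaces after the first failed STARTTLS attempt.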
