Recently I made the mistake of removing some of the default self-signed certificates within Exchange, because I already had a wildcard certificate installed on it. Big mistake. Now my event log is filling up with TLS/SSL SMTP and POP3 errors, and certain company applications aren’t working.
Event ID: 1102 Source: MSExchangePop3
The POP3 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.
Event ID: 12014 Source: MSExchangeTransport
Microsoft Exchange could not find a certificate that contains the domain name mail-example.example.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Example.com-Gmail with a FQDN parameter of mail-example.example.local. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
I tried re-importing the certs, but Exchange would go through the motions and then not import the certificates. After banging my head against the wall for a while, I figured out that creating self-signed certificates via the Exchange Management Console simply doesn’t work. I had to open the Exchange Management PowerShell console and run the following command to get it to work:
computer name: mail-example.example.local (I’m leaving out the public name, as I already have a wildcard cert for that)
New-ExchangeCertificate -FriendlyName "SelfSigned Cert" `
    -SubjectName "cn=mail-example.example.local" `
    -DomainName mail-example.example.local,mail-example `
    -PrivateKeyExportable $true
If you can’t install the certificate, ensure that a certificate with the same name doesn’t already exist in the computer’s personal store (for example one created through IIS). When I ran this, it asked whether I wanted to overwrite the certificate (the wildcard) on the public SMTP connector. I selected NO, and it installed it on the rest of the services, which fixed the issue.
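As an added example (not from the original post), here is how the whole repair can be checked and applied from the Exchange Management Shell: list what Exchange has bound to each service, find or create a certificate covering the internal FQDN from event 12014, bind it to SMTP/POP/IMAP, and confirm the connector FQDNs and the personal store. The host name, friendly name and connector names are taken from the post; anything else is a placeholder, and the prompt behaviour on the SMTP binding is the one described above.

```powershell
# Run in the Exchange Management Shell. The FQDN is the one from the post's
# event 12014; no other values here are real.
$internalFqdn = 'mail-example.example.local'

# 1. Show every certificate Exchange knows about and which services use it.
#    Event 1102 (POP3) and 12014 (Transport) mean no entry here covers the FQDN.
Get-ExchangeCertificate |
    Format-List FriendlyName, Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# 2. Pick an unexpired certificate whose SAN list covers the internal FQDN.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $internalFqdn -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    # None found: create the self-signed certificate as in the post
    # (the domain list is comma-separated; spaces would not bind).
    $cert = New-ExchangeCertificate -FriendlyName 'SelfSigned Cert' `
        -SubjectName "cn=$internalFqdn" `
        -DomainName $internalFqdn, 'mail-example' `
        -PrivateKeyExportable $true
}

# 3. Bind it to the services that were logging errors. For SMTP the cmdlet
#    asks whether to overwrite the default SMTP certificate; answer N so the
#    wildcard stays on the Internet-facing connector.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP, POP, IMAP

# 4. Confirm the FQDN each connector advertises is covered by the certificate
#    (an unset Fqdn means the computer's own FQDN is used).
Get-SendConnector    | Select-Object Name, Fqdn
Get-ReceiveConnector | Select-Object Name, Fqdn

# 5. Look for a duplicate subject in the machine's personal store; a stale
#    certificate there (e.g. one made through IIS) is what blocks the import.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$internalFqdn*" } |
    Format-Table Thumbprint, Subject, NotAfter, FriendlyName
```

After step 3, re-run step 1 and check that the new thumbprint shows SMTP, POP and IMAP under Services while the wildcard still shows SMTP (and IIS) for the public-facing side; the 1102 and 12014 events should stop once the POP3 and Transport services are restarted or re-read their bindings.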