Microsoft Exchange self signed cert missing

Gavin Ross 231 Reputation points
2021-03-10T17:47:44.32+00:00

I noticed in the event viewer that there was an error related to a certificate.

Microsoft Exchange could not find a certificate that contains the domain name SERVERNAME.domainname.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVERNAME with a FQDN parameter of SERVERNAME.domainname.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

After checking the certificates, I noticed that the "Microsoft Exchange" Self Signed cert is missing from the list of certificates. I checked all the other servers and they all have that cert so the issue is only on the one server. Does anyone know how I can recreate that certificate so I can fix this error?

Thanks,
Gavin


Accepted answer
  1. Gavin Ross 231 Reputation points
    2021-03-10T20:59:43.827+00:00

    I figured out a way to create the cert: I used the SAN cert that we have on IIS and added it to the Exchange Back End in IIS. After I did this, I was able to open the Exchange Management Shell and manually create the cert. I then changed the cert in Exchange Back End to the newly created cert and was able to open the Shell again without any errors. The error in the event logs has also been cleared.


2 additional answers

  1. Andy David - MVP 144.8K Reputation points MVP
    2021-03-10T18:37:17.887+00:00

    You can create it in EAC:
    https://learn.microsoft.com/en-us/exchange/architecture/client-access/create-self-signed-certificates?view=exchserver-2019
    For the domain, use the server's FQDN and its NetBIOS name,

    so:

    ServerName
    and
    SERVERNAME.domainname.com

    Then ensure it's bound to the backend website on the Exchange Server. You can do that from my blog: (Or what cert is assigned to that now?)

    https://ehloergosum.com/2020/01/25/renewing-that-pesky-microsoft-exchange-certificate/

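A PowerShell version of the procedure in the accepted answer and in Andy David's answer (recreate the self-signed cert with the FQDN and NetBIOS names, make it usable for SMTP, then bind it to the Exchange Back End site). This is an added example, not code from either post or from Microsoft; SERVERNAME/domainname.com are placeholders, and the "Exchange Back End" https binding on port 444 is assumed to be the one that needs the cert.

```powershell
# Added example, not from the original posts. Run in the Exchange Management
# Shell on the affected server. SERVERNAME / domainname.com are placeholders.
$fqdn    = "SERVERNAME.domainname.com"
$netbios = "SERVERNAME"

# 1. Confirm which certs Exchange currently sees on this server (the
#    "Microsoft Exchange" self-signed one should be absent).
Get-ExchangeCertificate -Server $netbios |
    Select-Object Thumbprint, FriendlyName, Services, Subject, NotAfter

# 2. Recreate the self-signed cert with both names Andy suggests (NetBIOS +
#    FQDN), assigned to SMTP. -Force suppresses the "overwrite the default
#    SMTP certificate?" confirmation prompt.
$cert = New-ExchangeCertificate -Server $netbios `
    -FriendlyName "Microsoft Exchange" `
    -SubjectName "CN=$netbios" `
    -DomainName $netbios, $fqdn `
    -PrivateKeyExportable $false `
    -Services SMTP `
    -Force

# 3. Make sure the Transport service can use the private key; this is the
#    step the event log message itself asks for.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Force

# 4. Bind the new cert to the Exchange Back End website (https on 444,
#    assumed), which the remote PowerShell session in the question relies on.
Import-Module WebAdministration
$binding = Get-WebBinding -Name "Exchange Back End" -Protocol https -Port 444
$binding.AddSslCertificate($cert.Thumbprint, "My")

# 5. Verify the binding now carries the new thumbprint.
Get-WebBinding -Name "Exchange Back End" -Protocol https |
    Select-Object bindingInformation, certificateHash
```

After step 4, open a fresh Exchange Management Shell and check the Application log; the STARTTLS certificate error should not recur on the next SMTP connection to the connector.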

  2. Gavin Ross 231 Reputation points
    2021-03-10T19:58:04.797+00:00

    So I am trying to add it using Exchange PowerShell as I can't seem to get the correct names when using ECP; it adds a bunch of other names to the cert that I don't want. So when trying to open PS, I get this error:

    New-PSSession : [servername.domainname.com] Connecting to remote server servername.domainname.com failed with the following error message :
    [ClientAccessServer=SERVERNAME,BackEndServer=servername.domainname.com,RequestId=802d0eac-210b-4738-9549-704ef08548d2,TimeStamp=3/10/2021 4:24:51 PM]
    [FailureCategory=Cafe-SendFailure] For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
        + FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed

    Any ideas on what is causing this?