Exchange (Multirole + Edge) and certificate from local CA.

Question

Exchange (Multirole + Edge) and certificate from local CA.

Pawel Jarosz 61

Hi Everyone,

I am setting up certificates in really simple on-prem environment - 2 servers: 1st - multirole (no mailboxes, just for simple relay and O365 management), 2nd - edge role.

Everything works when I generate certificate directly in Exchange, however when trying to use the certificate from the local CA emails are stuck in the queue on multirole server. The root certificate is added to the trusted root store on the edge server. I do not really have any more ideas on what can be done, what I've done was:

Generate new subscription file on edge
Enabled local CA certificate on multirole server for all the services (IIS,SMTP,POP,IMAP)
Imported build new subscription on multirole server based on the subscription file
Started the synchronization
Rebooted the servers

Synchronization seems to be ok - got susscesss state, however messages sit in the queue on multirole server with no willingness to go to the edge server, any ideas what step do I miss?

Cheers,
J

1 answer

Your answer

Answer 1

Anonymous

Hi @PawelJarosz-0356 ,

Please first check the OWA and EAC(ECP), if they are good then we could bypass the cert.
And what does the multirole means? Mailbox + ClientAccess? What's your Exchange server, is it 2013? And have you added the CA certificate to the trusted root store on Multirole server?
Sorry I don't know how you sent the emails without mailboxes. Please share more info so we can know this issue better.

Regards,
Lou

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Pawel Jarosz 61 Reputation points

2021-03-23T21:34:03.35+00:00

Hi,

ECP looks good - it opens and all is good apart from that it says it is not trusted.

These servers are Exchange 2019 CU8 servers, installed on Windows Server 2019 core.

There was on-premises infra but all mailboxes were migrated to the cloud, and local Exchange has been left just to manage mailboxes and it is used as a relay server (apps send from it with no authorization).

Cheers,
J
Anonymous

2021-03-24T05:42:36.047+00:00

Hi @PawelJarosz-0356 ,

Hybrid? Based on my knowledge, it requires the third-party business certificate. Certificate requirements for hybrid deployments

Regards,
Lou
Pawel Jarosz 61 Reputation points

2021-03-24T06:54:49.557+00:00

Well it is not hybrid by all it means - no mailboxes locally, all in O365, MX is also in O365. One more time - we use this server only to manage remote mailboxes / DLs and as a relay server. There is a send connector that sends messages from Multirole (relay server) to the Edge server and from Edge to O365. However when switching from Exchange generated certificate to CA generated certificate messages got stuck on the Multirole server - they won't go to Edge server.
Anonymous

2021-03-24T07:14:57.88+00:00

Hi @PawelJarosz-0356 ,

Oh sorry for a misunderstand.

Will OWA be the same with ECP (not trusted)? If so, please check if the certificate has been in the Trusted Root and the frontend/backend are using this cert:

Please create two local mailboxes and test the mailflow.
If this fails, I think you may check the certificate in your root.

https://www.azure365pro.com/how-to-use-a-internal-windows-ca-certificate-authority-in-windows-2012-with-exchange-2013/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Regards,
Lou
Anonymous

2021-03-24T07:18:13.737+00:00

Also if you run Get-Queue | FL in EMS, will the LastError part show anything useful?
Anonymous

2021-04-02T02:10:14.11+00:00

Hi @PawelJarosz-0356 ,

It has been a long time since last reply, did these suggestions help you? If the above suggestion helps, please click “Accept as answer” to mark helpful reply as an answer to close this thread. Your action would be helpful to other users who encounter the same issue and read this thread.

Regards,
Lou

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

Exchange (Multirole + Edge) and certificate from local CA.

1 answer

Your answer