Edge server CA certificate issue

ankit ricky 1 Reputation point
2022-03-30T18:39:06.64+00:00

After installing a wildcard certificate from GeoTrust I am facing this issue.

Exchange 2019

[PS] C:\Windows\system32>New-EdgeSubscription -FileName "c:\edgesubscription_2022_03_30-1.xml"

Confirm
If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result, any of the following objects that were created
manually will be deleted: accepted domains, message classifications, remote domains, and Send connectors. After creating the Edge Subscription, you must manage these
objects from inside the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the TransportConfig object will be
overwritten during the synchronization process.
EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Mailbox servers in the Active Directory site to which the Edge Transport server
is being subscribed, and those Mailbox servers be able to resolve the FQDN of this Edge Transport server. You should complete the Edge Subscription inside the
organization in the next "1440" minutes before the bootstrap account expires.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
New-EdgeSubscription : Edge subscription only supports Cryptographic API certificates. The default certificate with thumbprint
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx for this subscription isn't a CAPI certificate. Use Enable-ExchangeCertificate -Services SMTP to set a CAPI certificate as
the default certificate.
At line:1 char:1
+ New-EdgeSubscription -FileName "c:\edgesubscription_2022_03_30-1.xml"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:String) [New-EdgeSubscription], InvalidOperationException
    + FullyQualifiedErrorId : [Server=xxxxxxxxxxxxxxx,RequestId=xxxxxxxxxxxxxxxxxx,TimeStamp=3/30/2022 4:48:12 PM] [FailureCategory=Cmdlet-InvalidOperationException] 48C85741,Microsoft.Exchange.Management.SystemConfigurationTasks.NewEdgeSubscription

[PS] C:\Windows\system32>get-exchangeserver |fl name,edition,admindisplayversion

Name : xxxxxxxxxxxx
Edition : Standard
AdminDisplayVersion : Version 15.2 (Build 792.3)


6 answers

  1. Joyce Shen - MSFT 16,646 Reputation points
    2022-03-31T05:13:28.977+00:00

    Hi @ankit ricky

    The error information you shared above indicates the certificate you are using is not a CAPI certificate.

    So here we could consider "Use OpenSSL to convert the CNG certificate to a CAPI1 certificate". This thread discussed a similar issue as well:
    EDGE & SHA256

    Detailed information can be found here as well: Edge Transport Server, EdgeSync, and Certificates
    Please Note: Since this website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. ankit ricky 1 Reputation point
    2022-04-01T04:41:56.767+00:00

    Hi joyceshen,

    I did this and every other thing which was available over the internet, but I am still not able to resolve the issue.

    https://granikos.eu/edge-transport-server-edgesync-and-certificates/
    https://github.com/MicrosoftDocs/OfficeDocs-Support/blob/public/Exchange/ExchangeHybrid/email-delivery/email-sent-from-edge-transport-server-appears-as-mail-from-external-contacts.md

    I just want to know: does the Edge server accept a CA-signed certificate, or do we have to use self-signed certificates?

    Thank you


  3. Joyce Shen - MSFT 16,646 Reputation points
    2022-04-01T05:24:55.973+00:00

    Hi @ankit ricky

    When installing an Exchange Edge Transport server, a self-signed certificate is created and configured for use with the SMTP Transport service. The self-signed certificate has the NetBIOS hostname as the Common Name and the FQDN in the Subject Alternate Names field.

    And generally there is no need to replace this self-signed certificate (this applies to Exchange 2019 as well).

    And take a reference from the steps introduced below, and compare them with the steps you have performed:

    If you really want to replace the self-signed certificate on the Exchange 2013 Edge Transport server
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.



  4. ankit ricky 1 Reputation point
    2022-04-01T09:59:29.173+00:00

    Hi joyceshen,

    Thank you for the update. Sorry to ask the same question again, but I want to highlight something: we have the Edge Transport server in the DMZ zone facing internet traffic, and it then sends the data to the two backend Exchange servers which are inside the local network. So how can I secure the internet-facing Edge Transport server if I use a self-signed certificate?

    Can we use the wildcard certificate on the Edge Transport server which is in the DMZ?

    If so, how can we configure the same? Please share some article on this; that will be helpful.

    Regards


  5. ankit ricky 1 Reputation point
    2022-04-03T05:05:47.84+00:00

    Hi joyceshen,

    Thank you for replying back so quickly. I found the solution to my problem.
    Basically there are 2 connectors on the Edge Transport server: 1. from the internet to Edge, and 2. from Edge to the backend Exchange servers. You should apply the third-party SSL certificate only to the first connector, and the second connector will use the self-signed certificate. When asked to apply the SSL certificate to the SMTP service, don't make it the default for both connectors; opt for No and apply it to the internet-facing connector.

    Thank you

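The last reply describes the working pattern without the commands. The following Exchange Management Shell script is an added example (not from the thread, and not Microsoft's or GeoTrust's documentation) that carries out those steps on an Edge Transport server and adds the check that explains the original error: New-EdgeSubscription only accepts a default SMTP certificate whose private key is held by a CAPI cryptographic service provider, so a wildcard certificate imported into a CNG key storage provider must not become the default. The thumbprint and the connector name are placeholders; `EDGE01` is an assumed server name, and the connector name follows the Edge default naming pattern, so replace both with the values shown by Get-ExchangeCertificate and Get-ReceiveConnector on your own server.

```powershell
# Added example, not code from the thread. Placeholders to replace before running:
$WildcardThumbprint = 'REPLACE_WITH_WILDCARD_CERT_THUMBPRINT'          # assumed value
$InternetConnector  = 'EDGE01\Default internal receive connector EDGE01' # assumed name

# 1. Check which provider holds the wildcard certificate's private key.
#    certutil prints a "Provider = ..." line for the machine store entry; a
#    "... Key Storage Provider" value means a CNG key, which Edge subscription
#    rejects as the default SMTP certificate (the error in the question).
$storeInfo = certutil -store My $WildcardThumbprint
$provider  = ($storeInfo | Select-String 'Provider = ' | Select-Object -First 1).Line
if (-not $provider) {
    Write-Warning "No certificate with thumbprint $WildcardThumbprint found in the machine store."
} elseif ($provider -match 'Key Storage Provider') {
    Write-Warning "Private key is in a CNG KSP: $($provider.Trim())"
    Write-Warning 'Keep the self-signed CAPI certificate as the default SMTP certificate.'
} else {
    Write-Host "Private key provider: $($provider.Trim())"
}

# 2. Enable the wildcard certificate for SMTP WITHOUT replacing the default.
#    The cmdlet asks "Overwrite the existing default SMTP certificate?";
#    answer N so EdgeSync keeps using the self-signed certificate.
Enable-ExchangeCertificate -Thumbprint $WildcardThumbprint -Services SMTP

# 3. Bind the wildcard certificate explicitly to the internet-facing Receive
#    connector. TlsCertificateName uses the "<I>Issuer<S>Subject" form that
#    Set-ReceiveConnector expects.
$cert    = Get-ExchangeCertificate -Thumbprint $WildcardThumbprint
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-ReceiveConnector -Identity $InternetConnector -TlsCertificateName $tlsName

# 4. Review the result before running New-EdgeSubscription: both certificates
#    list SMTP under Services (the self-signed one stays the default because the
#    prompt in step 2 was answered N), and only the internet-facing connector
#    names the wildcard certificate.
Get-ExchangeCertificate | Format-Table Thumbprint, IsSelfSigned, Services, Subject -AutoSize
Get-ReceiveConnector -Identity $InternetConnector | Format-List Identity, TlsCertificateName
```

The internal connector between Edge and the Mailbox servers is left untouched, so EdgeSync continues to authenticate with the self-signed certificate, while inbound internet SMTP sessions on the first connector present the publicly trusted wildcard certificate. If the provider check in step 1 reports a CNG key and the certificate must become the default anyway, the first reply's OpenSSL re-import into a CAPI provider is the route the thread points to.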