This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 49%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
After installing wildcard certificate from Geotrust I am facing this issue.
Exchange 2019
[PS] C:\Windows\system32>New-EdgeSubscription -FileName "c:\edgesubscription_2022_03_30-1.xml"
Confirm
If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result, any of the following objects that were created
manually will be deleted: accepted domains, message classifications, remote domains, and Send connectors. After creating the Edge Subscription, you must manage these
objects from inside the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the TransportConfig object will be
overwritten during the synchronization process.
EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Mailbox servers in the Active Directory site to which the Edge Transport server
is being subscribed, and those Mailbox servers be able to resolve the FQDN of this Edge Transport server. You should complete the Edge Subscription inside the
organization in the next "1440" minutes before the bootstrap account expires.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
New-EdgeSubscription : Edge subscription only supports Cryptographic API certificates. The default certificate with thumbprint
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx for this subscription isn't a CAPI certificate. Use Enable-ExchangeCertificate -Services SMTP to set a CAPI certificate as
the default certificate.
At line:1 char:1
[PS] C:\Windows\system32>get-exchangeserver |fl name,edition,admindisplayversion
Name : xxxxxxxxxxxx
Edition : Standard
AdminDisplayVersion : Version 15.2 (Build 792.3)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @ankit ricky
The error information you shared above indicates the certificate you are using is not a CAPI certificate.
So here we could consider Use OpenSSL to convert the CNG certificate to a CAPI1 certificate. This thread discussed the similar issue as well:
EDGE & SHA256 RRS feed
Detailed information can be found here as well: Edge Transport Server, EdgeSync, and Certificates
Please Note: Since this website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi joyceshen,
I did this and every other thing, which was available over the internet still not able to resolve the issue.
https://granikos.eu/edge-transport-server-edgesync-and-certificates/
https://github.com/MicrosoftDocs/OfficeDocs-Support/blob/public/Exchange/ExchangeHybrid/email-delivery/email-sent-from-edge-transport-server-appears-as-mail-from-external-contacts.md
I just want to know does edge server accept CA signed certificate or we have to used self signed certificates.
Thank you
Hi @ankit ricky
When installing an Exchange Edge Transport server a self-signed certificate is created and configure for use with the SMTP Transport server. The self-signed certificate has the NetBIOS hostname as the Common Name and the FQDN in the Subject Alternate Names field.
And generally there is no need to replace this self-signed certificate.(applied to Exchange 2019 as well)
And take a reference at the steps introduced below, compare with the steps you have performed:
If you really want to replace the self-signed certificate on the Exchange 2013 Edge Transport server
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi joyceshen,
Thank you for the update, sorry to ask the same question again but I want to highlight something, we have edge transport server in DMZ zone facing internet traffic and then it will send the data to the backend 2 exchange server which is inside the network in local, so how can I secure the edge transport server facing internet if I use a self-signed certificate.
Can we use the wildcard certificate on Edge transport server which is in DMZ.
If so how can we configure the same, please share some article for the same that will be helpful.
Regards
Hi joyceshen,
Thank you for replying back so quick, I found the solution to my problem.
Basically there are 2 connectors on edge transport server 1. from internet to edge and 2. edge to backend exchange servers and you should apply third party SSL certificate only to first connector and second connector will use self-signed certificate. when asked for apply SSL certificate to SMTP service don't make it default for both the connector opt for No and apply to internet facing connector..
Thank you