Exchange 2007 Certificate Errors

I received several certificate errors when attempting to connect Outlook to Exchange 2007. This is because Outlook 2007 and Exchange 2007 encrypt all communications between themselves, so Outlook must trust the certificate the server presents. The solution was to create a new certificate (using the Exchange Management Shell) for the intranet. The relevant Microsoft article can be found here:

http://technet.microsoft.com/en-us/library/aa995942.aspx

Note: the article says to use the same certificate for IIS. However, to use a third-party certificate (e.g. from Thawte), don't include IIS when assigning the new certificate to services. If you do (as I originally did), use the following command:

Get-ExchangeCertificate -DomainName "<Exchange-Server-Name>"

to get the thumbprint of the third party certificate and then use the command:

Enable-ExchangeCertificate -Thumbprint <certificate-thumbprint> -Services "IIS,SMTP"

to assign it to IIS and SMTP (see the event log entry below for why SMTP matters).

I was then noticing some issues with Outlook Anywhere and found the following in the event log:

Product: Exchange
ID: 12014
Source: MSExchangeTransport
Version: 8.0
Symbolic Name: CannotLoadSTARTTLSCertificateFromStore

Message:
Microsoft Exchange couldn’t find a certificate that contains the domain name %1 in the personal store on the local computer. Therefore, it is unable support the STARTTLS SMTP verb for the connector %2 with a FQDN parameter of %1 (if connector’s FQDN is not specified, the machine’s FQDN is used). Verify that connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that connector FQDN. If this certificate exists, run Enable-ExchangeCertificate -services SMTP to ensure transport service has access to its key.

Explanation

This Warning event indicates that there is a problem loading a certificate to be used for STARTTLS purposes. Generally, this problem occurs if one or both of the following conditions is true:

  • The fully qualified domain name (FQDN) that is specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange Server 2007 transport server, and no certificate is installed on the same computer that contains the FQDN in the Subject or Subject Alternative Name fields.
  • A third-party or custom certificate has been installed on the server and it contains a matching FQDN. However, the certificate is not enabled for the SMTP service.

To fix this, I simply ran the command referenced above (Enable-ExchangeCertificate…) to assign the Thawte cert to the SMTP service.
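The following is an added example (not part of the original post, and not Microsoft's code) that ties together the two steps above: finding the third-party certificate's thumbprint and enabling it for SMTP and IIS, plus the check the event 12014 text asks for, namely that every Send/Receive connector FQDN (or the server FQDN when the connector has none) actually appears in the certificate's Subject/SAN. It is meant to run in the Exchange Management Shell on the Exchange 2007 server; "<issuer-name-fragment>" is a placeholder for the CA name (for example "Thawte") and must be replaced before running. The cmdlets and properties used (Get-ExchangeCertificate, Enable-ExchangeCertificate, Get-ReceiveConnector, Get-SendConnector, Get-ExchangeServer, CertificateDomains, Services) are standard Exchange 2007 ones; the Test-DomainCovered helper is my own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the
# Exchange 2007 server. Locates the third-party certificate, reports connector FQDNs that the
# certificate does not cover (those keep raising event 12014 whatever services are enabled),
# and enables the certificate for SMTP and IIS only if that is not already done.
# "<issuer-name-fragment>" is a placeholder for the CA name (e.g. "Thawte").

$issuerFragment = "<issuer-name-fragment>"

# 1. Pick the non-self-signed certificate from that issuer with the latest expiry.
$cert = Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned -and $_.Issuer -like "*$issuerFragment*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate issued by '$issuerFragment' found in the local computer personal store." }

$certDomains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"Certificate: {0} (expires {1})" -f $cert.Thumbprint, $cert.NotAfter
"Enabled services: {0}"          -f $cert.Services
"Subject/SAN domains: {0}"       -f ($certDomains -join ", ")

# Exact match, or single-label wildcard match (*.example.com covers mail.example.com only).
function Test-DomainCovered([string]$fqdn) {
    foreach ($d in $certDomains) {
        if ($d -eq $fqdn) { return $true }
        if ($d.StartsWith("*.")) {
            $suffix = $d.Substring(1)                                   # ".example.com"
            $label  = $fqdn.Substring(0, [Math]::Max(0, $fqdn.Length - $suffix.Length))
            if ($fqdn.EndsWith($suffix) -and $label -notmatch '\.') { return $true }
        }
    }
    return $false
}

# 2. Collect the FQDNs transport announces for STARTTLS (the %1 in event 12014):
#    the connector's Fqdn, or the server's FQDN when the connector has none set.
$serverFqdn = (Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn.ToString().ToLower()
$connectorFqdns = @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + @(Get-SendConnector) |
    ForEach-Object { if ($_.Fqdn) { $_.Fqdn.ToString().ToLower() } else { $serverFqdn } } |
    Sort-Object -Unique

# 3. An uncovered FQDN needs a reissued certificate or a changed connector FQDN;
#    Enable-ExchangeCertificate alone will not clear event 12014 for it.
$missing = @($connectorFqdns | Where-Object { -not (Test-DomainCovered $_) })
if ($missing.Count -gt 0) { "WARNING: connector FQDN(s) not in certificate: " + ($missing -join ", ") }

# 4. Enable for SMTP (STARTTLS) and IIS (Outlook Anywhere, Autodiscover, OWA) only when needed.
$wanted  = "IIS", "SMTP"
$enabled = $cert.Services.ToString()
$toAdd   = @($wanted | Where-Object { $enabled -notmatch "\b$_\b" })
if ($toAdd.Count -gt 0) {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($wanted -join ",")
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Thumbprint, Services, CertificateDomains
} else {
    "Certificate is already enabled for $($wanted -join ', ')."
}
```

The warning in step 3 is the part worth keeping around after the fix: event 12014 will come back if a connector's FQDN is later changed to a name that is not in the certificate, and the final Get-ExchangeCertificate output is the quickest way to confirm which services the certificate is bound to.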