cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cant set smtp tls certificate for send-connector

lug-ms
Copper Contributor

‎Dec 17 2020 06:17 AM - edited ‎Dec 17 2020 06:18 AM

‎Dec 17 2020 06:17 AM - edited ‎Dec 17 2020 06:18 AM

Cant set smtp tls certificate for send-connector

I have an Exchange in Hybrid Mode with O365.

After renewing the certificate (not self signed, its from sectigo) I cant assign it to SMTP, and therefore I cannot assign it to the "Outbound to O365" Connector.

I am running Exchange Server 2016 CU18

 

Steps to reproduce:

 

$Cert = Get-ExchangeCertificate -Thumbprint *example*
$tlscertname = "<i>$($Cert.Issuer)<s>$($Cert.Subject)"

$tlscertname
<i>CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB<s>CN=*.example.org

Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $tlscertname

 

 

Output: 

 

Das angegebene Zertifikat ist nicht für das SMTP-Protokoll aktiviert. Nur Zertifikate, die für das SMTP-Protokoll aktiviert sind,
können für Sendeconnectors festgelegt werden. Um ein Zertifikat für SMTP zu aktivieren, verwenden Sie das Cmdlet
"Enable-ExchangeCertificate".
+ CategoryInfo : InvalidOperation: (Outbound to Office 365:ADObjectId) [Set-SendConnector], InvalidOperationException
+ FullyQualifiedErrorId : [Server=EXCHANGE2016,RequestId=5299e36d-0cfd-41b0-94a8-0ef459bd7034,TimeStamp=17.12.2020 14:10:50] [Fa
ilureCategory=Cmdlet-InvalidOperationException] 7B5AFD30,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector
+ PSComputerName : exchange2016.int.example.org

 

 

Alright, So I execute:

 

Enable-ExchangeCertificate -Thumbprint *example* -Services SMTP

 

 

This executes without any error or success message, but it does nothing.

 

The only cert with smtp role is:

 

 

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Federation}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Federation
NotAfter : 19.11.2023 08:02:45
NotBefore : 19.11.2018 08:02:45
PublicKeySize : 2048
RootCAType : None
SerialNumber : *example*
Services : SMTP, Federation
Status : Valid
Subject : CN=Federation
Thumbprint : *example*

 

 

Assing my cert to smtp with the ECP doesn't do anything either.

 

I have tried a wildcard cert *.example.org and a cert with exactly the hosts fqdn exchange2016.example.org, both don't work.

I also updated from CU 17 to CU 18, but that didn't help.

Labels:
11.5K Views
0 Likes
10 Replies
Reply
10 Replies
Dominik Hoefling

‎Dec 17 2020 10:50 AM

‎Dec 17 2020 10:50 AM

Re: Cant set smtp tls certificate for send-connector

@lug-ms you should run HCW version 17.x (newest) and let the agent do the job. Certificate replacement requires to re-run HCW and this should then work without any problem.

0 Likes
Reply
lug-ms

‎Dec 17 2020 10:56 AM

‎Dec 17 2020 10:56 AM

Re: Cant set smtp tls certificate for send-connector

@Dominik Hoefling
The hcw does the same thing in powershell, and fails with the same error, see attachment
Preview file
97 KB
0 Likes
Reply
Dominik Hoefling

‎Dec 17 2020 11:00 AM

‎Dec 17 2020 11:00 AM

Re: Cant set smtp tls certificate for send-connector

@lug-ms are there other certificates bound to the SMTP service? If you run Get-ExchangeCertificate you should see all thumbprints and services (S stands for SMTP).

0 Likes
Reply
lug-ms

‎Dec 17 2020 11:02 AM

‎Dec 17 2020 11:02 AM

Re: Cant set smtp tls certificate for send-connector

@Dominik Hoefling 

 

Yes, the federation certificate is bound to SMTP, which probably automatically happened when removing the old certificate from the server.

You can see more details about the federation cert in my starting post ;)

0 Likes
Reply
Dominik Hoefling

‎Dec 17 2020 11:07 AM

‎Dec 17 2020 11:07 AM

Re: Cant set smtp tls certificate for send-connector

@lug-ms I didn't understand it because you said the only certificate that has SMTP is the Federation certificate, but then you mentioned that enabling the smtp service on the new certificate has been successful. So this means there are two certificates with the SMTP service but the "real" one does not work for hybrid (error message), is this correct?

 

If yes, you can disable the SMTP service for the federation certificate and the new certificate, then just enable it for the new certificate again with the same cmdlet. To disable the SMTP service, you can run Enable-ExchangeCertificate -Services None -Thumbprint XXX

0 Likes
Reply
lug-ms

‎Dec 17 2020 12:37 PM - edited ‎Dec 17 2020 12:37 PM

‎Dec 17 2020 12:37 PM - edited ‎Dec 17 2020 12:37 PM

Re: Cant set smtp tls certificate for send-connector

@Dominik Hoefling 

 

No I said enabling it for SMTP does NOT work.

I said the command executed withouth any return (which would be okay for a successful run), but it doesn't do anything. It's not enabling the cert for SMTP.

0 Likes
Reply
MarkusOE

‎Dec 22 2022 06:18 AM - edited ‎Jan 08 2023 11:32 PM

‎Dec 22 2022 06:18 AM - edited ‎Jan 08 2023 11:32 PM

Re: Cant set smtp tls certificate for send-connector

Summary:

Export your certificate including private key as .pfx and then re-import it either using Exchange Management Shell or ECP (not: MMC!).

 

Approved solution method:

a) [PS] $bincert = Export-ExchangeCertificate -BinaryEncoded -Thumbprint <Certificate Thumbprint> -Password (Get-Credential).password
b) [PS] [System.IO.File]::WriteAllBytes('C:\users\user\desktop\wildcard23.pfx', $bincert.FileData)
c) Delete the certificate from your computer using MMC

d) [PS] Import-ExchangeCertificate -Server <servername> -FileData ([System.IO.File]::ReadAllBytes('\\localhost\c$\users\user\desktop\wildcard23.pfx')) -Password (Get-Credential).password

0 Likes
Reply
Ahmed_Masoud97

‎Dec 22 2022 06:53 AM

‎Dec 22 2022 06:53 AM

Re: Cant set smtp tls certificate for send-connector

@lug-ms 

Hello, it's Ahmed and I will try to help

 

It looks like you are trying to assign a TLS certificate to a send connector in your Exchange Server 2016, but are encountering an error message that says the specified certificate is not enabled for the SMTP protocol.

 

To enable a certificate for the SMTP protocol, you can use the Enable-ExchangeCertificate cmdlet as you mentioned. However, it appears that the cmdlet is not having the desired effect in your case.

One possible reason for this could be that the certificate you are trying to use is not a valid SMTP certificate. To be used for the SMTP protocol, a certificate must meet certain requirements, such as being issued by a trusted certificate authority (CA) and being associated with the domain that you want to use it for.

 

It's also possible that the certificate has already been enabled for the SMTP protocol, in which case you will not see any success message when running the Enable-ExchangeCertificate cmdlet.

One way to verify that the certificate is enabled for the SMTP protocol is to check the Services property of the certificate. You can do this by running the following command:

 

Get-ExchangeCertificate -Thumbprint *example* | Select-Object Services

 

This should display a list of the services that the certificate is enabled for. If SMTP is included in this list, then the certificate is already enabled for the SMTP protocol, and you should be able to use it for your send connector.

 

If the certificate is not enabled for the SMTP protocol, you can try enabling it again using the Enable-ExchangeCertificate cmdlet, as shown in your example. Make sure to include the -Services SMTP parameter to specify that you want to enable the certificate for the SMTP protocol.

If you continue to have issues after trying these steps, it may be helpful to check the event logs on your Exchange Server for any error messages or other clues that might help to diagnose the problem. You can also try contacting Microsoft support or consulting the Exchange Server documentation for further assistance.

 

Please let me know the result :)

0 Likes
Reply
ic-rohn

‎Dec 29 2022 07:16 AM

‎Dec 29 2022 07:16 AM

Re: Cant set smtp tls certificate for send-connector

Hello Ahmed, 

I have the same issue as @lug-ms 

I have two Exchange Server 2016 (CU23) in Hybrid Mode with O365. After renewing the certificate I cant assign it  to the "Outbound to O365" Connector or any other Send-Connector. I got the same error:

2022-12-29 15_56_13-ex2016-a - Remotedesktopverbindung-1.png

I try to enable the certificate (thumbprint 7AEE6646B5F788B61A2101A928B141C59A1EFC08):

2022-12-29 15_53_48-ex2016-a - Remotedesktopverbindung - __Remote.png

You see, the certificate is not activate for SMTP and trying to assign it to the Outbound-Connector throws the same error. 

Another view to the certificates of the server:

2022-12-29 15_54_40-ex2016-a - Remotedesktopverbindung - __Remote.png

Only the Federation-certificate is activated for SMTP. 

But when I try to activate another certificate for SMTP, I get this warning:

2022-12-29 16_00_25-ex2016-a - Remotedesktopverbindung3.png

Is this a problem of the german version of the exchange-server?

How can I activate then new certificate to a Send-Connector?

 

0 Likes
Reply
RS_168

‎Nov 20 2023 05:00 AM

‎Nov 20 2023 05:00 AM

Re: Cant set smtp tls certificate for send-connector

@ic-rohn 

My problem was that I had installed two certificates with the same subject and the same issuer. The old (possibly expired) certificate must be deleted from Exchange at first.

0 Likes
Reply