[Solved] – Problem loading a certificate to be used for STARTTLS Purpose in Microsoft Exchange 2007

 

Generally this condition occurs if any one of the following is true:

1. The fully qualified domain name (FQDN) specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange Server 2007 transport server, and no certificate installed on that computer contains the FQDN in its Subject or Subject Alternative Name field.

2. A third-party or custom certificate that contains a matching FQDN has been installed on the server, but the certificate is not enabled for the SMTP service.

The Warning event indicates that there is a problem loading a certificate to be used for STARTTLS purposes. Here is how to resolve it.

1. Open the "Exchange Management Shell".

2. Type the following command and press Enter:

    Get-ExchangeCertificate

3. Write down the Thumbprint of the certificate that contains the required FQDN of the server.

4. Review the certificates currently in use by the Exchange server and the service(s) each one is enabled for.

5. Type the following command and press Enter, replacing "ThisIsYourThumbPrintKey" with the Thumbprint value obtained in step 3:

    Enable-ExchangeCertificate -Thumbprint ThisIsYourThumbPrintKey -Services "SMTP"

6. Restart the Exchange server.

Now you're cooking with SSL security!!

Enjoy

Cubert  😎

 

For creating a certificate or certificate request for TLS, see the article below:

http://technet.microsoft.com/en-us/library/aa998840.aspx

How-to : Setup GoDaddy SSL on Tomcat using a Public Certificate

Hello again,

Today I will be walking you through the process of setting up your Tomcat installation to use a public SSL certificate. I will be using examples from my Ubuntu 11 box, but this will work with any Linux-based Tomcat install. We should have you up and running in just a few minutes. Here is what we are going to be doing:

  • Enable and initialize an empty keystore
  • Generate a certificate signing request (CSR)
  • Add a root certificate authority (CA) to your keystore
  • Import the generated certificate for use in Tomcat

To create and configure a public certificate for your Tomcat installation:

 

  1. Open an SSH terminal to the server.
  2. In the terminal, navigate to the Tomcat directory by typing the following command:

    cd /var/lib/tomcat/

  3. Type the following command to generate the key pair and the keystore that holds it:

    sudo keytool -genkey -alias Tomcat -keysize 2048 -keyalg RSA -keystore /var/lib/tomcat/.mykeystore

  4. Fill in the appropriate information when prompted. Type a new keystore password, and when the prompt asks for a first and last name, enter the fully qualified domain name (FQDN) of the server. The other fields are not as important as this one, because the name you enter here defines the URL the certificate is good for.
  5. Let's now generate a certificate signing request by typing the following command:

    sudo keytool -certreq -alias tomcat -keystore /var/lib/tomcat/.mykeystore -file godaddy-ssl-cert.req

  6. Copy the entire text from the .req file and paste it into the certificate request field of the GoDaddy SSL request form on the Godaddy.com website. Once the request is approved, GoDaddy will provide a zip file for download that includes your new SSL certificate and the GoDaddy root CA certificate. We will be installing both certificates into the keystore, so copy them up to your Ubuntu (Linux) system.
  7. Import the CA's root certificate using the following command (replace the file location with the location where you placed your new certificates from GoDaddy):

    sudo keytool -import -trustcacerts -alias rootCA -file /home/myuser/gd_bundle.crt -keystore /var/lib/tomcat/.mykeystore

  8. Import your certificate signed by GoDaddy by typing the following command (replace myFQDN.crt with the file name and location of the new GoDaddy certificate):

    sudo keytool -import -alias tomcat -keystore /var/lib/tomcat/.mykeystore -trustcacerts -file /home/myuser/myFQDN.crt

  9. Lastly, edit the /var/lib/tomcat/conf/server.xml file. Point the "keystoreFile" attribute to the location of the keystore, and include the "keystorePass" attribute containing the password to your keystore. This is the part of the file that you should modify:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/var/lib/tomcat/.mykeystore"
               keystorePass="your keystore password" />
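A check worth running after either procedure on this page (the Exchange STARTTLS certificate above, and the Tomcat keystore just configured) is to confirm that the server now presents a certificate whose SAN or CN actually covers the expected FQDN. The script below is an added example, not from the original post: it fetches the certificate with openssl s_client (negotiating STARTTLS on port 25), parses the names out of the x509 text dump, and matches them against the FQDN, including one-label wildcards; the host names and the sample certificate dump are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check that the certificate a server
# presents (Exchange SMTP with STARTTLS, or Tomcat HTTPS) covers the FQDN you expect.
# Needs only openssl, sed and tr; all host names below are placeholders.

# 0 if pattern $2 (a plain name or a one-label wildcard such as *.example.com) covers $1.
name_matches() {
    case $2 in
        \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1%%.*}" != "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Print the DNS SAN entries, then the Subject CN, from `openssl x509 -noout -text` output.
cert_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
    printf '%s\n' "$1" | sed -n 's|.*Subject:.*CN *= *\([^,/[:space:]]*\).*|\1|p'
}

# 0 if any name in certificate dump $2 covers FQDN $1 (DNS names are case-insensitive).
cert_covers_fqdn() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    set -f   # keep the shell from globbing a "*.example.com" entry
    for n in $(cert_names "$2" | tr '[:upper:]' '[:lower:]'); do
        if name_matches "$fqdn" "$n"; then set +f; return 0; fi
    done
    set +f; return 1
}

# Dump the leaf certificate a live server presents; port 25 negotiates STARTTLS first.
fetch_cert_text() {
    opts=""; [ "$2" = 25 ] && opts="-starttls smtp"   # $opts is word-split on purpose
    openssl s_client -connect "$1:$2" -servername "$1" $opts </dev/null 2>/dev/null |
        openssl x509 -noout -text
}
# Constructed sample dump (not a real certificate) so the parser can be exercised offline.
SAMPLE_CERT_TEXT='        Issuer: C = US, O = Example CA, CN = Example Intermediate CA
        Subject: C = US, O = Example Corp, CN = mail.example.com
            X509v3 Subject Alternative Name:
                DNS:mail.example.com, DNS:*.example.com'
cert_covers_fqdn smtp.example.com "$SAMPLE_CERT_TEXT" && echo "sample: wildcard covers smtp.example.com"
# Live check, e.g.  CHECK_HOST=mail.example.com CHECK_PORT=25 sh check_tls_name.sh
if [ -n "${CHECK_HOST:-}" ]; then
    cert_text=$(fetch_cert_text "$CHECK_HOST" "${CHECK_PORT:-443}") || exit 2
    if cert_covers_fqdn "$CHECK_HOST" "$cert_text"; then
        echo "OK: $CHECK_HOST presents a certificate valid for that name"
    else
        echo "MISMATCH: certificate names: $(cert_names "$cert_text" | tr '\n' ' ')"; exit 1
    fi
fi
```

Without CHECK_HOST set, the script only runs the offline sample; a MISMATCH against a Tomcat host usually means the CN typed at the keytool "first and last name" prompt was not the FQDN, and against Exchange that a different certificate is still the one enabled for SMTP.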

 

The instructions below can be followed to update a certificate, assuming you will be using the same keystore.

How-To clear the Tomcat alias:

 

1. Open an SSH terminal session to Ubuntu.

2. Create a backup of the previous alias by typing the following command:

    sudo keytool -export -alias Tomcat -keystore /var/lib/tomcat/.mykeystore -file MyBackup.cer

3. After a successful backup, type the following command to clear out the Tomcat alias:

    sudo keytool -delete -alias Tomcat -keystore /var/lib/tomcat/.mykeystore


You should now be able to run the commands to create and import a new certificate.


I hope this makes quick work for someone out there.

Enjoy

Cubert