Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.
Category published:  Exchange 2013 Exchange 2016 Exchange 2019 M365,AZURE,INTUNE Microsoft Exchange   Click on the Category button to get more articles regarding that product.

Exchange: Error when you want to change a Receive Connector TLS with a Cert with no Common Name

Posted by admin on 01.02.2023

On an Exchange 2016/2019/M365/Azure you want to change the TLS Certificate of your Receive Connector.

Your SAN (Subject Alternate Name) or Wildcard Certificate has no Common Name [CN] (Empty).

When you try to assign the cert the regular way you get an error. Nothing wrong with the Cert company just the other side (Requester/Converter) as per RFC.

https://www.rfc-editor.org/rfc/rfc2818

RFC 2918 describes the Common Name

  1. If a subjectAltName extension of type dNSName is present, that MUST be used as the identity.
  2. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used.
  3. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead

Below: You can clearly see that Azure/M365 does not solve all 😉 Poor Cloud customer who believe all that sales tells them…..

ERROR:

Cannot process argument transformation on parameter ‘TlsCertificateName’. Cannot convert value “<TLSCertName>” to type “Microsoft.Exchange.Data.SmtpX509Identifier”. Error:

 “”<TLSCertName>” isn’t a valid Certificate Identifier.”

+ CategoryInfo : InvalidData: (:) [Set-ReceiveConnector], ParameterBindin…mationException

+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ReceiveConnector

 

This happens because your Multi Domain/SAN/Wildcard cert was issued without the correct COMMON NAME = CN attribute

Here is a sample shown in Exchange that is correct:

CN= Has a value behind it right side

Here is what the Certificates looks:

Above one with the Common Name, Below one with Common Name missing.

Solution sample for a Receive Connector called “RELAY_SERVER_TLS_PORT_26” on SERVER1

$cert = Get-ExchangeCertificate –Thumbprint 21B5FA4FA9E8D555444A37644437DCE4B9DDC4AACFD

$tlscertificatename = “<i>$($cert.Issuer)<s>$($cert.Subject)”

Set-ReceiveConnector “SERVER1\RELAY_SERVER_TLS_PORT_26” -TlsCertificateName $tlscertificatename

 

EXTERNAL > DIGICERT Common Name for Wildcard:

https://docs.digicert.com/en/certcentral/certificate-tools/certificate-lifecycle-automation-guides/common-name–cn–for-a-wildcard-certificate.html


 Category published:  Exchange 2013 Exchange 2016 Exchange 2019 M365,AZURE,INTUNE Microsoft Exchange   Click on the Category button to get more articles regarding that product.

Related Post

Outlook.exe, delay in receive and sending E-Mail in cached mode how to solve with GPO

M365, Intunes Company Portal 0x87D1041C when UWP assigned to user AND device

SMB over QUIC a OneDrive, Sharepoint replacement, SRV 2025?

Template theme: Newsup by Themeansar (External Link, you will leave www.butsch.ch).