Cannot remove Exchange 2007 expired SSL Certificate
I have been getting the following error for about a month now, and have not been able to resolve it:Inbound direct trust certificate with thumbprint xxxxxxxxxxxxxxx has expired. Run New-ExchangeCertificate to generate a new direct trust certificate.This cert was added in as a test for IMAP and POP services. I currently have a valid cert added in for IMAP and POP, and everything is working great. However, this expired cert will not go away!If I run: enable-exchangecertificate thumbprint xxxxxxxxx services noneThe command goes through with out any errors, but if you look at the get-exchangecertificate, xxxxxxxxx still shows IP services tied to it.Because the services are still bound the cert you cannot run:Remove-exchangecertificate thumbprint xxxxxxxxxx
Has any one out their seen this issue?
May 25th, 2007 6:04pm
Have you tried using the certificates MMC snap in to remove it from the computer's personal store? I removed the self-signed cert using that method with no problems.
Free Windows Admin Tool Kit Click here and download it now
May 25th, 2007 6:28pm
I just deleted it from the certificates MMC. However, the exchange server still sees the cert and I am not unable to disable or delete with in the shell.
May 25th, 2007 6:49pm
you may need to restart the services that are tied to the expired cert, but otherwise i'm stumped. The documentation on it is lacking online http://technet.microsoft.com/en-us/library/bb310795.aspxand it doesn't look like it'll help. Sorry I'm stumped but without a doc the best i could do is tell you what worked for me.
Free Windows Admin Tool Kit Click here and download it now
May 25th, 2007 7:09pm
The only services that are tied to the cert is IMAP and POP. Currently both services have been stopped and set to disable. ??
May 25th, 2007 7:18pm
I finally corrected the issue.
Resolution:
During the test phase of exchange 2007 I had demo certificates from our internal CA installed. I was able to remove all but one test cert from the server.
Once the server went in to production, I started getting transport messages telling me that xxxxxx cert had expired. In all reality the cert is valid until 2009.
I found that the test cert was not xxxxxxx but 1xxxxxxxx, which is still valid until next month. Ok, this is just very strange!!! So, for fun I removed the 1xxxxxxxx cert in side the exchange shell and all our problems went away!!!
-Note-
Remove all test certs from Exchange before putting the server into production! The server does not like duplicate certs installed, even if they have different thumbprints. J
Free Windows Admin Tool Kit Click here and download it now
May 25th, 2007 9:22pm
I just started getting the same error.
Inbound direct trust certificate with thumbprint 278A4377D4E1AE212F49D0D3E792A97F77D9E55C has expired. Run New-ExchangeCertificate to generate a new direct trust certificate.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Only now myPOP/imap remoteclients cannot connect to smtp. I have removed any eroneous certs via mmc. I tried the enablecert command tried to create new cert ....nothing
guishedNameSignatureAlgorithm : System.Security.Cryptography.OidThumbprint : 2C6D4A4F95CF196C464E3137B7AAA6818F20C516Version : 3Handle : 474084848Issuer : CN=mail, DC=opsales, DC=clipons, DC=comSubject : CN=exchangesvr1.opsales.clipons.com
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst em.Security.AccessControl.CryptoKeyAccessRule, System.Se curity.AccessControl.CryptoKeyAccessRule}CertificateDomains : {exchangesvr1, exchangesvr1.opsales.clipons.com}CertificateRequest :IisServices : {}IsSelfSigned : TrueKeyIdentifier : 053B317998EAFA1E64EE9029C04C790F01C4D5A8RootCAType : NoneServices : SMTPStatus : ValidPrivateKeyExportable : FalseArchived : FalseExtensions : {System.Security.Cryptography.Oid, System.Security.Crypt ography.Oid, System.Security.Cryptography.Oid, System.Se curity.Cryptography.Oid}FriendlyName : Microsoft ExchangeIssuerName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameNotAfter : 5/12/2008 2:25:46 PMNotBefore : 5/12/2007 2:25:46 PMHasPrivateKey : TruePrivateKey : System.Security.Cryptography.RSACryptoServiceProviderPublicKey : System.Security.Cryptography.X509Certificates.PublicKeyRawData : {48, 130, 3, 40, 48, 130, 2, 16, 160, 3, 2, 1, 2, 2, 16, 86...}SerialNumber : 5630025646F08B934CFD59ADED9F73AFSubjectName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameSignatureAlgorithm : System.Security.Cryptography.OidThumbprint : 6EC893C5B64799BC48D03D1103B660A951CE962AVersion : 3Handle : 474091376Issuer : CN=exchangesvr1Subject : CN=exchangesvr1
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst em.Security.AccessControl.CryptoKeyAccessRule}CertificateDomains : {mail.opsales.com}CertificateRequest : MIIElTCCA30CAQAwPzELMAkGA1UEBhMCdXMxFTATBgNVBAoTDG9wc2Fs ZXMgY29y cDEZMBcGA1UEAxMQbWFpbC5vcHNhbGVzLmNvbTCCASIwDQYJKoZIhvcN AQEBBQAD ggEPADCCAQoCggEBAMN4BUJFifVeoPFDnNm/rVAmk++jExtBvLZ1bG6Q oFHw2i7D HWquUIXvciUx9K6SjBoH2uTTIFeB/8XxcMXOZ0u0Xq7OXyCwn/8iLWX2 hVHOn7oS e97f6kMiq3vp60eK2C11d5hthiI2xqV7+X9fWP5yL1w/bzMCzGoDyZDB pR6Q+1TM qKp3US14ZyTrGCbdyZRPURPEuJ4U8S0ykwc5foVPGh2GNKu46vPQL/Qg 2NdWLSE9 Itl5KZF4SCmx0KtzxSoQeiaLzpMvpWwtlIesR47h2r0b1JEL9FQ+Q/M+ ScMEEygb zzyKl6csxOwUocSAx8huBkRCAxX5L5zp/lG+gHECAwEAAaCCAg8wGgYK KwYBBAGC Nw0CAzEMFgo1LjIuMzc5MC4yMFsGCSsGAQQBgjcVFDFOMEwCAQEMIGV4 Y2hhbmdl c3ZyMS5vcHNhbGVzLmNsaXBvbnMuY29tDBVPUFNBTEVTXGFkbWluaXN0 cmF0b3IM DlBvd2VyU2hlbGwuZXhlMIGTBgkqhkiG9w0BCQ4xgYUwgYIwHQYDVR0O BBYEFMzV siokedwS43Xg2dKj/IKoUgFwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwG A1UdEwEB /wQCMAAwLgYDVR0RAQH/BCQwIoITb3BzYWxlcy5jbGlwb25zLmNvbYIL b3BzYWxl cy5jb20wDgYDVR0PAQH/BAQDAgWgMIH9BgorBgEEAYI3DQICMYHuMIHr AgEBHloA TQBpAGMAcgBvAHMAbwBmAHQAIABSAFMAQQAgAFMAQwBoAGEAbgBuAGUA bAAgAEMA cgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHID gYkAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADANBgkq hkiG9w0B AQUFAAOCAQEAHgJco1ZwlY8kxE38y/JKmFQ5JC5dJE+x5h8bmVkgnuM6 2IgHb9vs NtVk2KRfnz0UgShOYzwnpBv5fLa4oPAuf5byAFG0ErWs58n8xoswaoy8 dXuDmnPO 4xthIKWkoxVaAff73GDyTbdG0J8c3qprOCSOE2yfNVnd+EW8w9lUCo8B d0ivqWBR qJ53jId2auLbgEDlvw3ZkPw8JkmVq5c4b/Hy22PObtPgPS/HY9RXxs0F NGDTlmOS 23vz3lmMuiuJu8L5q0HNPAjCsvbbUPjglEqBe4kBT3ZTHzb2P+ujFs2y /AbXoNMx ba81sPwJn2i+UqNi/fc8jDA8rj6CFbmXPg==BIisServices : {}IsSelfSigned : TrueKeyIdentifier : CF733064D9F365C2FAA3412BD2CCCCFCAB5CDB55RootCAType : UnknownServices : NoneStatus : InvalidPrivateKeyExportable : FalseArchived : FalseExtensions : {}FriendlyName : Microsoft ExchangeIssuerName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameNotAfter : 5/11/2008 8:17:30 PMNotBefore : 5/12/2007 2:17:30 PMHasPrivateKey : TruePrivateKey : System.Security.Cryptography.RSACryptoServiceProviderPublicKey : System.Security.Cryptography.X509Certificates.PublicKeyRawData : {48, 130, 1, 253, 48, 130, 1, 234, 160, 3, 2, 1, 2, 2, 1 6, 5...}SerialNumber : 0538D77A14C3C8B54E775FD6D98D7682SubjectName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameSignatureAlgorithm : System.Security.Cryptography.OidThumbprint : FA708F4CDA4090864B16754FF33843C47CEAD7E7Version : 3Handle : 474087408Issuer : CN=mail.opsales.com, O=opsales corp, C=usSubject : CN=mail.opsales.com, O=opsales corp, C=us
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst em.Security.AccessControl.CryptoKeyAccessRule, System.Se curity.AccessControl.CryptoKeyAccessRule}CertificateDomains : {exchangesvr1, exchangesvr1.opsales.clipons.com}CertificateRequest :IisServices : {}IsSelfSigned : TrueKeyIdentifier : ED246FC8D2898185F27ECF4DAEE9922133E5EE87RootCAType : NoneServices : SMTPStatus : ValidPrivateKeyExportable : FalseArchived : FalseExtensions : {System.Security.Cryptography.Oid, System.Security.Crypt ography.Oid, System.Security.Cryptography.Oid, System.Se curity.Cryptography.Oid}FriendlyName : Microsoft ExchangeIssuerName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameNotAfter : 5/12/2008 2:13:18 PMNotBefore : 5/12/2007 2:13:18 PMHasPrivateKey : TruePrivateKey : System.Security.Cryptography.RSACryptoServiceProviderPublicKey : System.Security.Cryptography.X509Certificates.PublicKeyRawData : {48, 130, 3, 40, 48, 130, 2, 16, 160, 3, 2, 1, 2, 2, 16, 133...}SerialNumber : 85D568EB984DA2B14D2929125A822DF0SubjectName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameSignatureAlgorithm : System.Security.Cryptography.OidThumbprint : 6BACA8C12998927F34D93732BDE48A7376C8347AVersion : 3Handle : 474091232Issuer : CN=exchangesvr1Subject : CN=exchangesvr1
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst em.Security.AccessControl.CryptoKeyAccessRule}CertificateDomains : {mail.opsales.com}CertificateRequest :IisServices : {}IsSelfSigned : FalseKeyIdentifier : DC0DC835FBF874154803471E54FD5BE00FEB25B5RootCAType : EnterpriseServices : IMAP, POPStatus : UnknownPrivateKeyExportable : TrueArchived : FalseExtensions : {System.Security.Cryptography.Oid, System.Security.Crypt ography.Oid, System.Security.Cryptography.Oid, System.Se curity.Cryptography.Oid, System.Security.Cryptography.Oi d, System.Security.Cryptography.Oid, System.Security.Cry ptography.Oid, System.Security.Cryptography.Oid}FriendlyName : mailopsalesIssuerName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameNotAfter : 5/11/2009 1:08:12 PMNotBefore : 5/12/2007 1:08:12 PMHasPrivateKey : TruePrivateKey : System.Security.Cryptography.RSACryptoServiceProviderPublicKey : System.Security.Cryptography.X509Certificates.PublicKeyRawData : {48, 130, 5, 220, 48, 130, 4, 196, 160, 3, 2, 1, 2, 2, 1 0, 56...}SerialNumber : 38BAABFC000000000007SubjectName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameSignatureAlgorithm : System.Security.Cryptography.OidThumbprint : CD79E9AD77D055D1708CD83B7765785084E023F5Version : 3Handle : 474234272Issuer : CN=mail, DC=opsales, DC=clipons, DC=comSubject : CN=mail.opsales.com, OU=opsales, O=opsales, L=islandpark , S=ny, C=US
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst em.Security.AccessControl.CryptoKeyAccessRule}CertificateDomains : {opsales.com}CertificateRequest :IisServices : {}IsSelfSigned : FalseKeyIdentifier : CF80422E6472D927ECBE98EFE6B1E2F8A172B31ERootCAType : UnknownServices : NoneStatus : InvalidPrivateKeyExportable : TrueArchived : FalseExtensions : {System.Security.Cryptography.Oid, System.Security.Crypt ography.Oid, System.Security.Cryptography.Oid, System.Se curity.Cryptography.Oid, System.Security.Cryptography.Oi d, System.Security.Cryptography.Oid, System.Security.Cry ptography.Oid, System.Security.Cryptography.Oid}FriendlyName : mailopsalesIssuerName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameNotAfter : 5/11/2009 12:55:23 PMNotBefore : 5/12/2007 12:55:23 PMHasPrivateKey : TruePrivateKey : System.Security.Cryptography.RSACryptoServiceProviderPublicKey : System.Security.Cryptography.X509Certificates.PublicKeyRawData : {48, 130, 5, 215, 48, 130, 4, 191, 160, 3, 2, 1, 2, 2, 1 0, 56...}SerialNumber : 38AEF16C000000000006SubjectName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameSignatureAlgorithm : System.Security.Cryptography.OidThumbprint : 592CC743085D83C11924C6FB186C49B48D888F36Version : 3Handle : 474084992Issuer : CN=mail, DC=opsales, DC=clipons, DC=comSubject : CN=opsales.com, OU=opsales, O=opsales, L=islandpark, S=n y, C=US
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst em.Security.AccessControl.CryptoKeyAccessRule, System.Se curity.AccessControl.CryptoKeyAccessRule}CertificateDomains : {exchangesvr1, exchangesvr1.opsales.clipons.com}CertificateRequest :IisServices : {IIS://exchangesvr1/W3SVC/1}IsSelfSigned : TrueKeyIdentifier : 1EBB8946999F4269AD633E01D6FE32DE88746711RootCAType : UnknownServices : IIS, SMTPStatus : ValidPrivateKeyExportable : FalseArchived : FalseExtensions : {System.Security.Cryptography.Oid, System.Security.Crypt ography.Oid, System.Security.Cryptography.Oid, System.Se curity.Cryptography.Oid}FriendlyName : Microsoft ExchangeIssuerName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameNotAfter : 4/4/2008 6:28:28 PMNotBefore : 4/4/2007 6:28:28 PMHasPrivateKey : TruePrivateKey : System.Security.Cryptography.RSACryptoServiceProviderPublicKey : System.Security.Cryptography.X509Certificates.PublicKeyRawData : {48, 130, 3, 40, 48, 130, 2, 16, 160, 3, 2, 1, 2, 2, 16, 141...}SerialNumber : 8DFBE64589AACAAC4D30CA29BFF6FE95SubjectName : System.Security.Cryptography.X509Certificates.X500Distin guishedNameSignatureAlgorithm : System.Security.Cryptography.OidThumbprint : 278A4377D4E1AE212F49D0D3E792A97F77D9E55CVersion : 3Handle : 474084560Issuer : CN=exchangesvr1Subject : CN=exchangesvr1
August 18th, 2007 9:14pm
PS
When I try to remove this cert from with in the shell , it says it is the default cert??
Free Windows Admin Tool Kit Click here and download it now
August 18th, 2007 9:19pm
Hi,
i've latly noticed this error in my server aswell.
I have only two certificated installed, a one that i've created using the internal CA and has all the alternative names, SCP as microsoft suggested (working great)
besides that certificate i still have the self signed cert & the SMTP service still shows on it, although i've enabled the smtp on the certificate i made & have all the rest IIS,POP etc..
from the official microsoft Release notes of exchange 2007:
The event log entry with the source MSExchangeTransport and event ID 1036 is inaccurate The current text of event ID 1036 states "Inbound direct trust certificate with thumbprint %1 has expired. Run New-ExchangeCertificate to generate a new direct trust certificate." The event should state "The default TLS certificate for the server has been superseded but the new certificate has not been enabled for SMTP. Please run Enable-ExchangeCertificate to enable the new certificate for SMTP."
??? i did. also restarted the iis. the message still appeares.
anyone got a clue ?? i don't notice any mail flow errors btw.
Thanks.
September 5th, 2007 9:43pm
I have a similar problem. Yesterday suddenly email stopped coming in from outside the companyand looking at theExchange 2007 server we started getting the following error.
Event Type:ErrorEvent Source:MSExchangeTransportEvent Category:TransportService Event ID:12014Description:Microsoft Exchange couldn't find a certificate that contains the domain name server.domainname.com in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of server.domainname.com. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.
After some digging, I found that our third party cert didn't have SMTP enabled, but that the self signed cert did and it apparently expired. Once I enabled SMTP on our TP cert(Enable-ExchangeCertificate -thumbprint xxxx -Services "SMTP") everything that had been sent during the down time started coming in. It took about twenty minutes, but if I had restarted the Exchange services it probably would have worked sooner.
Once I got things going again Iremoved the self signed certificates (there were two) using the MMC. Now I'm getting the following errors.
Event Type:ErrorEvent Source:MSExchangeTransportEvent Category:TransportService Event ID:12013Description:Microsoft Exchange couldnt find a certificate with a thumbprint of 1096F972720B6A0F9C23F3152CA74D148EA22C78 in the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers will be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 1096F972720B6A0F9C23F3152CA74D148EA22C78 services SMTP to resolve the issue. If the certificate doesnt exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by using New- ExchangeCertificate domainname serverfqdn services SMTP.
Event Type:ErrorEvent Source:MSExchangeTransportEvent Category:TransportService Event ID:12014Description:Microsoft Exchange couldn't find a certificate that contains the domain name server.domainname.com in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of server.domainname.com. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.
Before removing the two self signed certs I exported them to be safe. After I started getting these errors I re-imported both certs, but when I tried to remove the services associated with these certs (Enable-ExchangeCertificate -thumbprint xxxx -services "none"), the Exchange shell gave me error that the private key was missing. Now I can't disable the services associated with the certs and I'm getting this error.
Event Type:WarningEvent Source:MSExchangeTransportEvent Category:SmtpReceive Event ID:1037Description:Inbound direct trust certificate with thumbprint 1096F972720B6A0F9C23F3152CA74D148EA22C78 has expired. Run New-ExchangeCertificate to generate a new direct trust certificate.
Can someone please explain what I should do next to resolve this problem?
Thank you.
Free Windows Admin Tool Kit Click here and download it now
November 15th, 2007 8:18pm
I'm having the same issue, though in our case.. the cert its complaining about was tied to a former CA.. now that CA doesnt exist.. not sure what to do here.
December 14th, 2007 1:33am
In exchange management Shell type " get-exchangecertificate | fl " and post the result
Regards
Gayan
Free Windows Admin Tool Kit Click here and download it now
June 24th, 2010 8:52am