Event 12018 and STARTTLS
Today we noticed Event ID 12018.
"The STARTTLS certificate will expire soon: subject: PDXHQEX01.domain.local, hours remaining: E9A3341E4B43D321727470A6F48BA3E77B213BE2. Run the New-ExchangeCertificate cmdlet to
create a new certificate."
I ran the following cmdlet, get-exchangecertificate | fl, and below is the output.
It appears there are two certificates against the SMTP service, the third-party GoDaddy certificate and then a self-signed certificate. If that's the correct interpretation, can I remove the expiring self-signed certificate, and if so, how?
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.domain.com, www.mail.domain.com, PDXHQEX01,
PDXHQEX01.domain.local, autodiscover.domain.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
thority, OU=http://certificates.godaddy.com/repository, O=
"GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 10/21/2013 10:55:02 AM
NotBefore : 10/21/2009 10:55:02 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 04138601D62D88
Services : IMAP, POP, IIS, SMTP
Status : Invalid
Subject : CN=mail.domain.com, OU=Domain Control Validated, O=mai
l.domain.com
Thumbprint : 7AB58B29CDF01E8C6BA8E4FEE918C3EFE5558DB9
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {PDXHQEX01, PDXHQEX01.domain.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=PDXHQEX01
NotAfter : 9/17/2010 3:22:11 PM
NotBefore : 9/17/2009 3:22:11 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 21567601461F64B7429A4947576EB22D
Services : SMTP
Status : Valid
Subject : CN=PDXHQEX01
Thumbprint : E9A3341E4B43D321727470A6F48BA3E77B213BE2
August 18th, 2010 4:58pm
Just disable the thumbprint of the self-signed certificate.
set-exchangecertificate -thumbprint E9A3341E4B43D321727470A6F48BA3E77B213BE2 -status invalid
For the GoDaddy certificate, make it valid.
-Bpara
August 18th, 2010 5:12pm
Thank you for the quick response, I tried that cmdlet and it's not a recognized cmdlet. I Googled trying to find the right cmdlet and I'm not finding the right answer, suggestions?
August 18th, 2010 5:52pm
Sorry,
you'd better try
Remove-ExchangeCertificate -Thumbprint E9A3341E4B43D321727470A6F48BA3E77B213BE2
-Bpara
August 18th, 2010 5:57pm
OK, I'll try that, but I'll need to set the status on the other certificate to VALID, thoughts on that?
August 18th, 2010 6:05pm
Enable that one. It will work.
enable-ExchangeCertificate -Thumbprint 7AB58B29CDF01E8C6BA8E4FEE918C3EFE5558DB9
-Bpara
August 18th, 2010 6:08pm
Is it ok?
-Bpara
August 19th, 2010 2:08pm
I'll do this Friday evening, I'll post back.
Thanks!
August 20th, 2010 1:40am
Hi briwlls97212,
From the output of get-exchangecertificate | fl, the GoDaddy certificate's RootCAType is Unknown.
Unknown means: Exchange is unable to determine the type of certificate that is installed.
It should be Thirdparty.
Please also check whether the GoDaddy intermediate certificates are installed or not.
I would suggest you contact GoDaddy as well.
Frank Wang
August 20th, 2010 11:20am
Hi briwlls97212,
Any updates on your issue?
Frank Wang
August 24th, 2010 5:07am
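Added example, not part of the thread: before removing or enabling anything, it helps to see every certificate bound to SMTP together with its hours remaining, Status and RootCAType, the fields discussed above. The function name, the 720-hour warning window and the sample objects (built from the two certificates in the question, with a constructed "current time") are assumptions for illustration.

```powershell
# Added example: triage certificates bound to SMTP (the service Event 12018 is about).
function Get-SmtpCertificateTriage {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Certificate,
        [datetime] $Now = (Get-Date),
        [int] $WarnHours = 720   # assumed warning window (30 days), not from the thread
    )
    foreach ($c in $Certificate) {
        # Services is a flags value; its string form looks like "IMAP, POP, IIS, SMTP"
        if ("$($c.Services)" -notmatch '\bSMTP\b') { continue }
        $hours = [int][math]::Floor(($c.NotAfter - $Now).TotalHours)
        $findings = @()
        if ($hours -le 0) {
            $findings += 'expired'
        } elseif ($hours -le $WarnHours) {
            $findings += "expires in $hours hours"
        }
        if ("$($c.Status)" -ne 'Valid') { $findings += "status is $($c.Status)" }
        if ("$($c.RootCAType)" -eq 'Unknown') {
            $findings += 'RootCAType Unknown, check intermediate certificates'
        }
        if ($c.IsSelfSigned) { $findings += 'self-signed' }
        New-Object PSObject -Property @{
            Thumbprint     = $c.Thumbprint
            Subject        = $c.Subject
            HoursRemaining = $hours
            Findings       = ($findings -join '; ')
        }
    }
}

# Constructed sample objects mirroring the two certificates in the question
$now = [datetime]'2010-08-18T16:58:00'   # constructed "current time"
$sample = @(
    (New-Object PSObject -Property @{
        Thumbprint = '7AB58B29CDF01E8C6BA8E4FEE918C3EFE5558DB9'; Subject = 'CN=mail.domain.com'
        Services = 'IMAP, POP, IIS, SMTP'; Status = 'Invalid'; RootCAType = 'Unknown'
        IsSelfSigned = $false; NotAfter = [datetime]'2013-10-21T10:55:02' }),
    (New-Object PSObject -Property @{
        Thumbprint = 'E9A3341E4B43D321727470A6F48BA3E77B213BE2'; Subject = 'CN=PDXHQEX01'
        Services = 'SMTP'; Status = 'Valid'; RootCAType = 'None'
        IsSelfSigned = $true; NotAfter = [datetime]'2010-09-17T15:22:11' })
)
Get-SmtpCertificateTriage -Certificate $sample -Now $now |
    Select-Object Thumbprint, HoursRemaining, Findings | Format-List

# Against a live server, from the Exchange Management Shell:
# Get-SmtpCertificateTriage -Certificate (Get-ExchangeCertificate)
```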