Exchange 2007 Certificates
Hi All, I'm getting 12018 errors on our Exchange Server. We have two certificates. One is from Equifax and the other is self-signed. The Equifax CertificateDomains is mail.public_domain_name.com. The self-signed CertificateDomains is exchange_server_name.internal_domain_name.com. The self-signed cert is the one showing the errors. They both have SMTP services, and the public cert also has the IIS service enabled. I'm wondering if I even need the internal cert. Is there a way to tell if the public cert covers all our Outlook client, OWA client, OutlookAnywhere client, authentication? Thanks for any help you can give me on this. Jim
April 26th, 2010 11:49pm

Sure, issue a Get-ExchangeCertificate and see what services are applied to the cert you want to use. http://technet.microsoft.com/en-us/library/bb124950(EXCHG.80).aspx Use Enable-ExchangeCertificate to apply services to the cert you choose (including SMTP!) http://technet.microsoft.com/en-us/library/aa997231(EXCHG.80).aspx
April 27th, 2010 1:46am

Thanks for the Reply. Do you have any information on the issues in my message? Thanks Jim
April 27th, 2010 4:35pm

Hello Jim Fitze, Check Event ID 12018 and look for the FQDN. As you said that you are getting the error for the self-signed certificate, I suggest that you create a new self-signed certificate for SMTP with the proper FQDN and then enable it. To create the self-signed certificate --> New-ExchangeCertificate -DomainName exchange_server_name.internal_domain_name.com -Services SMTP It will fix your issue. Microsoft Exchange Admin. & Connector EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
April 27th, 2010 4:45pm

Thanks PKT. I understand that I can replace the certificate. I have 2 issues: 1. Since the Equifax cert has both IIS and SMTP services enabled, do we even need the self-signed certificate? 2. Is there a way to tell if the public cert covers all our Outlook client, OWA client, OutlookAnywhere client, authentication? Thanks Jim
April 27th, 2010 4:57pm

1. If there are no services assigned to the self-signed certificate, you can remove it. 2. The only way to know whether a certificate is trusted by all clients is to examine all clients to verify that they have all the necessary root and intermediate certificates in their stores. Certain root and intermediate stores are available by default in Windows (different ones in different versions). My Vista OS has a couple Equifax trusted root certificates, and I see four in an XP workstation, but I don't see any in the Windows 7 workstation I built. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 27th, 2010 7:14pm

Thanks for the reply. I think the local Outlook clients may be using the self-signed certificate. I need a way to verify which cert is being used. Any ideas? Thanks. Jim
April 27th, 2010 7:29pm

Hold the Control key down. Right-click the Outlook icon in the right tray. Select Test E-Mail AutoConfiguration. Uncheck all tests except "Use Autodiscover". Run the tests. The URLs returned in the Results or XML tab will list the URLs the Outlook client (Exchange RPC) and the Outlook Anywhere client (Exchange HTTP) are being directed to. If you browse via HTTP to the URLs listed, check the certificate on the website and you'll know which cert is being used. (Example: if https://domain.com/EWS/Exchange.asmx is returned for EWS, open that link in a browser and check the cert, etc.)
April 27th, 2010 8:03pm
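
Added example, not part of the original thread: a PowerShell sketch for the Exchange Management Shell that reads the certificate a server actually presents on an HTTPS endpoint and matches its thumbprint against the Get-ExchangeCertificate inventory, which is the browser check described above done from the shell. The function name Get-PresentedCertificate is hypothetical, the host names are the placeholders used in this thread, and PowerShell 2.0 or later is assumed.

```powershell
# Added example; Get-PresentedCertificate is a hypothetical helper, not an Exchange cmdlet.
function Get-PresentedCertificate {
    param(
        [string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: the goal is to inspect the
        # certificate, not to trust it, so a self-signed one must not abort.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $cert | Select-Object Subject, Issuer, Thumbprint, NotAfter
        }
        finally { $ssl.Close() }
    }
    finally { $client.Close() }
}

# Placeholder names from the thread; substitute the real external and internal FQDNs.
$names = 'mail.public_domain_name.com',
         'exchange_server_name.internal_domain_name.com'
$installed = Get-ExchangeCertificate

foreach ($name in $names) {
    $presented = Get-PresentedCertificate -HostName $name
    Write-Host ("{0} presents {1} (expires {2})" -f $name, $presented.Subject, $presented.NotAfter)
    # Show the matching installed certificate and the services bound to it.
    $installed | Where-Object { $_.Thumbprint -eq $presented.Thumbprint } |
        Format-List Thumbprint, Services, CertificateDomains, IsSelfSigned
}

# Certificates with no services assigned are the candidates for cleanup.
$installed | Where-Object { $_.Services -eq 'None' } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

This checks HTTPS endpoints only; SMTP negotiates TLS through STARTTLS, which the function does not perform, so use the Services column of Get-ExchangeCertificate to see which certificates are enabled for SMTP.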

Get-ExchangeCertificate will tell you which certificate is enabled for which service. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 27th, 2010 8:46pm

Thanks AndyD_ "Autoconfiguration was unable to determine your settings!" "Autodiscover.xml FAILED (0x800C8203)" I know the URL for our OWA, and was able to confirm that the client is using the Equifax certificate. I'm not sure about OutlookAnywhere, but it works OK. I guess my main concern is with the local Outlook clients. I can't find where I can see what certificate they use. I just ran the test on one of our domain computers, and it was successful. It's looking like we are using both certificates. I'm going to go ahead and renew the self-signed one to buy some time and see if I can move everything to the Equifax cert. Thanks for all your help. Jim
April 27th, 2010 9:13pm

Not sure what you mean that they are using both certificates. Are the clients you are testing this from domain-joined machines? Also, test here: https://www.testexchangeconnectivity.com/
April 28th, 2010 12:26am

Yes they are domain members. I'm not sure how this system was originally set up, a year ago. Do most Exchange 2007 domains need two certificates? One is the self signed Microsoft cert that I believe got installed with Exchange. - SMTP Our ex-consultant installed the Equifax certificate for OWA, and Outlook Anywhere. - SMTP, IIS Now a year later, I get to troubleshoot the 12018 events. :) I know there is a combo type certificate, but I'm not sure if ours is that type. Today, I used the thumbprint to create a new certificate with SMTP, and removed the old one. The events have stopped. My goal was to NOT affect the Equifax certificate. I am able to use OWA, and rebooted a local Outlook 2007 computer and connected ok. So it all works, but I'd still like to know if we really need two certs. By the way we have three other certificates with NO services enabled. I can just remove them right? Thanks for your help, the link, and your patience.
April 28th, 2010 2:09am

The certificate type should be a Web Server certificate. You have two attached to SMTP but you need only one, and either the Equifax or the self-signed one should work, and having both enabled shouldn't be a problem either. The client doesn't decide which certificate to use. Only one can be bound to the Exchange website, and your output shows that only one is. Please post the complete event log entry you're referring to. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 28th, 2010 3:30am

Thanks Ed. I ended up renewing the self-signed certificate with instructions here: http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html Long ago, I messed up the certificates using the Exchange Command Shell. This time, with the above instructions, I was able to ensure that my commands affected only the self-signed certificate. The events then stopped, as they should. Now, I just need to know if I even need the self-signed certificate. Without the Exchange Server counting down to the expiration date, it's not a real pressing issue. I'd just like to clean up the system. As I mentioned, there are still certificates that don't have any services, that I'd like to remove... if safe to do so. Thanks
April 28th, 2010 5:32pm

It is my experience that if you have a third-party or internal CA certificate and enable it for SMTP, it works as well as the self-signed certificate. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
April 29th, 2010 4:31am

You can remove any certs you don't need.
April 29th, 2010 6:02am

Hi Jim, Have a read through the following article, this explains Exchange 2007 certificates in great detail and should clear up any confusion. http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates.html Regards Rob
October 13th, 2011 3:52am

This topic is archived. No further replies will be accepted.
