Expired internal transport certificates
Both my Hub and Edge internal transport certs have expired. The Microsoft KB says to run
New-ExchangeCertificate on the Hub and on the Edge and re-subscribe the Edge.
My question: Can't I just renew the certs as in the following MS example:
Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate
If not, does it matter if I run New-ExchangeCertificate on the Hub first, then the Edge, and finally re-subscribe the Edge by importing a new XML file?
Also, MS says importing a new XML does not require you to delete the current subscription first. Are the connectors impacted? Will I need to rebuild them?
I'm running Exchange 2007 SP2
Here's Microsoft's solution to the specific error:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12019&EvtSrc=MSExchangeTransport&LCID=1033
Thanks!
January 24th, 2011 4:50pm
Based on another article, renewing is only cloning. I'm expected to see another certificate, and that means the Edge will need to be re-subscribed.
Here's the article:
http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
I'm trying to confirm the necessary steps to renew my self-signed certs on the Edge and Hub.
Thanks!
January 25th, 2011 10:48am
Hi rudi,
As far as I know, if the self-signed certificate has already expired, you can only run
New-ExchangeCertificate to create a new self-signed one. In other words, you cannot clone (renew) the expired certificate.
TechNet also says: "It is a best practice to renew the self-signed certificates before they expire."
You can run the cmdlet Get-ExchangeCertificate | fl NotAfter to check whether it has expired or not.
And re-subscribing the Edge will not impact the connectors, etc.
Frank Wang
TechNet Subscriber Support
January 25th, 2011 9:56pm
Frank, thanks for your reply.
Here's what happened:
I renewed (cloned) the expired cert. I ended up with two certs. I think renewing or creating will always create a new thumbprint, or maybe this happens on expired certs only.
In an article Microsoft uses cloning as a way of handling expired certs.
http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
I enabled the new one and removed the old one. Not sure if these steps are necessary. Not sure if I had to use -Services SMTP when enabling, but I did to make sure.
I restarted the ActiveSynch after doing this on the Hub.
Hub returned to a good state.
I did the same on the Edge, but it required subscribing the Edge again. The difference between subscribing and re-subscribing is that re-subscribing will overwrite the old subscription, and the send connectors returned to their defaults.
I re-configured the send connectors.
I performed a manual synchronization.
My certs are now valid for 5 years.
Rudi
January 26th, 2011 11:10am
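The procedure Rudi describes above (check NotAfter as Frank suggests, clone the expired self-signed cert, enable the clone for SMTP, remove the old one, restart transport, then re-subscribe the Edge and re-check the send connectors) as one Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft's article; the function name, the XML path, the Active Directory site name and the backup file names are assumptions to adjust for your environment. The cmdlets themselves (Get/New/Enable/Remove-ExchangeCertificate, New-EdgeSubscription, Start-EdgeSynchronization, Test-EdgeSynchronization, Get-SendConnector) are the Exchange 2007 ones.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on Exchange 2007. Assumed names: Renew-SelfSignedSmtpCertificate,
# C:\EdgeSubscription.xml, the site "Default-First-Site-Name" and the
# backup file C:\SendConnectors-before.xml.

function Renew-SelfSignedSmtpCertificate {
    # Run on the Hub and on the Edge. Clones every expired self-signed
    # certificate bound to SMTP. Note that the pipeline form of
    # New-ExchangeCertificate creates a NEW certificate with a new
    # thumbprint and validity period; it does not extend the old one.
    $now = Get-Date
    $expired = Get-ExchangeCertificate | Where-Object {
        $_.IsSelfSigned -and ($_.Services -match 'SMTP') -and ($_.NotAfter -lt $now)
    }

    if (-not $expired) {
        Write-Host "No expired self-signed SMTP certificates found."
        return
    }

    foreach ($old in $expired) {
        Write-Host ("Cloning expired cert {0} (NotAfter {1})" -f $old.Thumbprint, $old.NotAfter)

        # 1. Clone: same subject/SANs, fresh validity period, new thumbprint.
        $new = $old | New-ExchangeCertificate

        # 2. Bind the clone to SMTP explicitly rather than relying on the
        #    clone inheriting the binding.
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP

        # 3. Only now remove the expired certificate.
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    }

    # 4. Transport caches the certificate; restart it to pick up the new one.
    Restart-Service MSExchangeTransport

    # 5. Verify: every SMTP certificate should now be valid.
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
        Format-List Thumbprint, Subject, Services, NotAfter, Status
}

# --- On the Hub: renew, and keep a record of the send connectors, because
#     re-subscribing the Edge recreates the default ones. ---
Renew-SelfSignedSmtpCertificate
Get-SendConnector | Export-Clixml -Path 'C:\SendConnectors-before.xml'

# --- On the Edge: renew, then export a fresh subscription file. ---
Renew-SelfSignedSmtpCertificate
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'
# Copy C:\EdgeSubscription.xml from the Edge to the Hub (out of band).

# --- Back on the Hub: import the new file. The existing subscription is
#     overwritten; no Remove-EdgeSubscription is needed. ---
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml' `
    -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true `
    -CreateInboundSendConnector $true

# Force a sync instead of waiting for the schedule, then confirm it worked.
Start-EdgeSynchronization
Test-EdgeSynchronization

# Compare connectors against the backup and re-apply anything that was reset
# (address spaces, smart hosts, cost, source transport servers).
$before = Import-Clixml -Path 'C:\SendConnectors-before.xml'
$before | Select-Object Name, AddressSpaces, SmartHosts, Cost | Format-Table -AutoSize
Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts, Cost | Format-Table -AutoSize
```

When the cloned certificate has the same subject as the current default SMTP certificate, New-ExchangeCertificate may prompt before making the clone the default; answer yes, since the old one has expired anyway. The Export-Clixml/Import-Clixml pair is there only to give you a before/after view of the send connectors; it does not restore them, so re-create any custom address spaces or smart hosts with Set-SendConnector after the Edge has been re-subscribed.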