TLS Self-Signed Certificates in Mailbox Role
My question is regarding the following error on our MB / HT Exchange 2007 server:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Description: The STARTTLS certificate will expire soon: subject: gemini.inet.empirenow.com, hours remaining: AEBDDBF48827DBA3ED5A90AA123E61F94FC1992C. Run the New-ExchangeCertificate cmdlet to create a new certificate.

I understand one uses a series of PowerShell cmdlets to basically renew this cert. Is it quite normal for this cert to require renewal after 1yr? Are you able to renew it with a longer validity period? Or is this a 1yr cert by design?

Stephane
January 22nd, 2010 5:30pm
Hello,
The self-signed certificates issued via new-exchangecertificate do indeed expire after 12 months. If you want a longer expiration date and still want to use a self-signed certificate, you can use the "selfssl.exe" tool included with IIS 6 to generate a self-signed certificate that expires whenever you want.
Otherwise, renewal is simple:
Get-ExchangeCertificate -Thumbprint <thumbprintofcertificatetorenew> | New-ExchangeCertificate
Here is more information about the self-signed certificates in Exchange 2007: http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
Edit: Also, this is minor, but note that the Mailbox role in Exchange does not use these certificates. They are used by your Transport and Client Access servers.
January 23rd, 2010 9:16pm
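As an added example (not code from the thread or from Microsoft), the renewal pipeline above wrapped into two small Exchange Management Shell functions: one that reports certificates bound to a service that will expire within a chosen window, so you catch them before Event ID 12018 fires, and one that clones the old self-signed certificate and rebinds the same services. The function names and the 30-day threshold are my own choices; it assumes the Exchange Management Shell is loaded on a Hub Transport or Client Access server.

```powershell
# Assumption: run from the Exchange Management Shell (Exchange 2007 SP1 or later).
# Function names and the $WarnDays default are this example's own, not Exchange's.

function Get-ExpiringExchangeCertificate {
    param([int]$WarnDays = 30)   # assumption: flag anything with < 30 days left

    # Only certificates actually bound to a service (SMTP, IIS, POP, IMAP, UM)
    # matter for the 12018 warning; unused ones are left alone.
    Get-ExchangeCertificate |
        Where-Object {
            $_.Services -ne 'None' -and
            $_.NotAfter -lt (Get-Date).AddDays($WarnDays)
        } |
        Select-Object Thumbprint, Subject, Services, NotAfter,
            @{ Name = 'DaysLeft'
               Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

function Renew-SelfSignedExchangeCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $old = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if ($old -eq $null) { throw "No certificate with thumbprint $Thumbprint" }

    # Piping the old certificate into New-ExchangeCertificate clones its subject
    # and subject alternative names into a fresh self-signed certificate.
    $new = $old | New-ExchangeCertificate

    # Bind the clone to the same services the old one served. Exchange prompts
    # before replacing the default SMTP certificate; answer at the console.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services

    # Return the new certificate so the caller can verify NotAfter and Services.
    Get-ExchangeCertificate -Thumbprint $new.Thumbprint
}

# Usage: review first, then renew only what is about to lapse.
Get-ExpiringExchangeCertificate -WarnDays 30 | Format-Table -AutoSize
# Get-ExpiringExchangeCertificate | ForEach-Object {
#     Renew-SelfSignedExchangeCertificate -Thumbprint $_.Thumbprint
# }
```

Leave the old certificate in place until clients and partner servers have been seen using the new thumbprint, then remove it with Remove-ExchangeCertificate.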
That sounds really easy, but if you do this on an Edge server, your EdgeSync synchronization dies :(
The EdgeSync credential cn=***,CN=Services,CN=Configuration,CN=*** could not be decrypted by using the certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. The exception is Bad Data.
To resolve this problem, unsubscribe and resubscribe your Edge Transport server.
You will need to perform a delete-edgesubscription / new-edgesubscription routine, which makes your server bounce e-mails back to customers with undeliverable replies for about 15 minutes.
It seems there has been some improvement here with service packs, as my new certificate is suddenly valid for 5 years, but I really would like an option to make the expiration go to a more sane number like 100 years, so we don't have to deal with this anymore for the duration of the Exchange installation.
May 17th, 2010 11:27am