The STARTTLS Certificate will expire soon
We have a third-party cert on four of our Hub Transport servers that expires in 2015. It shows up fine in IIS, but I am getting these warnings in the event log.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 5/11/2009
Time: 9:02:42 AM
User: N/A
Computer: Server
Description: The STARTTLS certificate will expire soon: subject: server.domain.com, hours remaining: XXXXXXXXXXXX37DE4CCC7E9A964C. Run the New-ExchangeCertificate cmdlet to create a new certificate. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 11th, 2009 4:14pm
Hi, did you try to renew or replace it? Please look at:
http://technet.microsoft.com/en-us/library/aa998840.aspx
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=6.5.6940.0&EvtID=12018&EvtSrc=MSExchangeTransport&LCID=1033
Regards, Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
May 11th, 2009 4:27pm
Should I need to, as it is still good until 2015?
May 11th, 2009 5:27pm
Yes, as Mumin said you can renew self-signed certificates.
Also, if you have a third-party certificate, you can remove the self-signed certificate since there isn't any requirement for it...
~ Run the below command and verify that the third-party certificate is attached to IMAP, POP3, SMTP & IIS. And keep a note of the self-signed and third-party certificate thumbprints.
Get-ExchangeCertificate | FL ThumbPrint, Services, IsSelfSigned
~ If the third-party certificate is not attached to any service, attach it with the below cmdlet...
Enable-ExchangeCertificate -thumbprint "third-party cert thumbprint" -Services ServiceName
~ Remove the self-signed certificates with the below cmdlet...
Remove-ExchangeCertificate -thumbprint "self-signed cert thumbprint"
Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 11th, 2009 5:36pm
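The inventory-then-remove procedure from the answer above, as one added script for the Exchange 2007 Management Shell. It is not code from the thread. It assumes you run it on the Hub Transport server that logged event 12018, that a CA-issued certificate has already been imported there, and that 30 days is an acceptable "expiring soon" window; the function name Get-BoundServices is the script's own. It avoids PowerShell 2.0-only syntax so it also works in the PowerShell 1.0 shell that Exchange 2007 ships with. The point a practitioner needs to check before removing anything is the one the thread circles around: event 12018 is about the certificate SMTP uses for STARTTLS, and a third-party certificate bound only to IIS has not replaced that.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell on the
# Hub Transport server that logged event 12018. Assumes a CA-issued certificate is already
# imported on this server and that 30 days is the "expiring soon" window.

$warnDays = 30

function Get-BoundServices($cert) {
    # Services is a flags enum that prints as "IMAP, POP, IIS, SMTP"; return it as a clean array.
    $cert.Services.ToString().Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne 'None' }
}

# 1. Everything Exchange knows about, soonest expiry first.
$exCerts = @(Get-ExchangeCertificate | Sort-Object NotAfter)
$exCerts | Format-Table Thumbprint, IsSelfSigned, NotAfter, Services, Subject -AutoSize

# 2. Certificates in the machine store that Exchange does NOT list (the poster's IIS-only
#    certificate). A certificate that shows up here is worth checking for its store location
#    and whether it has a usable private key before anything else is removed.
$exThumbs = $exCerts | ForEach-Object { $_.Thumbprint }
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $exThumbs -notcontains $_.Thumbprint } |
    ForEach-Object { Write-Warning ("In LocalMachine\My but not returned by Get-ExchangeCertificate: {0} ({1})" -f $_.Thumbprint, $_.Subject) }

# 3. Self-signed certificates inside the warning window. On a Hub Transport whose CA certificate
#    is bound only to IIS, these are the STARTTLS certificates that event 12018 is warning about.
$expiring = @($exCerts | Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt (Get-Date).AddDays($warnDays) })

# 4. The CA-issued certificate that should take over the bindings. Transport selects the STARTTLS
#    certificate by matching the connector FQDN against the certificate names, so it must contain
#    this server's FQDN or SMTP will keep falling back to the self-signed one.
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$thirdParty = @($exCerts | Where-Object { -not $_.IsSelfSigned } | Sort-Object NotAfter -Descending)[0]
if (-not $thirdParty) { throw 'No CA-issued certificate is visible to Exchange; import it before removing anything.' }
if ($thirdParty.CertificateDomains -notcontains $serverFqdn) {
    Write-Warning ("{0} does not contain {1}; SMTP on the default connectors will keep using the self-signed certificate." -f $thirdParty.Thumbprint, $serverFqdn)
}

foreach ($old in $expiring) {
    $newServices = @(Get-BoundServices $thirdParty)
    $uncovered   = @(Get-BoundServices $old | Where-Object { $newServices -notcontains $_ })
    if ($uncovered.Count -gt 0) {
        # Move the bindings first: SMTP must never be left without a certificate.
        $list = [string]::Join(',', $uncovered)
        Write-Host ("Enabling {0} for {1}" -f $thirdParty.Thumbprint, $list)
        Enable-ExchangeCertificate -Thumbprint $thirdParty.Thumbprint -Services $list
    }
    Write-Host ("Removing self-signed {0}, expires {1}" -f $old.Thumbprint, $old.NotAfter)
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
}
```

Remove-ExchangeCertificate is left with its default confirmation prompt on purpose; the script moves every service binding to the CA certificate before it gets there, but the prompt is the last chance to notice that step 4 warned about a missing server FQDN.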
My third-party certificate that is assigned to IIS is not showing in Get-ExchangeCertificate.
May 11th, 2009 10:54pm
Hi, try to import your third-party certificate into IIS. Open IIS, then go to the properties of the Default Web Site. On the Directory Security tab - Secure Communications - Server Certificate, follow the wizard... then run the Get-ExchangeCertificate command again.
Regards, Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
May 11th, 2009 11:18pm
That is how I added it initially.
May 12th, 2009 3:35am
LKeneston,
I hope you have a SAN certificate with the below names.
~ mail.domain.com
~ autodiscover.domain.com
~ servername.domain.com
~ servername
Then import it with the Import-ExchangeCertificate cmdlet. I have seen a good article with a full to-do list which helps you to import and configure an Exchange certificate...
Exchange 2007 and SSL Certificates - Take 2
http://blog.sembee.co.uk/archive/2008/05/30/78.aspx
Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 12th, 2009 7:56am
I am not sure what you mean; my cert is server.domain.com. Thanks,
May 12th, 2009 1:52pm
Exchange 2007 requires all these names in a Subject Alternative Names (SAN) certificate to cover all Exchange services under SSL. If your certificate has only one name, as you mentioned, then the other services are covered by the self-signed certificate, and you need to renew that every year...
Exchange Server 2007: Renewing the self-signed certificate
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 12th, 2009 2:21pm
How would I create the request for a SAN cert from the Exchange server?
May 13th, 2009 4:25pm
Hi, please follow this:
Step 1: Obtain an SSL certificate
There are three ways to obtain a Secure Sockets Layer (SSL) certificate:
- Option 1: Use the self-signed SSL certificate that Exchange 2007 installs by default. Use of the self-signed certificate is not supported by Outlook Anywhere or the offline address book.
- Option 2: Purchase an SSL certificate from a well-known certification authority (CA).
- Option 3: Obtain an SSL certificate from a Windows PKI certification authority.
If you choose Option 1, skip steps 2 and 3 and go straight to step 4.
If you choose Option 2 or Option 3, go straight to step 2.
Note: For all three options, Exchange ActiveSync will require the device to have a copy of the SSL certificate installed in the Trusted Root Certificate Store.
Step 2: Generate and submit the certificate request
Create a new certificate request for Secure Sockets Layer (SSL) services.
1. Open the Exchange Management Shell.
2. Run the following command, replacing domainname and friendlyname with your domain name and display name:
New-ExchangeCertificate -GenerateRequest -domainname mail.contoso.msft,autodiscover.contoso.msft,myserver,myserver.internal.contoso.msft -FriendlyName mail.contoso.msft -privatekeyexportable:$true -path c:\cert_myserver.txt
Note: "DomainName" is used to populate one or more domain names (FQDNs) or server names in the resulting certificate request.
Note: "FriendlyName" is used to specify a display name for the resulting certificate. The display name must be fewer than 64 characters.
3. Submit the request to the certification authority and have the CA generate the certificate.
Step 3: Enable the certificate on the Default Web site
After your certificate has been generated, you must import it and then enable the certificate on the Default Web site.
From the computer where step 2 was run, import the certificate. To import the certificate, do the following:
1. Open the Exchange Management Shell.
2. Run the following command: Import-ExchangeCertificate -path c:\newcert.cer
Note: "c:\newcert.cer" is the location and name of your certificate.
Copy the thumbprint of the certificate, which is the digest of the certificate data, to the clipboard by doing the following:
1. Open the Exchange Management Shell.
2. Run the following command: dir cert:\LocalMachine\My | fl
3. Locate the certificate that you just imported by finding the one that matches FriendlyName from step 2. Then copy the Thumbprint property of that certificate to the Windows Clipboard.
Enable the certificate on the Default Web site by doing the following:
1. Open the Exchange Management Shell.
2. Run the following command: enable-ExchangeCertificate -thumbprint <value copied to the Clipboard> -services "IIS,IMAP,POP"
3. Using the "enable-ExchangeCertificate" cmdlet will update the certificate mapping, replacing the self-signed certificate that is installed by default with Exchange 2007 and configured in IIS, IMAP4, POP3.
Step 4: Require the Client Access server virtual directories to use SSL
By default, the Default Web site in IIS is configured to require SSL for all virtual directories except the offline address book virtual directory. However, you can configure additional virtual directories for each Client Access feature. You must confirm that each virtual directory is configured to require SSL. The Client Access virtual directories are as follows:
- Outlook Web Access 2007 virtual directory: owa
- Outlook Web Access 2003 and WebDAV virtual directories: exchange and public
- Exchange ActiveSync virtual directory: Microsoft-Server-ActiveSync
- Outlook Anywhere virtual directory: Rpc
- Autodiscover virtual directory: Autodiscover
- Exchange Web Services virtual directory: EWS
- Unified Messaging virtual directory: Unified Messaging
- Offline Address Book virtual directory: OAB
For each of the Client Access virtual directories that you will use, open Internet Information Services (IIS) Manager, and follow these steps:
1. Under Default Web site, select the virtual directory that you want, for example, "owa".
2. Right-click the virtual directory, and then click "Properties".
3. Click the "Directory Security" tab.
4. In the "Secure Communications" section, click "Edit".
5. In the "Secure Communications" dialog box, make sure that both the "Require secure channel (SSL)" check box and the "Require 128-bit encryption" check box are selected.
6. Click "OK" to save your changes.
7. Restart the POP3 and IMAP4 services by opening the Services Windows administrative tool, selecting "Microsoft Exchange POP3" or "Microsoft Exchange IMAP4", right-clicking the name of the service, and then clicking "Restart". IIS does not have to be restarted.
Read more about SSL on the Client Access server
- Managing Client Access Security
You can also find this in the Exchange Management Console: open EMC, click the Exchange server, then Finalize Deployment - Configure SSL for your Client Access Server.
Regards, Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
May 13th, 2009 4:44pm
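Steps 2 through 4 of the procedure above, carried through as one added Exchange 2007 Management Shell script. This is not code from the thread or from the Microsoft procedure quoted in the post. The names (mail.contoso.com, autodiscover.contoso.com, the O= and C= values), the 2048-bit key size, the C:\certs paths and the function names New-ExchangeSanRequest, Complete-ExchangeSanCertificate and Test-ExchangeSanCertificate are all placeholders or the script's own; the IIS check assumes the Default Web Site is metabase site ID 1. Two things differ from the quoted procedure on purpose: the SAN list is built from the server's real FQDN and NetBIOS name rather than typed by hand, and SMTP is bound along with IIS, POP and IMAP, because the original poster's problem is exactly that the third-party certificate was never bound to SMTP.

```powershell
# Added example, not from the thread or the quoted Microsoft procedure. Exchange 2007
# Management Shell on the Client Access / Hub Transport server that will hold the private key.
# Placeholders to change: contoso.com names, O=/C= values, key size, C:\certs paths.

$publicName   = 'mail.contoso.com'
$autodiscover = 'autodiscover.contoso.com'
$serverFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverName   = $env:COMPUTERNAME
$sanNames     = @($publicName, $autodiscover, $serverFqdn, $serverName) | Select-Object -Unique
$services     = @('IIS', 'POP', 'IMAP', 'SMTP')

# Step 2: one request whose Subject Alternative Name extension carries every name that clients
# and other Exchange servers connect to. The CN is the public name; -DomainName fills the SAN list.
function New-ExchangeSanRequest([string]$RequestFile) {
    New-ExchangeCertificate -GenerateRequest `
        -SubjectName "CN=$publicName, O=Contoso, C=US" `
        -DomainName $sanNames `
        -FriendlyName $publicName `
        -PrivateKeyExportable:$true `
        -KeySize 2048 `
        -Path $RequestFile
    "Submit $RequestFile to the CA, then run Complete-ExchangeSanCertificate with the issued file."
}

# Step 3: import on the same server (the private key created in step 2 lives here) and bind
# services. SMTP is included: a certificate bound only to IIS leaves the self-signed certificate
# doing STARTTLS, which is what event 12018 reports on.
function Complete-ExchangeSanCertificate([string]$IssuedFile) {
    $cert = Import-ExchangeCertificate -Path $IssuedFile
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ([string]::Join(',', $services))
    Test-ExchangeSanCertificate $cert.Thumbprint
}

# Verification: every SAN name present, every service bound, and (step 4) SSL required on the
# Client Access virtual directories under the Default Web Site (assumed to be site ID 1).
function Test-ExchangeSanCertificate([string]$Thumbprint) {
    $cert     = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $problems = @()
    foreach ($n in $sanNames) {
        if ($cert.CertificateDomains -notcontains $n) { $problems += "name missing from certificate: $n" }
    }
    $bound = $cert.Services.ToString()
    foreach ($s in $services) {
        if ($bound -notmatch "\b$s\b") { $problems += "service not bound: $s" }
    }
    foreach ($vdir in 'owa', 'Microsoft-Server-ActiveSync', 'Rpc', 'Autodiscover', 'EWS', 'OAB') {
        $setting = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting `
                       -Filter "Name='W3SVC/1/ROOT/$vdir'"
        if ($setting -and -not ($setting.AccessSSL -and $setting.AccessSSL128)) {
            $problems += "SSL (128-bit) not required on /$vdir"
        }
    }
    if ($problems.Count -eq 0) { "OK: $Thumbprint covers $sanNames and is bound for $bound" } else { $problems }
}

# Usage, in two sittings because of the CA round trip:
#   New-ExchangeSanRequest 'C:\certs\ex01-request.txt'
#   ...submit the request file to the CA, save the issued certificate...
#   Complete-ExchangeSanCertificate 'C:\certs\ex01-issued.cer'
```

Test-ExchangeSanCertificate can also be pointed at an existing certificate's thumbprint on its own, which is a quick way to see whether a certificate that "shows up fine in IIS" actually carries the server FQDN and the SMTP binding.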
You need to use New-ExchangeCertificate to create a SAN request, once it is created you can submit to CA and once it is back you can import it to Exchange...
You can refer to the below article or the DigiCert certificate creation wizard for the syntax of New-ExchangeCertificate....
Managing Exchange certificates (Part 3)
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-certificates-part3.html
https://www.digicert.com/easy-csr/exchange2007.htm
Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
May 13th, 2009 4:49pm
Awesome, thank you guys.
May 13th, 2009 6:44pm
Hi, I am getting the below alert on a Hub Transport server:
The STARTTLS certificate will expire soon: subject:%1, hours remaining: %2. Run the New-ExchangeCertificate cmdlet to create a new certificate
I have installed a third-party certificate on the CAS server; it expires in 2011 and is working fine with no issues. I don't find the self-signed cert on the hub servers, but still it throws the alert in the event logs. Do we need one self-signed certificate on the hub servers for normal mail flow on the SMTP service?
Regards, Krishna
http://smtpport25.wordpress.com
June 17th, 2009 3:55pm
Hi, I was not able to find the certificate with Get-ExchangeCertificate and managed to find the server certificates in IIS Manager.
New-ExchangeCertificate -PrivateKeyExportable $TRUE -SubjectName "CN=servername" -DomainName FQDNservername | Enable-ExchangeCertificate -Services SMTP
Created a new self-signed certificate and made it the default with the above command.
Regards, Krishna
http://smtpport25.wordpress.com
June 17th, 2009 5:00pm
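Both the original poster and Krishna end up asking the same question from different directions: which certificate is the Hub Transport actually presenting on port 25? Neither IIS Manager nor Get-ExchangeCertificate answers that; the server does. The added probe below, which is not code from the thread, opens an SMTP session, checks whether STARTTLS is advertised in the EHLO reply, negotiates TLS and returns the certificate the server sent, so it can be compared against the thumbprints from Get-ExchangeCertificate. It needs PowerShell 2.0 or later for the scriptblock-to-delegate conversion used in the validation callback, so run it from an administrator's workstation rather than from a PowerShell 1.0 Exchange shell; the hostname hub01.corp.contoso.com and the function name Get-StartTlsCertificate are placeholders. The callback accepts any certificate because the goal is to inspect what the server presents, not to trust it.

```powershell
# Added example, not from the thread. Requires PowerShell 2.0+ (scriptblock used as a
# RemoteCertificateValidationCallback). Server name and port below are placeholders.
function Get-StartTlsCertificate([string]$Server, [int]$Port = 25) {
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $client.ReceiveTimeout = 10000
    $net    = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($net)
    $writer = New-Object System.IO.StreamWriter($net)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # One SMTP reply is one or more lines; continuation lines have '-' as the 4th character.
    $readReply = {
        $lines = @()
        do { $l = $reader.ReadLine(); $lines += $l } while ($l -and $l.Length -gt 3 -and $l[3] -eq '-')
        $lines
    }

    $result = '' | Select-Object Server, StartTlsOffered, Subject, Issuer, NotAfter, Thumbprint, Names
    $result.Server = $Server
    try {
        [void](& $readReply)                                   # 220 banner
        $writer.WriteLine('EHLO probe.example.invalid')
        $ehlo = & $readReply
        $result.StartTlsOffered = [bool]($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS' })
        if (-not $result.StartTlsOffered) { $writer.WriteLine('QUIT'); return $result }

        $writer.WriteLine('STARTTLS')
        $go = & $readReply
        if ($go[0] -notmatch '^220') { throw "STARTTLS refused: $($go -join ' ')" }

        # Accept whatever the server sends; this probe inspects the certificate, it does not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = New-Object System.Net.Security.SslStream($net, $false, $accept)
        $tls.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)

        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.NotAfter   = $cert.NotAfter
        $result.Thumbprint = $cert.Thumbprint
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($san) { $result.Names = $san.Format($false) }   # e.g. "DNS Name=mail.contoso.com, DNS Name=hub01..."

        $tlsWriter = New-Object System.IO.StreamWriter($tls)
        $tlsWriter.Write("QUIT`r`n"); $tlsWriter.Flush()
    } finally {
        $client.Close()
    }
    $result
}

Get-StartTlsCertificate 'hub01.corp.contoso.com' | Format-List
```

Reading the result: a Subject equal to the Issuer is the Exchange self-signed certificate, whatever is bound in IIS; a Thumbprint that matches the third-party entry in Get-ExchangeCertificate confirms the SMTP binding took; and NotAfter is the date event 12018 is counting down to. If StartTlsOffered comes back false after a self-signed certificate was removed, the remaining certificate does not match the connector FQDN and Transport has stopped advertising STARTTLS on that connector.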