The STARTTLS certificate will expire soon
I see this sort of question has been asked before but my situation is different: I am getting the event 12018 with cert thumb E97...EED with expiration date of 3-23-2011.

Run

Get-ExchangeCertificate -Thumbprint "E97...EED" | New-ExchangeCertificate

Which gives me:

WARNING: This certificate will not be used for external TLS connections with an FQDN of 'ECMsg.eisenhowerlaw.com' because the CA-signed certificate with thumbprint 'E8803...E9D55' takes precedence. The following connectors match that FQDN: Default ECMSG, Client ECMSG.
Confirm
Overwrite existing default SMTP certificate, '885...7827' (expires 3/1/2015 11:45:39 AM), with certificate '1DC...9A2B' (expires 3/3/2016 1:18:20 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

Question is why does it want to overwrite "1DC...9A2B" and not the one showing the error "E97...EED"?

"E97...EED" shows IMAP, POP, IIS, SMTP
"1DC...9A2B" shows IMAP, POP and SMTP

Thanks, Bob
March 3rd, 2011 4:40pm

Do both certificates cover the same FQDN(s)? If so, just remove the old one. Multiple SSL certificates are a pain to manage and I try to avoid them where possible.

Simon.
Simon Butler, Exchange MVP
March 3rd, 2011 6:02pm

Thanks for your reply. Obviously my primary concern is that if I remove the cert it will break some stuff. Here is a bunch more info.

Thanks, Bob

The "Certificate Domains" are shown on both as {ECMsg, ECMsg.domain.com}. Both are self-signed. The Exchange server is not using an Edge server. The Send connector does not have "Enable Domain Security (Mutual Auth TLS)" checked. The Receive connector does have "Offer basic authentication only after starting TLS" checked, but "Enable Domain Security (Mutual Auth TLS)" is not checked. OWA/ActiveSync is set at the TMG server with a cert from Thawte good through 2012. The traffic goes to Exchange via SSL and the cert on IIS is an internal cert good through 2015.
March 3rd, 2011 7:07pm

Hi Osmeum,

Could you please use get-exchangecertificate and post the issue here? We could confirm which one could be removed, and which one to use as a template to renew one. If we renew one, it would not affect the users' usage.

Regards!
Gavin
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
March 4th, 2011 5:26am

Thank you for your time. Please note that we are running a split domain with domain.com internal as well as domain.com external. My guess is they are quite a mess as this domain has been through a domain rename (years ago) and most recently a removal of "Essential Business Server". ECMSG is the Exchange 2007 server and is currently a DC (per EBS which is no longer installed).

Thanks
Bob

"get-exchangecertificate" yields:

Thumbprint                                 Services  Subject
----------                                 --------  -------
1DC4740FCDD8A0859B3DF0C0B3929E2B71909A2B   IP..S     CN=ECMsg
D7A91D6B2BABD60BDC5AE89375F489CF5B909023   IP..S     CN=ECMsg
E8803EC42EDB48AC4DA9ADAD6BFFDBBA1CFE9D55   .....     CN=ECMsg.domain.com
885FE1532BDCBBA9FB0E9153EA9A61801FD87827   IP.WS     CN=ECMsg
F3314A9C5D49D8418EF0E479FC1249CCC75D3027   .....     CN=HQ.domain.com...
E976794FB51E76CA29C35AA015EF0F9D8A31AEED   IP..S     CN=ECMsg
9E13C8627F43D1B02C539541B00D518A9F9FFCEE   .....     CN=WMSvc-ECMSG
1D0295A334B8D3C65A03F928ACAA1EBBD6FDA606   IP..S     CN=ECMsg
7A2264A61566EB9C310F70AC8087BB239CABCE22   IP..S     CN=ECMsg

"Get-ExchangeCertificate -domain "ECMsg.domain.com" | fl" yields:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=George and Fred
NotAfter           : 12/28/2011 11:24:38 PM
NotBefore          : 12/28/2010 11:24:38 PM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 19C1084800000000001B
Services           : None
Status             : Valid
Subject            : CN=ECMsg.Domain.com
Thumbprint         : E8803EC42EDB48AC4DA9ADAD6BFFDBBA1CFE9D55

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg, ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ECMsg
NotAfter           : 3/3/2016 1:18:20 PM
NotBefore          : 3/3/2011 1:18:20 PM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 744C048E9713B9814A7ED2DCD7EF1065
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=ECMsg
Thumbprint         : 1DC4740FCDD8A0859B3DF0C0B3929E2B71909A2B

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg, ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ECMsg
NotAfter           : 2/25/2016 1:55:01 PM
NotBefore          : 2/25/2011 1:55:01 PM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 3807088265B1318F46EE7BA7BBC4E79F
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=ECMsg
Thumbprint         : D7A91D6B2BABD60BDC5AE89375F489CF5B909023

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg, ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ECMsg
NotAfter           : 3/1/2015 11:45:39 AM
NotBefore          : 3/1/2010 11:45:39 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 572CCA699117E3A44410D99E2EAF5077
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=ECMsg
Thumbprint         : 885FE1532BDCBBA9FB0E9153EA9A61801FD87827

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg, ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=George and Fred
NotAfter           : 3/23/2011 11:11:09 AM
NotBefore          : 3/23/2009 11:11:09 AM
PublicKeySize      : 1024
RootCAType         : Enterprise
SerialNumber       : 26F34B5E000000000008
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=ECMsg
Thumbprint         : E976794FB51E76CA29C35AA015EF0F9D8A31AEED

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg, ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=George and Fred
NotAfter           : 5/3/2010 2:04:55 PM
NotBefore          : 5/3/2008 2:04:55 PM
PublicKeySize      : 1024
RootCAType         : Enterprise
SerialNumber       : 12374A92000000000008
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=ECMsg
Thumbprint         : 1D0295A334B8D3C65A03F928ACAA1EBBD6FDA606

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg, ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ECMsg
NotAfter           : 5/3/2009 2:04:39 PM
NotBefore          : 5/3/2008 2:04:39 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 8953F15300E5FBA04532892E3CB9EFE5
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=ECMsg
Thumbprint         : 7A2264A61566EB9C310F70AC8087BB239CABCE22
March 4th, 2011 11:25am

Hi Osm3um,

Per below information:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ECMsg, ECMsg.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=George and Fred
NotAfter           : 3/23/2011 11:11:09 AM
NotBefore          : 3/23/2009 11:11:09 AM
PublicKeySize      : 1024
RootCAType         : Enterprise
SerialNumber       : 26F34B5E000000000008
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=ECMsg
Thumbprint         : E976794FB51E76CA29C35AA015EF0F9D8A31AEED

The cert is not self-signed; it was assigned for the services IMAP, POP and SMTP. So I would suggest that you could renew one from the CA.

Regards!
Gavin
March 6th, 2011 10:01pm

I substituted "george and fred" in for the actual verbiage, which is our business name. The only one that I am aware of from an outside source is hq.domain.com from Thawte, F3314A9C5D49D8418EF0E479FC1249CCC75D3027. Please notice that the original event does not reference this cert, but a different one expiring on 3-23-2011. My guess is there is a mess because this domain was an "Essential Business Server" network until recently. It sounds as if it might be wise to get a PSS case open?

Bob
March 8th, 2011 9:40am

Hi Bob,

If you want to open a ticket, it is a good idea. Hope to get an update from you!

Other tips regarding your issue. I would suggest that you could use get-exchangecertificate | fl to list all the certificates that you have issued, then confirm which certs you do not need, and delete them. Per your description, there are some self-signed and CA-signed certs; as far as I know, the service would choose the CA-signed cert over the self-signed cert, and the service would choose one cert to use according to many elements of the cert. As we know, it is not recommended to keep so many certs. Next, we could check which cert was assigned for which service (SMTP, TLS, IMAP, POP); we should assign one cert for one service, without any conflict. Next, if the cert was shown as expired in the event, we could confirm it through the thumbprint, and we could renew one.

Regards!
Gavin
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
March 9th, 2011 1:40am
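The thread's warning ("the CA-signed certificate ... takes precedence") and the advice to list the certificates and decide which to keep are easier to act on with a script that ranks the candidates for one connector FQDN and flags near-expiry. The following is an added example, not code from the thread or from Microsoft: the function name Select-SmtpTlsCandidate is made up, the sample records are constructed from the values posted above (dates as posted, times dropped), and the tie-break after "CA-signed first" (latest NotAfter wins) is this script's own assumption rather than documented Exchange behaviour.

```powershell
# Added example (not from the thread): rank the certificates that could serve SMTP TLS on one
# FQDN, CA-signed before self-signed as the thread's warning states, and flag near-expiry ones.
# ASSUMPTION: the secondary ordering (latest NotAfter first) is this script's own choice.
function Select-SmtpTlsCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Certificates,
        [Parameter(Mandatory)] [string]   $Fqdn,
        [datetime] $Now = (Get-Date),
        [int]      $WarnDays = 30
    )
    $Certificates |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $Now -and $_.NotAfter -gt $Now -and   # drop expired / not yet valid
            ($_.CertificateDomains -contains $Fqdn)                # must cover the connector FQDN
        } |
        Sort-Object @{ Expression = 'IsSelfSigned'; Ascending = $true },   # $false (CA-signed) first
                    @{ Expression = 'NotAfter';     Descending = $true } |
        Select-Object Thumbprint, IsSelfSigned, Services, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $Now).TotalDays } },
            @{ Name = 'Expiring'; Expression = { ($_.NotAfter - $Now).TotalDays -le $WarnDays } }
}

# Constructed sample set, copied from the get-exchangecertificate output posted in the thread.
# On a live server replace it with:  $certs = Get-ExchangeCertificate
$certs = @(
    [pscustomobject]@{ Thumbprint='E8803EC42EDB48AC4DA9ADAD6BFFDBBA1CFE9D55'; CertificateDomains=@('ECMsg.domain.com');         IsSelfSigned=$false; HasPrivateKey=$true; NotBefore=[datetime]'2010-12-28'; NotAfter=[datetime]'2011-12-28'; Services='None' }
    [pscustomobject]@{ Thumbprint='1DC4740FCDD8A0859B3DF0C0B3929E2B71909A2B'; CertificateDomains=@('ECMsg','ECMsg.domain.com'); IsSelfSigned=$true;  HasPrivateKey=$true; NotBefore=[datetime]'2011-03-03'; NotAfter=[datetime]'2016-03-03'; Services='IMAP, POP, SMTP' }
    [pscustomobject]@{ Thumbprint='885FE1532BDCBBA9FB0E9153EA9A61801FD87827'; CertificateDomains=@('ECMsg','ECMsg.domain.com'); IsSelfSigned=$true;  HasPrivateKey=$true; NotBefore=[datetime]'2010-03-01'; NotAfter=[datetime]'2015-03-01'; Services='IMAP, POP, IIS, SMTP' }
    [pscustomobject]@{ Thumbprint='E976794FB51E76CA29C35AA015EF0F9D8A31AEED'; CertificateDomains=@('ECMsg','ECMsg.domain.com'); IsSelfSigned=$false; HasPrivateKey=$true; NotBefore=[datetime]'2009-03-23'; NotAfter=[datetime]'2011-03-23'; Services='IMAP, POP, SMTP' }
    [pscustomobject]@{ Thumbprint='1D0295A334B8D3C65A03F928ACAA1EBBD6FDA606'; CertificateDomains=@('ECMsg','ECMsg.domain.com'); IsSelfSigned=$false; HasPrivateKey=$true; NotBefore=[datetime]'2008-05-03'; NotAfter=[datetime]'2010-05-03'; Services='IMAP, POP, SMTP' }
)

# Evaluate as of the day the output was posted (4 March 2011) so the result is reproducible.
$asOf = [datetime]'2011-03-04'
Select-SmtpTlsCandidate -Certificates $certs -Fqdn 'ECMsg.domain.com' -Now $asOf | Format-Table -AutoSize
```

With the posted values as of 4 March 2011 the CA-signed E880... certificate sorts first and E976... is flagged as expiring, which lines up with both the warning and the 12018 event in the thread; the already-expired 1D02... is dropped before ranking.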
