Event ID 12017: An internal transport certificate will expire soon.
The thumbprint of the certificate referenced in the application event log error begins with 18A7. It will expire on 5/19/12.
I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.
A few questions: Do I update the 18A7 certificate only, as the A3BF appears to be a duplicate, and allow that one to expire? The second one is coming due on 5/11/12, but I never got an expiration notice in the event log.
How would I go about properly renewing the 18A7 certificate? I don't want to fat-finger something and break the e-mail system.
Do I just run the following to renew the 18A7 certificate?
"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP"
Do I need to remove the expiring certificate as well before I enable the new one?
Thanks, Andrew
From the Exchange 2007 management console, I executed:
get-ExchangeCertificate | list
Below is a snippet of the output:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=xyz-xyz123-CA
NotAfter : 5/19/2012 10:58:54 PM
NotBefore : 5/20/2010 10:58:54 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=xyz-xyz123-CA
NotAfter : 5/11/2012 10:48:44 PM
NotBefore : 5/12/2010 10:48:44 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 610Bxxxxxxxxxxxxxxxxxxx
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 24th, 2012 11:21pm
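As an added example (not part of the original post or of any reply in this thread): a PowerShell audit, run in the Exchange 2007 Management Shell, that lists every certificate bound to an Exchange service with its days to expiry and flags duplicate pairs such as the two CN=Sites certificates above. The 30-day warning window and the requirement for PowerShell 2.0 or later are assumptions of this example, not something the thread states.

```powershell
# Added example, not from the original thread. Run in the Exchange 2007 Management Shell.
# Assumes PowerShell 2.0 or later (for -join and New-Object -Property).
$WarnDays = 30          # assumption: warn on anything expiring within 30 days
$now = Get-Date

# Only certificates that are bound to a service and hold a private key matter here;
# unbound certificates sitting in the store do not serve any Exchange protocol.
$bound = Get-ExchangeCertificate | Where-Object { $_.HasPrivateKey -and $_.Services -ne 'None' }

$report = foreach ($c in $bound) {
    $daysLeft = [int][math]::Floor(($c.NotAfter - $now).TotalDays)
    if ($daysLeft -lt 0)             { $state = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $state = 'EXPIRING' }
    else                             { $state = 'OK' }

    New-Object PSObject -Property @{
        State      = $state
        DaysLeft   = $daysLeft
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        SelfSigned = $c.IsSelfSigned
        RootCAType = $c.RootCAType
        Services   = $c.Services
        Domains    = ($c.CertificateDomains | ForEach-Object { $_.ToString() }) -join ', '
        NotAfter   = $c.NotAfter
    }
}

$report | Sort-Object NotAfter |
    Format-Table State, DaysLeft, NotAfter, Thumbprint, Subject, Issuer, SelfSigned, Services -AutoSize

# Two certificates with the same subject and domain list bound to the same services
# (the 18A7 and AB3F pair in the thread) are functional duplicates. Exchange presents
# one certificate per name and service, so a single renewed certificate covering the
# same names is normally all that is needed; flag such groups so they get consolidated.
$report | Group-Object Subject, Domains | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $prints = ($_.Group | ForEach-Object { $_.Thumbprint }) -join ', '
    Write-Warning ("{0} certificates share subject/domains [{1}]: {2}" -f $_.Count, $_.Name, $prints)
}

# Anything EXPIRING or EXPIRED needs replacing before NotAfter, not after the 12017 event
# turns into failed TLS sessions.
$report | Where-Object { $_.State -ne 'OK' } | ForEach-Object {
    Write-Warning ("{0}: {1} ({2} days left)" -f $_.State, $_.Thumbprint, $_.DaysLeft)
}
```

The SelfSigned and RootCAType columns are there deliberately: a renewed certificate that shows IsSelfSigned True and RootCAType None is not trusted by anything that has not been told to trust it, which is the distinction worth checking before the old certificate is removed.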
On Wed, 25 Apr 2012 03:21:07 +0000, exchange 2007 user wrote:
>The thumbprint certificate referenced in the application error event log begins with 18A7. It will expire on 5/19/12.
>I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.
>Few questions: Do I update the 18A7 certificate only as the A3BF appears to be a duplicate and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.
>How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something break the e-mail system.
>Do I just run the following to renew the 18A7 certificate?
Both certificates will expire in May of 2012. Using either of them
will produce the same warning. You need a new certificate that expires
in, say, two years' time.
>"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP"
>Do I need to remove the expiring certificate as well before I enable the new one?
No, but it's pointless to keep expired certificates in the server's
certificate store. After you install a new certificate and enable it
for use by Exchange you can remove the expired certs.
---
Rich Matheisen
MCSE+I, Exchange MVP
April 24th, 2012 11:31pm
Thanks for your reply Rich.
So in summary, to correct this problem I plan on implementing the following commands. Is the sequence of commands correct?
1. Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP
2. Get-ExchangeCertificate | fl (to grab the thumbprint of the newly generated certificate)
3. Enable-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Services IMAP,POP,SMTP
4. Remove-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxx
5. (restart the Microsoft Exchange Transport service)
Repeat steps 1-5 for the second certificate, thumbprint AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks in advance,
Andrew
April 25th, 2012 11:38pm
On Thu, 26 Apr 2012 03:38:39 +0000, exchange 2007 user wrote:
>Thanks for your reply Rich.
>So in summary, to correct this problem I plan on implement the following commands. Are the sequence of commands correct?
What CA issued your certificate? The information you provided says:
.. Issuer : CN=xyz-xyz123-CA
Is that YOUR CA? Or is it a commercial CA? If it's your own, just
create a new certificate request and use it to create a new cert.
Import that and activate it.
---
Rich Matheisen
MCSE+I, Exchange MVP
April 26th, 2012 7:47pm
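The procedure Rich describes for a private CA (generate a request, have the CA issue the certificate, import it, activate it), written out as an added example that is not from the thread or from Rich. Note that the pipeline form posted earlier (Get-ExchangeCertificate | New-ExchangeCertificate) produces a self-signed clone, which is what the later output in this thread shows (IsSelfSigned True, RootCAType None); the script below instead obtains a CA-issued certificate and checks that before retiring the old one. The CA config string, template name, file paths, the full 18A7 thumbprint and the NetBIOS name are placeholders assumed for this example; it is meant to be run in the Exchange 2007 Management Shell on the Hub Transport server with PowerShell 2.0 or later.

```powershell
# Added example, not from the original thread or from Rich's replies.
# Renews an expiring Exchange 2007 transport certificate with one issued by your own
# Windows enterprise CA, binds it, verifies it, and only then retires the old one.
# Run in the Exchange Management Shell on the Hub Transport server as a local administrator.
# Placeholders (assumptions, not values from the thread): the CA config string, the
# certificate template name, the file paths, the NetBIOS name and the full thumbprint.

$OldThumbprint = '18A7XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'   # expiring certificate to replace
$Fqdn     = 'xyz123.xyz.local'                # name from the thread's CertificateDomains
$Short    = 'xyz123'                          # assumption: NetBIOS name internal clients use
$CaConfig = 'ca01.xyz.local\xyz-xyz123-CA'    # assumption: "<CA host>\<CA common name>"
$Template = 'WebServer'                       # assumption: a server-authentication template
$ReqFile  = 'C:\certs\exchange.req'
$CerFile  = 'C:\certs\exchange.cer'

# 1. Confirm the target really is the bound, expiring certificate before touching anything.
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
"Replacing {0} (Subject={1}, NotAfter={2}, Services={3})" -f $old.Thumbprint, $old.Subject, $old.NotAfter, $old.Services

# 2. Generate a CSR. The private key is created in the local machine store and never
#    leaves the server; only the request file goes to the CA. Cover every name the
#    server is reached by so SMTP TLS and the client protocols match on hostname.
New-ExchangeCertificate -GenerateRequest -Path $ReqFile -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "CN=$Fqdn" -DomainName $Fqdn, $Short `
    -FriendlyName "Exchange $Fqdn (renewed $(Get-Date -Format yyyy-MM-dd))"

# 3. Submit the request to the enterprise CA and retrieve the issued certificate.
#    certreq.exe ships with Windows; a non-zero exit code means the CA refused or held it.
certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $ReqFile $CerFile
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE; the old certificate is untouched." }

# 4. Import the issued certificate (it pairs with the pending request's private key) and bind it.
$new = Import-ExchangeCertificate -Path $CerFile
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IMAP,POP,SMTP

# 5. Verify before removing anything: the new certificate must be CA-issued rather than
#    self-signed, chain to a trusted root, carry the expected name, and be bound to SMTP.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.IsSelfSigned -or $check.RootCAType -eq 'None') {
    throw "New certificate is self-signed or has no trusted root (RootCAType=$($check.RootCAType)); keeping the old one."
}
if (-not ($check.CertificateDomains | Where-Object { $_.ToString() -eq $Fqdn })) {
    throw "New certificate does not cover $Fqdn; keeping the old one."
}
if ($check.Services -notmatch 'SMTP') { throw "New certificate is not bound to SMTP; keeping the old one." }

# 6. Only now retire the old certificate and restart transport so new sessions use the new key.
Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false
Restart-Service MSExchangeTransport
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Issuer, IsSelfSigned, RootCAType, NotAfter, Services
```

Every throw in step 5 happens before Remove-ExchangeCertificate runs, so a failed renewal leaves the server exactly as it was, still warning with Event ID 12017 but still serving mail. Step 4 binds the new certificate while the old one is still present, which is the order Rich gives: install and enable first, remove the old certificate afterwards.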
Hi Rich, I had replaced the CA information with xyz and removed a lot of the thumbprint information for security reasons. All other information is unaltered.
OK, I will create a new certificate and enable it.
April 26th, 2012 9:04pm
Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.
Will that affect the operation of the certificates?
Thanks mucho Rich!
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Sites
NotAfter : 4/26/2017 6:28:12 PM
NotBefore : 4/26/2012 6:28:12 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 1A56F875D7ED17BE4E95D7C89C98653F
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Sites
NotAfter : 4/26/2017 6:20:17 PM
NotBefore : 4/26/2012 6:20:17 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 436330ED97B389A4452B4B670DB0EE00
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 26th, 2012 9:39pm
On Fri, 27 Apr 2012 01:39:30 +0000, exchange 2007 user wrote:
>Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.
>Will that affect the operation of the certificates?
It shouldn't.
---
Rich Matheisen
MCSE+I, Exchange MVP
April 26th, 2012 9:46pm
There are no more event id 12017 entries in the application log since the certificate renewals.
Thanks again Rich!
April 29th, 2012 1:37pm