Event ID 12017: An internal transport certificate will expire soon.
The certificate whose thumbprint is referenced in the application error event log begins with 18A7. It will expire on 5/19/12.
I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.
A few questions: Do I update the 18A7 certificate only, as the A3BF appears to be a duplicate, and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.
How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something and break the e-mail system.
Do I just run the following to renew the 18A7 certificate?
"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP"
Do I need to remove the expiring certificate as well before I enable the new one?
Thanks, Andrew
From the Exchange 2007 management console, I executed:
Get-ExchangeCertificate | Format-List
Below is a snippet of the output:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=xyz-xyz123-CA
NotAfter : 5/19/2012 10:58:54 PM
NotBefore : 5/20/2010 10:58:54 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=xyz-xyz123-CA
NotAfter : 5/11/2012 10:48:44 PM
NotBefore : 5/12/2010 10:48:44 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 610Bxxxxxxxxxxxxxxxxxxx
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 24th, 2012 11:21pm
On Wed, 25 Apr 2012 03:21:07 +0000, exchange 2007 user wrote:
>
>
>The thumbprint certificate referenced in the application error event log begins with 18A7. It will expire on 5/19/12.
>
>I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.
>
>Few questions: Do I update the 18A7 certificate only as the A3BF appears to be a duplicate and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.
>
>How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something break the e-mail system.
>
>Do I just run the following to renew the 18A7 certificate?
Both certificates will expire in May of 2012. Using either of them
will produce the same warning. You need a new certificate that expires
in, say, two years' time.
>"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP POP SMTP"
>
>Do I need to remove the expiring certificate as well before I enable the new one?
No, but it's pointless to keep expired certificates in the server's
certificate store. After you install a new certificate and enable it
for use by Exchange you can remove the expired certs.
>AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz123.xyz.local}
>HasPrivateKey : True
>IsSelfSigned : False
>Issuer : CN=xyz-xyz123-CA
>NotAfter : 5/19/2012 10:58:54 PM
>NotBefore : 5/20/2010 10:58:54 PM
>PublicKeySize : 2048
>RootCAType : Registry
>SerialNumber : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>Services : IMAP, POP, SMTP
>Status : Valid
>Subject : CN=Sites
>Thumbprint : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz123.xyz.local}
>HasPrivateKey : True
>IsSelfSigned : False
>Issuer : CN=xyz-xyz123-CA
>NotAfter : 5/11/2012 10:48:44 PM
>NotBefore : 5/12/2010 10:48:44 PM
>PublicKeySize : 2048
>RootCAType : Registry
>SerialNumber : 610Bxxxxxxxxxxxxxxxxxxx
>Services : IMAP, POP, SMTP
>Status : Valid
>Subject : CN=Sites
>Thumbprint : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---
Rich Matheisen
MCSE+I, Exchange MVP
April 24th, 2012 11:31pm
Thanks for your reply Rich.
So in summary, to correct this problem I plan on implementing the following commands. Is the sequence of commands correct?
1. Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP
2. Get-ExchangeCertificate | fl (to grab the thumbprint of the newly generated certificate)
3. Enable-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Services IMAP,POP,SMTP
4. Remove-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxx
5. (restart the Microsoft Exchange Transport service)
Repeat steps 1 - 5 for the second certificate, thumbprint AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks in advance,
Andrew
April 25th, 2012 11:38pm
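The five-step renewal sequence from the post above, written out as one checked script. This is an added example, not code from the thread or from Microsoft; it assumes the Exchange 2007 Management Shell is loaded, and the two thumbprints are placeholders taken from the redacted output above.

```powershell
# Added example (not from the thread): renew the expiring internal transport
# certificates in the order discussed above, verifying each step before the
# old certificate is removed. Replace the placeholder thumbprints.
$ExpiringThumbprints = @('18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
                         'AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx')
$Services = 'IMAP,POP,SMTP'
$WarnDays = 30

# Step 0: show every certificate Exchange knows about that expires within
# $WarnDays, so the thumbprints above can be checked against the real ones.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays($WarnDays) } |
    Format-List Thumbprint, Subject, Issuer, IsSelfSigned, NotAfter, Services

foreach ($old in $ExpiringThumbprints) {
    $oldCert = Get-ExchangeCertificate -Thumbprint $old -ErrorAction SilentlyContinue
    if (-not $oldCert) { Write-Warning "Thumbprint $old not found, skipping"; continue }

    # Step 1: clone the expiring certificate into a new one. Piping the old
    # certificate into New-ExchangeCertificate keeps its subject and domains;
    # the result is self-signed, which is why the thread's new certificates
    # show IsSelfSigned True and Issuer CN=Sites.
    $newCert = $oldCert | New-ExchangeCertificate -Services $Services

    # Steps 2-3: the new thumbprint comes back on the object, so no manual
    # copy from Format-List is needed; enable it for the same services.
    Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services $Services

    # Check the replacement is valid and has its private key before removing anything.
    $check = Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint
    if ($check.Status -ne 'Valid' -or -not $check.HasPrivateKey) {
        Write-Warning "New certificate $($check.Thumbprint) not usable; leaving $old in place"
        continue
    }

    # Step 4: remove the old certificate only once the new one is active.
    Remove-ExchangeCertificate -Thumbprint $old -Confirm:$false
    Write-Host "Replaced $old with $($newCert.Thumbprint) (expires $($newCert.NotAfter))"
}

# Step 5: restart transport so the new certificate is picked up; event 12017
# should stop appearing in the Application log afterwards.
Restart-Service MSExchangeTransport
```

Enabling a certificate for SMTP may prompt to replace the default SMTP certificate; answer that prompt deliberately rather than suppressing it.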
Hi Rich, I had replaced the CA information with xyz and removed a lot of the thumbprint information for security reasons. All other information is unaltered.
Ok, I will create the new certificates and enable them.
April 26th, 2012 9:04pm
Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.
Will that affect the operation of the certificates?
Thanks mucho Rich!
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Sites
NotAfter : 4/26/2017 6:28:12 PM
NotBefore : 4/26/2012 6:28:12 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 1A56F875D7ED17BE4E95D7C89C98653F
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Sites
NotAfter : 4/26/2017 6:20:17 PM
NotBefore : 4/26/2012 6:20:17 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 436330ED97B389A4452B4B670DB0EE00
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=Sites
Thumbprint : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 26th, 2012 9:39pm
On Fri, 27 Apr 2012 01:39:30 +0000, exchange 2007 user wrote:
>Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.
>
>Will that affect the operation of the certificates?
It shouldn't.
>
>Thanks mucho Rich!
>
>AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz-xyz123.local}
>HasPrivateKey : True
>IsSelfSigned : True
>Issuer : CN=Sites
>NotAfter : 4/26/2017 6:28:12 PM
>NotBefore : 4/26/2012 6:28:12 PM
>PublicKeySize : 2048
>RootCAType : None
>SerialNumber : 1A56F875D7ED17BE4E95D7C89C98653F
>Services : IMAP, POP, SMTP
>Status : Valid
>Subject : CN=Sites
>Thumbprint : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz-xyz123.local}
>HasPrivateKey : True
>IsSelfSigned : True
>Issuer : CN=Sites
>NotAfter : 4/26/2017 6:20:17 PM
>NotBefore : 4/26/2012 6:20:17 PM
>PublicKeySize : 2048
>RootCAType : None
>SerialNumber : 436330ED97B389A4452B4B670DB0EE00
>Services : IMAP, POP, SMTP
>Status : Valid
>Subject : CN=Sites
>Thumbprint : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---
Rich Matheisen
MCSE+I, Exchange MVP
April 26th, 2012 9:46pm
There are no more event id 12017 entries in the application log since the certificate renewals.
Thanks again Rich!
April 29th, 2012 1:37pm