EventID 12018, STARTTLS certificate

    Question

  • hi *,

    In the event log I can see EventID 12018 -> this is a warning with the event description "The STARTTLS certificate will expire soon: subject: HUB1.domain.com, hours remaining: 951BC955C6A83E130AB675EA2CA7FD4E459F5C4B. Run the New-ExchangeCertificate cmdlet to create a new certificate."


    I've exported the list of certificates and it seems that the certificate will expire on 29.10.2010; the impacted services are IMAP, POP, IIS, SMTP.

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.domain.com, autodiscover.domain.com, hub1, hub1.domain.com, sviehub, hub.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=SERVER01, DC=domain, DC=com
    NotAfter           : 29.10.2010 11:27:10
    NotBefore          : 29.10.2008 10:27:10
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : NNNNNNNNNNNNNNNNNNN
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=mail.domain.com, O=Domain AG, C=com
    Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


    I'm running WS2008 & Exchange 2007
    hub1 has HT/CAS role
    mail.domain.com - address for external OWA.

    What should I do next, as I have no experience with certificates? I googled it, but the answers I found didn't clear it up for me.

    Thanks in advance !
    Wednesday, October 20, 2010 1:46 PM

Answers

  • On Tue, 26 Oct 2010 05:07:09 +0000, Razvan Bontau wrote:
     
    [ snip ]
     
    >The only issue I have is with the first one (the one that will expire on the 29th). As I said, I have no experience with certificates and this is why I'm asking so many questions.
    >
    >So the solution would be to run
    >
    >Get-ExchangeCertificate -thumbprint "xxxxxxxxxxxxxxxxxxxxxx" | New-ExchangeCertificate
    >
    >or try and renew from Issuer : CN=SERVER01, DC=domain, DC=com ?
     
     
    I wouldn't worry about renewing the certificate.
     
    As I said in my last reply:
     
    Since you issue your own certificates you should be able to simply use
    the new-exchangecertificate cmdlet (with the same parameters you used
    to generate the previous CSR) and get another certificate from your
    CA. Import the certificate, activate it, and then remove the one
    that's about to expire.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP

    • Marked as answer by Gen Lin Friday, October 29, 2010 3:00 AM
    Tuesday, October 26, 2010 11:54 PM
  • Solved it by renewing the certificate from a CA.

    From this...Issuer : CN=SERVER01, DC=domain, DC=com

    After that, all I had to do was check Services and add the missing ones (in my case IIS and SMTP were missing).

    thanks for all the support !

    /closed
    • Marked as answer by Razvan Bontau Wednesday, November 17, 2010 2:03 PM
    Wednesday, November 17, 2010 2:02 PM

All replies

  • Hi,

    For the complete article, kindly visit the link below.

    http://www.exchangeinbox.com/article.aspx?i=114

    Solving the problem is simple. To begin, let's see the currently installed certificate by running:
    Get-ExchangeCertificate | Format-List

    [Screenshot: Exchange Certificate Properties]

    Note that here I am taking screenshots from a test machine whose certificate is not about to expire! Some properties worth noticing include:

    NotAfter - shows the certificate expiry date

    Services - shows that the certificate applies to IMAP, POP, IIS and SMTP

    Thumbprint - will use this to identify and make changes to this certificate

    Creating a new certificate is just a matter of running the cmdlet:
    New-ExchangeCertificate

    This will warn you about overwriting the SMTP certificate.

    [Screenshot: New Exchange Certificate]

    To be honest the first time I ran into this, I thought that was it. After all there were no more event log warnings. However this is not the case. Rerunning Get-ExchangeCertificate we see that the IIS service is still using the old certificate. This means Outlook users will still be knocking at our door.

    [Screenshot: Missing IIS Service]

    We need to move the IIS service using Enable-ExchangeCertificate. To do this we need the thumbprint value of the newly created certificate. In my case I used this command:
    Enable-ExchangeCertificate -Thumbprint F7A8F1B443A0E7266C72CDE0603302C07B856076 -Service IIS

    With the new certificate in place we may now remove the old certificate using Remove-ExchangeCertificate with the thumbprint value of the old certificate:
    Remove-ExchangeCertificate -Thumbprint 157700393E5D76615E855A773CFA08AB5842DFB0

    Regards.

    Shafaquat Ali.

    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, URL: http://blog.WhatDoUC.net Phone: +923008210320
    Wednesday, October 20, 2010 4:09 PM
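    The post above walks through the self-signed case one cmdlet at a time. For the original poster's situation, a certificate issued by the enterprise CA SERVER01 that is bound to IMAP, POP, IIS and SMTP, the same steps have to go through the CA, and the service bindings have to be checked afterwards (the thread ends with IIS and SMTP having to be added by hand). The Exchange Management Shell script below is an added example written for this thread; it is not from the linked article or from any post here. It re-requests the certificate with the old certificate's subject and SAN list, submits the request to the enterprise CA with certreq.exe, imports the issued certificate, re-binds the same services, verifies the result and only then removes the old certificate. The CA configuration string, the template name and the file paths are assumptions and must be adjusted.

```powershell
# Added example, not from the thread: renew a CA-issued Exchange 2007 certificate
# by re-requesting the same names and re-binding the same services.
# Run in the Exchange Management Shell on the Hub/CAS server (PowerShell 1.0 syntax).

$CaConfig    = 'SERVER01.domain.com\Domain-Enterprise-CA'   # assumption: "<CA host>\<CA name>", see certutil -dump
$Template    = 'WebServer'                                  # assumption: enterprise template that permits SANs
$RequestFile = 'C:\certs\hub1-renew.req'                    # assumption: working directory
$CertFile    = 'C:\certs\hub1-renew.cer'

# 1. Pick the service-bound certificate that expires first within 30 days,
#    which is roughly where the 12017/12018 warnings start.
$soon = (Get-Date).AddDays(30)
$old = Get-ExchangeCertificate |
    Where-Object { $_.HasPrivateKey -and $_.Services.ToString() -ne 'None' -and $_.NotAfter -lt $soon } |
    Sort-Object NotAfter | Select-Object -First 1
if ($old -eq $null) { Write-Host 'No service-bound certificate expires within 30 days.'; return }
Write-Host ("Renewing {0} (NotAfter {1}), services: {2}" -f $old.Thumbprint, $old.NotAfter, $old.Services)

# 2. New CSR with the same subject and the same SAN list, so no name that the
#    connectors or clients rely on is lost. A fresh private key is generated.
$oldNames = @($old.CertificateDomains | ForEach-Object { $_.ToString() })
New-ExchangeCertificate -GenerateRequest `
    -SubjectName $old.Subject `
    -DomainName $oldNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName ("Exchange renewal {0}" -f (Get-Date -Format yyyy-MM-dd)) `
    -Path $RequestFile

# 3. Submit to the enterprise CA. If the template requires manager approval the
#    request stays pending and certreq prints a RequestId to retrieve later.
certreq.exe -submit -config $CaConfig -attrib ("CertificateTemplate:{0}" -f $Template) $RequestFile $CertFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $CertFile)) {
    throw "certreq did not return an issued certificate (exit code $LASTEXITCODE)"
}

# 4. Import; Exchange pairs the issued certificate with the pending private key.
$new = Import-ExchangeCertificate -Path $CertFile
if (-not $new.HasPrivateKey) { throw 'Imported certificate has no private key; the request was not generated on this server.' }

# 5. Check SAN coverage and validity before touching any service binding.
$newNames = @($new.CertificateDomains | ForEach-Object { $_.ToString() })
$missing  = @($oldNames | Where-Object { $newNames -notcontains $_ })
if ($missing.Count -gt 0) { throw ("New certificate lacks names: {0}" -f [string]::Join(', ', $missing)) }
if ($new.Status -ne 'Valid') { Write-Warning ("New certificate status is {0}; check the CA chain and CRL first." -f $new.Status) }

# 6. Re-bind exactly the services the old certificate served (IMAP, POP, IIS, SMTP here).
#    Enabling SMTP asks whether to overwrite the default SMTP certificate; answer yes.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services.ToString()

# 7. Verify that every binding actually moved, then remove the old certificate.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$lost  = @($old.Services.ToString().Split(',') | ForEach-Object { $_.Trim() } |
          Where-Object { $check.Services.ToString() -notmatch ('\b' + $_ + '\b') })
if ($lost.Count -gt 0) { throw ("Services not bound to the new certificate: {0}" -f [string]::Join(', ', $lost)) }
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
Write-Host ("Done. {0} replaced by {1}." -f $old.Thumbprint, $new.Thumbprint)
```

    The old certificate is removed only after the SAN comparison and the service re-check pass, so a failed renewal leaves the still-valid certificate in place instead of a server with no usable one. Exchange 2010 dropped the -Path parameters in favour of -FileData / Set-Content -Encoding Byte; the 2007 syntax is used here because that is the version in the thread.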
    So it does not matter that in my example it is "IsSelfSigned : False" while in yours it is "True"?

    Also when I'm running "Get-ExchangeCertificate | List" I get two other certificates

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}

    CertificateDomains : {mail.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=a-sign-SSL-03, OU=a-sign-SSL-03, O=A-Trust, C=com
    NotAfter           : 09.09.2013 09:39:32
    NotBefore          : 09.09.2008 09:39:32
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 0443BC
    Services           : IMAP, POP
    Status             : Unknown
    Subject            : SERIALNUMBER=xxxxxxxxx, CN=mail.domain.com, OU=IT, O=Ro , C=com
    Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {HUB1, UB1.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=HUB1
    NotAfter           : 12.06.2009 10:23:10
    NotBefore          : 12.06.2008 10:23:10
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 80BDA1B6AE11FAA8463DF8A53470CBCE
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=HUB1
    Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Wednesday, October 20, 2010 6:08 PM
    Is your server sending mail directly out to the Internet, or is it using a smarthost?

    Check your send connector; the name you have in the send connector needs to be on the certificate to get rid of this warning.


    Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
    Thursday, October 21, 2010 10:15 AM
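    The point in the reply above is that the STARTTLS warning is about the names Exchange presents on its connectors, not about the certificate in isolation: transport selects the SMTP-enabled certificate whose domains cover the connector FQDN (and the server's own FQDN for the internal transport certificate behind event 12017). The script below is an added example, not part of the reply, that makes that check explicit. It lists the FQDNs of the Receive connectors on this hub, the Send connectors sourced from it and the server FQDN, and shows for each which SMTP-enabled certificate covers it and when that certificate expires. It assumes it is run in the Exchange Management Shell on the Hub Transport server; no other names are assumed.

```powershell
# Added example, not from the thread: map the SMTP names this Hub Transport server
# presents to the SMTP-enabled certificates that cover them, with expiry and flags.
# Run in the Exchange Management Shell on the hub (PowerShell 1.0 syntax).

# Does $name fall under $domain? Exact match, or a "*.example.com" wildcard one label up.
function Test-NameCovered($name, $domain) {
    $n = $name.ToLower(); $d = $domain.ToLower()
    if ($n -eq $d) { return $true }
    if ($d.StartsWith('*.')) {
        $suffix = $d.Substring(1)                      # ".example.com"
        return ($n.EndsWith($suffix) -and ($n.Substring(0, $n.Length - $suffix.Length) -notmatch '\.'))
    }
    return $false
}

$server     = Get-ExchangeServer -Identity $env:COMPUTERNAME
$serverFqdn = $server.Fqdn.ToString()

# Names that must be on an SMTP certificate: the server FQDN (internal transport,
# event 12017), Receive connector FQDNs, and Send connector FQDNs sourced from this server.
$names = @($serverFqdn)
Get-ReceiveConnector -Server $server.Name | ForEach-Object {
    if ($_.Fqdn) { $names += $_.Fqdn.ToString() } }
Get-SendConnector | Where-Object { $_.SourceTransportServers | Where-Object { $_.Name -eq $server.Name } } | ForEach-Object {
    if ($_.Fqdn) { $names += $_.Fqdn.ToString() } }
$names = @($names | Sort-Object -Unique)

# Certificates transport can offer: private key present and SMTP among the services.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.HasPrivateKey -and ($_.Services.ToString() -match 'SMTP') })

$now = Get-Date
foreach ($name in $names) {
    $covering = @($smtpCerts | Where-Object {
        $c = $_; ($c.CertificateDomains | Where-Object { Test-NameCovered $name $_.ToString() }) -ne $null })
    if ($covering.Count -eq 0) {
        Write-Warning ("{0}: no SMTP-enabled certificate carries this name; STARTTLS cannot be offered with a matching certificate" -f $name)
        continue
    }
    foreach ($c in $covering) {
        $left = [int]($c.NotAfter - $now).TotalDays
        $flag = ''
        if ($left -lt 0)         { $flag = 'EXPIRED' }
        elseif ($left -le 30)    { $flag = 'EXPIRES SOON (event 12018 territory)' }
        elseif ($c.IsSelfSigned) { $flag = 'self-signed' }
        Write-Host ("{0,-28} {1} NotAfter {2:yyyy-MM-dd} ({3} days) {4}" -f $name, $c.Thumbprint, $c.NotAfter, $left, $flag)
    }
}
```

    Run against the certificates posted in this thread, hub1.domain.com would show up covered by the expiring enterprise-CA certificate and by the already expired self-signed CN=HUB1 one, while mail.domain.com is covered by the enterprise-CA certificate only (the A-Trust certificate is not enabled for SMTP). A name with a warning and no rows is one that no renewal will fix until it is added to the SAN list.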
  • outgoing is Mailboxserver ->  HUB-Transport NLB -> directly to the Internet (DNS resolution)
    Thursday, October 21, 2010 12:38 PM
  • Also another event shown is 12017 - An internal transport certificate will expire soon. 
    Thursday, October 21, 2010 12:42 PM
  • And also the issuer is SERVER01, which is not the hub server.
    Thursday, October 21, 2010 12:56 PM
  • On Wed, 20 Oct 2010 18:08:18 +0000, Razvan Bontau wrote:
     
    >So it does not matter that in my example is "IsSelfSigned : False" while in yours is "True" ?
     
    It means that your certificate was issued by a CA other than the
    machine. In your case, the CA is "A-Trust". But that's not the
    certificate that's expired (although the "status" of that cert is
    "unknown" -- that may be because the CRL is inaccessible). That cert
    isn't being used for SMTP, either. Neither is it a SAN/UC cert --
    there's only one name there.
     
     
    The certificate with the serialnumber
    "80BDA1B6AE11FAA8463DF8A53470CBCE" is the one that needs to be
    renewed. It expired in 2009.
     
    Follow this to renew the certificate:
    http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
     
     
     
    >
    >
    >
    >Also when I'm running "Get-ExchangeCertificate | List" I get two other certificates
    >
    >AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    >CertificateDomains : {mail.domain.com}
    >HasPrivateKey      : True
    >IsSelfSigned       : False
    >Issuer             : CN=a-sign-SSL-03, OU=a-sign-SSL-03, O=A-Trust, C=com
    >NotAfter           : 09.09.2013 09:39:32
    >NotBefore          : 09.09.2008 09:39:32
    >PublicKeySize      : 2048
    >RootCAType         : ThirdParty
    >SerialNumber       : 0443BC
    >Services           : IMAP, POP
    >Status             : Unknown
    >Subject            : SERIALNUMBER=xxxxxxxxx, CN=mail.domain.com, OU=IT, O=Ro , C=com
    >Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    >
    >AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    >CertificateDomains : {HUB1, UB1.domain.com}
    >HasPrivateKey      : True
    >IsSelfSigned       : True
    >Issuer             : CN=HUB1
    >NotAfter           : 12.06.2009 10:23:10
    >NotBefore          : 12.06.2008 10:23:10
    >PublicKeySize      : 2048
    >RootCAType         : Unknown
    >SerialNumber       : 80BDA1B6AE11FAA8463DF8A53470CBCE
    >Services           : SMTP
    >Status             : Invalid
    >Subject            : CN=HUB1
    >Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP

    Thursday, October 21, 2010 9:39 PM
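    The reply above suggests that the A-Trust certificate's "Status : Unknown" may come from an unreachable CRL. That is a guess a practitioner can confirm directly: build the certificate's chain with online revocation checking and read the per-element status flags, which separate "revocation status could not be determined" from "issuer not trusted" or "expired". The snippet below is an added example for this thread, not from the reply. It reads the certificate from the local machine store by thumbprint (the $Thumbprint value is an assumption to be pasted from Get-ExchangeCertificate), builds the chain and prints the CRL distribution points the check depends on.

```powershell
# Added example, not from the thread: explain an Exchange certificate's Status by
# building its chain with online revocation checking and printing the status flags.
# Run in the Exchange Management Shell on the server holding the certificate.

$Thumbprint = 'PASTE-THUMBPRINT-HERE'   # assumption: thumbprint from Get-ExchangeCertificate, no spaces

# Read from the machine store; this works whether Get-ExchangeCertificate returns an
# X509Certificate2 (Exchange 2007) or its own wrapper type (Exchange 2010).
$cert = Get-Item ("Cert:\LocalMachine\My\{0}" -f $Thumbprint)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$built = $chain.Build($cert)

Write-Host ("Subject : {0}" -f $cert.Subject)
Write-Host ("Issuer  : {0}" -f $cert.Issuer)
Write-Host ("Valid   : {0} -> {1}" -f $cert.NotBefore, $cert.NotAfter)
Write-Host ("Chain builds cleanly: {0}" -f $built)

# One line per chain element. The flags name the exact problem:
#   RevocationStatusUnknown / OfflineRevocation : CRL (or OCSP) could not be fetched,
#       the usual reason Exchange shows Status "Unknown" instead of "Valid" or "Invalid"
#   UntrustedRoot / PartialChain                : issuer or root not in the machine's trusted stores
#   NotTimeValid                                : expired or not yet valid
foreach ($el in $chain.ChainElements) {
    $status = 'OK'
    if ($el.ChainElementStatus.Length -gt 0) {
        $parts  = @($el.ChainElementStatus | ForEach-Object { $_.Status.ToString() })
        $status = [string]::Join(', ', $parts)
    }
    Write-Host ("  {0,-60} {1}" -f $el.Certificate.Subject, $status)
}

# Where the CRL has to be fetched from (CRL Distribution Points extension, OID 2.5.29.31).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { Write-Host 'CRL distribution points:'; Write-Host $cdp.Format($true) }
else      { Write-Host 'No CRL distribution point in the certificate.' }
```

    If the only flag on the leaf is RevocationStatusUnknown or OfflineRevocation and the printed CRL URL is not reachable from the Exchange server (for example because the server has no outbound HTTP), the "Unknown" status is a network or proxy issue rather than a certificate problem; an UntrustedRoot flag instead means the A-Trust chain is not installed in the machine's trusted stores. The same check with certutil -verify -urlfetch on an exported copy of the certificate gives the identical answer from the command line.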
  • Hi,

    As Rich said, if the "IsSelfSigned" value is true, it means this certificate is issued by Exchange server itself. If the value is false, it means the certificate is issued by a third-party CA (It may be your private CA or a Public CA).

    Since the certificate which will expire is a self-signed certificate issued by the Exchange server, you can just run the following command to renew it:

    Open Exchange Management shell, type:

    Get-ExchangeCertificate -thumbprint "xxxxxxxxxxxxxxxxxxxxxx" | New-ExchangeCertificate

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Gen Lin-MSFT
    Monday, October 25, 2010 8:53 AM
  • First, thanks for all the replies !

    This is the cert that will expire on the 29th

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.domain.com, autodiscover.domain.com, hub1, hub1.domain.com, sviehub, hub.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=SERVER01, DC=domain, DC=com
    NotAfter           : 29.10.2010 11:27:10
    NotBefore          : 29.10.2008 10:27:10
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : NNNNNNNNNNNNNNNNNNN
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=mail.domain.com, O=Domain AG, C=com
    Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    If IsSelfSigned value is False, doesn't this mean that the certificate is not issued by Exchange server but by a third-party (in this case Issuer : CN=SERVER01, DC=domain, DC=com)?

    Monday, October 25, 2010 12:37 PM
    >If IsSelfSigned value is False, doesn't this mean that the certificate is not issued by Exchange server but by a third-party (in this case Issuer : CN=SERVER01, DC=domain, DC=com)?


    You are correct; it's issued either by a private or a public CA.

    It needs to be renewed before it has expired


    Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
    Monday, October 25, 2010 4:54 PM
  • On Mon, 25 Oct 2010 12:37:36 +0000, Razvan Bontau wrote:
     
    >
    >
    >First, thanks for all the replies !
    >
    >This is the cert the will expire on 29th
    >
    >AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule , System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
     
    >CertificateDomains : {mail.domain.com, autodiscover.domain.com, hub1, hub1.domain.com, sviehub, hub.domain.com}
    >HasPrivateKey : True
    >IsSelfSigned : False
    >Issuer : CN=SERVER01, DC=domain, DC=com
    >NotAfter : 29.10.2010 11:27:10
    >NotBefore : 29.10.2008 10:27:10
    >PublicKeySize : 2048
    >RootCAType : Enterprise
    >SerialNumber : NNNNNNNNNNNNNNNNNNN
    >Services : IMAP, POP, IIS, SMTP
    >Status : Valid
    >Subject : CN=mail.domain.com, O=Domain AG, C=com
    >Thumbprint : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
     
    >If IsSelfSigned value is False, doesn't this means that the certificate is not issued by Exchange server but by a third-party (in this case Issuer : CN=SERVER01, DC=domain, DC=com) ?
     
    Yes, it does, but the only 3rd-party certificate you posted earlier
    was this one (which isn't the same one you just posted!):
     
    CertificateDomains : {mail.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=a-sign-SSL-03, OU=a-sign-SSL-03, O=A-Trust, C=com
    NotAfter           : 09.09.2013 09:39:32
    NotBefore          : 09.09.2008 09:39:32
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 0443BC
    Services           : IMAP, POP
    Status             : Unknown
    Subject            : SERIALNUMBER=xxxxxxxxx, CN=mail.domain.com, OU=IT, O=Ro , C=com
    Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
     
    That certificate doesn't expire until 2013.
     
     
    Since you issue your own certificates you should be able to simply use
    the new-exchangecertificate cmdlet (with the same parameters you used
    to generate the previous CSR) and get another certificate from your
    CA. Import the certificate, activate it, and then remove the one that's
    about to expire.
     
     
     
     
    The 2nd certificate you posted was this one (which is already
    expired):
     
    CertificateDomains : {HUB1, UB1.domain.com}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=HUB1
    NotAfter : 12.06.2009 10:23:10
    NotBefore : 12.06.2008 10:23:10
    PublicKeySize : 2048
    RootCAType : Unknown
    SerialNumber : 80BDA1B6AE11FAA8463DF8A53470CBCE
    Services : SMTP
    Status : Invalid
    Subject : CN=HUB1
    Thumbprint : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP

    Monday, October 25, 2010 7:14 PM
    When I'm running "Get-ExchangeCertificate | List" I get the below list of certificates:

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.domain.com, autodiscover.domain.com, hub1, hub1.domain.com, sviehub, hub.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=SERVER01, DC=domain, DC=com
    NotAfter           : 29.10.2010 11:27:10
    NotBefore          : 29.10.2008 10:27:10
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : NNNNNNNNNNNNNNNNNNN
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=mail.domain.com, O=Domain AG, C=com
    Thumbprint         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}

    CertificateDomains : {mail.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=a-sign-SSL-03, OU=a-sign-SSL-03, O=A-Trust, C=com
    NotAfter           : 09.09.2013 09:39:32
    NotBefore          : 09.09.2008 09:39:32
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 0443BC
    Services           : IMAP, POP
    Status             : Unknown
    Subject            : SERIALNUMBER=xxxxxxxxx, CN=mail.domain.com, OU=IT, O=Ro , C=com
    Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {HUB1, UB1.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=HUB1
    NotAfter           : 12.06.2009 10:23:10
    NotBefore          : 12.06.2008 10:23:10
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 80BDA1B6AE11FAA8463DF8A53470CBCE
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=HUB1
    Thumbprint         : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    The only issue I have is with the first one (the one that will expire on the 29th). As I said, I have no experience with certificates and this is why I'm asking so many questions.

    So the solution would be to run

    Get-ExchangeCertificate -thumbprint "xxxxxxxxxxxxxxxxxxxxxx" | New-ExchangeCertificate

    or try and renew from Issuer : CN=SERVER01, DC=domain, DC=com ?

    Thanks !

    Tuesday, October 26, 2010 5:07 AM