Event 12018 and STARTTLS

    Question

  • Today we noticed Event ID 12018.

    "The STARTTLS certificate will expire soon: subject: PDXHQEX01.domain.local, hours remaining: E9A3341E4B43D321727470A6F48BA3E77B213BE2. Run the New-ExchangeCertificate cmdlet to create a new certificate."

    I ran the following cmdlet, get-exchangecertificate | fl, and below is the output.

    It appears there are two certificates against the SMTP service, the third-party GoDaddy certificate and then a self-signed certificate. If that's the correct interpretation, can I remove the expiring self-signed certificate? If so, how?

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.domain.com, www.mail.domain.com, PDXHQEX01,
                         PDXHQEX01.domain.local, autodiscover.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                         thority, OU=http://certificates.godaddy.com/repository, O=
                         "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 10/21/2013 10:55:02 AM
    NotBefore          : 10/21/2009 10:55:02 AM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 04138601D62D88
    Services           : IMAP, POP, IIS, SMTP
    Status             : Invalid
    Subject            : CN=mail.domain.com, OU=Domain Control Validated, O=mai
                         l.domain.com
    Thumbprint         : 7AB58B29CDF01E8C6BA8E4FEE918C3EFE5558DB9

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {PDXHQEX01, PDXHQEX01.domain.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=PDXHQEX01
    NotAfter           : 9/17/2010 3:22:11 PM
    NotBefore          : 9/17/2009 3:22:11 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 21567601461F64B7429A4947576EB22D
    Services           : SMTP
    Status             : Valid
    Subject            : CN=PDXHQEX01
    Thumbprint         : E9A3341E4B43D321727470A6F48BA3E77B213BE2

     

    Wednesday, August 18, 2010 1:58 PM

Answers

  • Hi briwlls97212,

    From the output of get-exchangecertificate | fl, the GoDaddy certificate's RootCAType is Unknown.

    Unknown means:  Exchange is unable to determine the type of certificate that is installed.

    It should be Thirdparty.

    Please also check whether the GoDaddy intermediate certificates are installed or not.

    I would suggest you contact GoDaddy as well.


    Frank Wang
    • Marked as answer by Frank.Wang Wednesday, August 25, 2010 1:07 AM
    Friday, August 20, 2010 8:20 AM
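
A read-only check for the two points raised in this thread: which certificates are enabled for SMTP and when they expire, and whether each certificate's chain (including any intermediate CA certificates) builds on the server. This is an added example, not part of the original thread; it assumes the Exchange Management Shell on the Exchange server itself and skips revocation checking so it runs without Internet access.

```powershell
# Added illustration (not from the thread). Read-only: it changes nothing.
# Assumption: run in the Exchange Management Shell on the Exchange server itself.
$now = Get-Date

Get-ExchangeCertificate | ForEach-Object {
    $exCert = $_

    # Load the same certificate from the computer's Personal store by thumbprint.
    $x509 = Get-Item ("Cert:\LocalMachine\My\" + $exCert.Thumbprint)

    # Build the chain locally. Revocation lookups are skipped (assumption) so the
    # result reflects only which issuer certificates are present on this server.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $chainBuilt = $chain.Build($x509)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $chainStatus = [string]::Join(", ", $flags)

    # One summary object per certificate, with expiry and chain results added.
    $exCert | Select-Object Thumbprint, Subject, IsSelfSigned, Services, Status, RootCAType, NotAfter,
        @{Name = "DaysLeft";    Expression = { [int]($_.NotAfter - $now).TotalDays }},
        @{Name = "UsedForSmtp"; Expression = { "$($_.Services)" -match "SMTP" }},
        @{Name = "ChainBuilt";  Expression = { $chainBuilt }},
        @{Name = "ChainStatus"; Expression = { $chainStatus }}
} | Sort-Object NotAfter | Format-List

# Reading the output against this thread:
# - UsedForSmtp = True with a small DaysLeft: the certificate Event 12018 warns about.
# - IsSelfSigned = True: ChainStatus is typically UntrustedRoot, which is expected.
# - IsSelfSigned = False with ChainStatus PartialChain: an issuer certificate
#   (for example an intermediate CA certificate) was not found on this server.
```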

All replies

  • Just disable the thumbprint of the self-signed certificate.

    set-exchangecertificate -thumbprint E9A3341E4B43D321727470A6F48BA3E77B213BE2 -status invalid 

     

    For the GoDaddy certificate, make it valid.

    -Bpara

    Wednesday, August 18, 2010 2:12 PM
  • Thank you for the quick response, I tried that cmdlet and it's not a recognized cmdlet. I Googled trying to find the right cmdlet and I'm not finding the right answer, suggestions?
    Wednesday, August 18, 2010 2:52 PM
  • Sorry,

    You'd better try

    Remove-ExchangeCertificate -Thumbprint  E9A3341E4B43D321727470A6F48BA3E77B213BE2

     

    -Bpara

    Wednesday, August 18, 2010 2:57 PM
  • OK, I'll try that, but I'll need to set the status on the other certificate to VALID, thoughts on that?
    Wednesday, August 18, 2010 3:05 PM
  • Enable that one. It will work.

    enable-ExchangeCertificate -Thumbprint 7AB58B29CDF01E8C6BA8E4FEE918C3EFE5558DB9

     

    -Bpara

    Wednesday, August 18, 2010 3:08 PM
  • Is it ok?

     

    -Bpara

    Thursday, August 19, 2010 11:08 AM
  • I'll do this Friday evening, I'll post back.

    Thanks!

    Thursday, August 19, 2010 10:40 PM
  • Hi briwlls97212,

    Any updates on your issue?


    Frank Wang
    Tuesday, August 24, 2010 2:07 AM