MSExchange Web Services - Event ID 26 - Exchange certificate expiration question

    Question

  • I have recently received the following event:

      CN=exchange2010-MYHOST-CA

    [Serial Number]

      9999999900000000000B

    [Not Before]

      26/01/2012 18:07:28

    [Not After]

      25/01/2013 18:07:28

    [Thumbprint]

      G6G5C899B0B069CA76377A9A99BE5DF8081AB99B

    will expire on 25/01/2013 18:07:28.

    However, upon trying to renew the certificate, the following happens:

    [PS] C:\Windows\system32>Get-ExchangeCertificate -thumbprint "G6G5C899B0B069CA76377A9A99BE5DF8081AB99B" | New-ExchangeCertificate
    WARNING: This certificate will not be used for external TLS connections with an FQDN of 'exchange2010.MYHOST.local'
    because the CA-signed certificate with thumbprint 'G6G5C899B0B069CA76377A9A99BE5DF8081AB99B' takes precedence. The
    following receive/send connectors match that FQDN: Default exchange2010.

    Confirm
    Overwrite the existing default SMTP certificate?

    Current certificate: 'G6G5C899B0B069CA76377A9A99BE5DF8081AB99B' (expires 12/03/2015 14:39:51)
    Replace it with certificate: 'G6G5C899B0B069CA76377A9A99BE5DF8081AB99C' (expires 12/12/2017 13:20:26)
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): n

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    G6G5C899B0B069CA76377A9A99BE5DF8081AB99C ....S.     CN=exchange2010.MYHOST.local

    Any ideas on this?

    Many thanks,

    Andy

     

    Wednesday, December 12, 2012 1:39 PM

Answers

  • Hi Andy,

    I reviewed your question and replies. You said you used a self-signed certificate; however, according to Get-ExchangeCertificate | List

    IsSelfSigned       : False

    And you said This certificate was issued by my SBS2011 Server, using the Domain Controller template

    It seems that this is not a self-signed one.

    Since it may have a different certificate configuration in SBS, I would suggest you seek the solution in the SBS forum:

    http://social.technet.microsoft.com/Forums/en-US/category/sbsserver


    Frank Wang
    TechNet Community Support

    • Marked as answer by Frank.Wang Wednesday, December 19, 2012 1:46 AM
    Monday, December 17, 2012 2:30 AM

All replies

  • Looks like it's a self-signed certificate.

    Do you have any more public certificates apart from this one?

    What are all the services enabled on this certificate?


    Om

    (MCITP,Enterprise Messaging Administrator)

    **My posts are provided “AS IS” without warranty of any kind**

    Wednesday, December 12, 2012 2:47 PM
  • You are correct - it is a self signed certificate.

    I do have a GoDaddy SSL certificate installed for OWA.

    This certificate was issued by my SBS2011 Server, using the Domain Controller template.

    Andy


    • Edited by VBAndyM Wednesday, December 12, 2012 3:05 PM
    Wednesday, December 12, 2012 2:56 PM
  • Is this certificate enabled for only SMTP service?

    Om

    (MCITP,Enterprise Messaging Administrator)

    Wednesday, December 12, 2012 6:23 PM
  • Hi Andy,

    Any updates?

    If this certificate is for SMTP, please enter Y to overwrite the old one.


    Frank Wang
    TechNet Community Support

    Thursday, December 13, 2012 7:32 AM
  • Hi Frank, Om,

    Just performed a Get-ExchangeCertificate | List, which produced the following for the certificate in question:

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {exchange2010.MYHOST.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN='exchange2010-MYHOST-CA'
    NotAfter           : 25/01/2013 18:07:28
    NotBefore          : 26/01/2012 18:07:28
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 3012600600000000000B
    Services           : None
    Status             : Valid
    Subject            : CN=exchange2010.MYHOST.local
    Thumbprint         : G6G5C899B0B069CA76377A9A99BE5DF8081AB99B

    I can see that the services associated with it are 'None'. In addition, there were numerous other results that returned 'Services: None' as well.

    How do I remove the certificate so that I can get rid of the error?

    I know these questions may seem simple to you, but although I use Exchange, I am not an Exchange expert.

    Many thanks,

    Andy


    • Edited by VBAndyM Thursday, December 13, 2012 10:54 AM
    Thursday, December 13, 2012 10:53 AM
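
An added example, not part of the original thread: a PowerShell 2.0-compatible function that classifies certificates by days until expiry and by whether any Exchange service is bound to them, the two fields from the `Get-ExchangeCertificate | List` output above that decide whether an expiring certificate matters. The function name `Get-CertExpiryReport`, the 45-day threshold and the sample objects (built from values quoted in the thread) are assumptions for illustration.

```powershell
# Added example. Classifies certificate objects by expiry and service binding.
function Get-CertExpiryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Certificate,
        [int]$WarnDays = 45,               # assumed warning window
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $AsOf).TotalDays)
        # String form works for live objects and for deserialized remote-shell objects.
        $services = "$($Certificate.Services)"
        $bound = $services -ne 'None'

        if ($daysLeft -lt 0) { $state = 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $state = 'ExpiringSoon' }
        else { $state = 'OK' }

        if ($state -eq 'OK') { $action = 'None' }
        elseif ($bound) { $action = 'Renew, then enable services on the new certificate' }
        else { $action = 'No services bound: review for removal' }

        New-Object psobject -Property @{
            Thumbprint = $Certificate.Thumbprint; Subject = $Certificate.Subject
            Services = $services; IsSelfSigned = $Certificate.IsSelfSigned
            DaysLeft = $daysLeft; State = $state; Action = $action
        } | Select-Object Thumbprint, Subject, Services, IsSelfSigned, DaysLeft, State, Action
    }
}

# Constructed sample input mirroring the two certificates quoted in the thread.
$sample = @(
    (New-Object psobject -Property @{
        Thumbprint = 'G6G5C899B0B069CA76377A9A99BE5DF8081AB99B'
        Subject = 'CN=exchange2010.MYHOST.local'; Services = 'None'
        IsSelfSigned = $false; NotAfter = [datetime]'2013-01-25T18:07:28' }),
    (New-Object psobject -Property @{
        Thumbprint = 'G6G5C899B0B069CA76377A9A99BE5DF8081AB99C'
        Subject = 'CN=exchange2010.MYHOST.local'; Services = 'SMTP'
        IsSelfSigned = $true; NotAfter = [datetime]'2017-12-12T13:20:26' })
)
$sample | Get-CertExpiryReport -AsOf ([datetime]'2012-12-13') | Format-Table -AutoSize

# In the Exchange Management Shell, feed it live data instead:
#   Get-ExchangeCertificate | Get-CertExpiryReport
```

A certificate reported with no services bound is not used by Exchange itself, but it may still be needed by something else on the server, so check that before deleting it with `Remove-ExchangeCertificate -Thumbprint <thumbprint>`.
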
  • New-ExchangeCertificate
    Go ahead and generate a new one, press Y if it prompts you.

    Om

    Friday, December 14, 2012 1:35 AM
  • Hi Om,

    I have performed the

    Get-ExchangeCertificate -thumbprint "G6G5C899B0B069CA76377A9A99BE5DF8081AB99B" | New-ExchangeCertificate

    but the expiration date of Jan 25th still remains.

    Andy

    Friday, December 14, 2012 11:44 AM
  • Run only this Command:

    New-ExchangeCertificate


    Om

    Friday, December 14, 2012 5:31 PM