Event ID 12017: An internal transport certificate will expire soon.

  • Question

  • The certificate thumbprint referenced in the application error event log begins with 18A7. It will expire on 5/19/12.

    I included the second certificate (begins with A3BF) as they appear to be duplicates.  There were no event log warnings regarding the second certificate expiring. 

    A few questions: Do I update the 18A7 certificate only, as the A3BF one appears to be a duplicate, and allow that one to expire? The second one is coming due on 5/11/12, but I never got an expiration notice in the event log.

    How would I go about properly renewing the 18A7 certificate? I don't want to fat-finger something and break the e-mail system.

    Do I just run the following to renew the 18A7 certificate?

    "Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP"

    Do I need to remove the expiring certificate as well before I enable the new one? 

    Thanks, Andrew

    From the Exchange 2007 Management Console, I executed:

    Get-ExchangeCertificate | Format-List

    Below is a snippet of the output:

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {Sites, xyz123.xyz.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=xyz-xyz123-CA
    NotAfter           : 5/19/2012 10:58:54 PM
    NotBefore          : 5/20/2010 10:58:54 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=Sites
    Thumbprint         : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {Sites, xyz123.xyz.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=xyz-xyz123-CA
    NotAfter           : 5/11/2012 10:48:44 PM
    NotBefore          : 5/12/2010 10:48:44 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 610Bxxxxxxxxxxxxxxxxxxx
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=Sites
    Thumbprint         : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Wednesday, April 25, 2012 3:21 AM

Answers

  • On Thu, 26 Apr 2012 03:38:39 +0000, exchange 2007 user wrote:
     
    >
    >
    >Thanks for your reply Rich.
    >
    >So in summary, to correct this problem I plan on implementing the following commands. Is the sequence of commands correct?
     
    What CA issued your certificate? The information you provided says:
     
    .. Issuer : CN=xyz-xyz123-CA
     
    Is that YOUR CA? Or is it a commercial CA? If it's your own, just
    create a new certificate request and use it to create a new cert.
    Import that and activate it.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Thursday, April 26, 2012 11:47 PM

All replies

  • On Wed, 25 Apr 2012 03:21:07 +0000, exchange 2007 user wrote:
     
    >
    >
    >The thumbprint certificate referenced in the application error event log begins with 18A7. It will expire on 5/19/12.
    >
    >I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.
    >
    >Few questions: Do I update the 18A7 certificate only as the A3BF appears to be a duplicate and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.
    >
    >How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something break the e-mail system.
    >
    >Do I just run the following to renew the 18A7 certificate?
     
    Both certificates will expire in May of 2012. Using either of them
    will produce the same warning. You need a new certificate that expires
    in, say, two years' time.
     
    >"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP POP SMTP"
    >
    >Do I need to remove the expiring certificate as well before I enable the new one?
     
    No, but it's pointless to keep expired certificates in the server's
    certificate store. After you install a new certificate and enable it
    for use by Exchange you can remove the expired certs.
     
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Wednesday, April 25, 2012 3:31 AM
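As an added example that is not part of this thread (and not Microsoft's code), the following Exchange Management Shell script does the check Rich's reply implies: it lists every certificate Exchange knows about with its remaining lifetime and service bindings, then pulls the thumbprints named by recent event 12017 entries so they can be matched against that list. The 30-day threshold, the 2000-entry event window and the 40-hex-character thumbprint pattern are this example's own assumptions.

```powershell
# Added example, not code from the thread. Run in the Exchange Management
# Shell on the Hub Transport server. Assumptions: a 30-day warning threshold,
# scanning the newest 2000 Application log entries, and SHA-1 thumbprints
# (40 hex characters) in the event text.
param(
    [int]$WarnDays = 30,
    [int]$NewestEvents = 2000
)

$now = Get-Date

# One row per certificate, with days remaining computed from NotAfter.
$certs = Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Issuer, IsSelfSigned, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [math]::Floor(($_.NotAfter - $now).TotalDays) } }

"Certificates expiring within $WarnDays days (negative = already expired):"
$certs | Where-Object { $_.DaysLeft -le $WarnDays } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, DaysLeft, NotAfter, Services, IsSelfSigned -AutoSize

# Event 12017 names the thumbprint of the certificate transport is using.
# Collect those thumbprints so they can be matched against the table above:
# an expiring certificate that never appears here is not the one transport
# selected for internal TLS, so it draws no warning.
$warned = @{}
Get-EventLog -LogName Application -Newest $NewestEvents |
    Where-Object { $_.EventID -eq 12017 } |
    ForEach-Object {
        if ($_.Message -match '([0-9A-Fa-f]{40})') {
            $key = $matches[1].ToUpper()
            if (-not $warned.ContainsKey($key)) { $warned[$key] = $_.TimeGenerated }
        }
    }

"Certificates named in event 12017 (newest $NewestEvents Application log entries):"
foreach ($c in $certs) {
    $key = $c.Thumbprint.ToUpper()
    if ($warned.ContainsKey($key)) {
        "  {0}  warned {1}  {2} days left  services {3}" -f $key, $warned[$key], $c.DaysLeft, $c.Services
    }
}
```

Run it before and after a renewal: beforehand it shows which expiring certificate transport is actually complaining about, afterwards the new thumbprint should be the only one bound to SMTP and no 12017 entry should name it.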
  • Thanks for your reply Rich.

    So in summary, to correct this problem I plan on implementing the following commands. Is the sequence of commands correct?

    1. Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP

    2. Get-ExchangeCertificate | fl  (to grab the thumbprint of the newly generated certificate)

    3. Enable-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Services IMAP,POP,SMTP

    4. Remove-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxx

    5. (restart the Microsoft Exchange Transport service)

    Repeat steps 1 - 5 for second certificate thumbprint AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Thanks in advance,

    Andrew

    Thursday, April 26, 2012 3:38 AM
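The numbered plan above, together with Rich's alternative of requesting the certificate from your own CA, as one script. This is an added example, not code from this thread or from Microsoft; run it in the Exchange Management Shell on the server that logged event 12017. It assumes a full 40-character thumbprint in $OldThumbprint (the thread only shows redacted prefixes), example file paths under C:\certs for the CA path, a $UseCA switch of its own, and that New-ExchangeCertificate and Import-ExchangeCertificate emit the certificate they create, which is how their Exchange 2007 documentation examples use them. The main difference from the plan: the old certificate is removed only after the replacement is confirmed Valid and bound to SMTP, and -Services takes a comma-separated list.

```powershell
# Added example, not code from the thread. Run in the Exchange Management
# Shell on the server that logged event 12017, once per expiring certificate.
# Assumptions: the placeholder thumbprint, the C:\certs paths and the $UseCA
# switch are this example's own; New-ExchangeCertificate and
# Import-ExchangeCertificate are used as in their Exchange 2007 documentation.
param(
    [string]$OldThumbprint  = '18A7000000000000000000000000000000000000',  # placeholder, 40 hex chars
    [bool]  $UseCA          = $false,   # $true: request/import from your own CA (Rich's advice)
    [string]$RequestPath    = 'C:\certs\renew.req',
    [string]$IssuedCertPath = 'C:\certs\renew.cer'
)

$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
"Replacing {0}: subject {1}, expires {2}, services {3}" -f `
    $old.Thumbprint, $old.Subject, $old.NotAfter, $old.Services

if (-not $UseCA) {
    # Self-signed path (what the thread ended up doing): clone subject and
    # domain names from the old certificate into a new one. It is created
    # but not yet bound to any service, so nothing changes until Enable.
    $new = $old | New-ExchangeCertificate -PrivateKeyExportable $true
}
else {
    # CA path: write a request, get it signed, import the issued cert.
    # The request alone creates no usable certificate.
    $domains = $old.CertificateDomains | ForEach-Object { "$_" }
    New-ExchangeCertificate -GenerateRequest -Path $RequestPath `
        -SubjectName $old.Subject -DomainName $domains `
        -PrivateKeyExportable $true | Out-Null
    Read-Host "Submit $RequestPath to the CA, save the issued certificate as $IssuedCertPath, then press Enter" | Out-Null
    $new = Import-ExchangeCertificate -Path $IssuedCertPath
}
$newThumbprint = $new.Thumbprint

# Bind the services. Exchange may ask before overwriting the default SMTP
# certificate; answering Yes is the intended cut-over.
Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services IMAP,POP,SMTP

# Verify before touching the old certificate: the replacement must be Valid,
# have its private key, and actually carry the SMTP binding.
$check = Get-ExchangeCertificate -Thumbprint $newThumbprint
if ($check.Status -ne 'Valid' -or -not $check.HasPrivateKey -or ($check.Services -notmatch 'SMTP')) {
    throw "Replacement $newThumbprint failed verification; $OldThumbprint left in place."
}

# Only now retire the expiring certificate and restart transport so it
# re-reads the certificate store (step 5 of the plan).
Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false
Restart-Service MSExchangeTransport

# Final state of everything still bound to SMTP.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-List Thumbprint, Subject, Issuer, IsSelfSigned, NotAfter, Services
```

Run it twice for the two thumbprints in this thread. With $UseCA set to $true the script pauses after writing the request file so the CA can issue the certificate; the old certificate stays bound for the whole wait, so mail flow is not interrupted.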
  • Hi Rich, I had replaced the CA information with xyz and removed a lot of the thumbprint information for security reasons. All other information is unaltered.

    OK, I will create new certificates and enable them.

    Friday, April 27, 2012 1:04 AM
  • OK, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer: CN=xyz-xyz123-CA." Both of them say CN=Sites.

    Will that affect the operation of the certificates?

    Thanks mucho Rich!

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {Sites, xyz-xyz123.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Sites
    NotAfter           : 4/26/2017 6:28:12 PM
    NotBefore          : 4/26/2012 6:28:12 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 1A56F875D7ED17BE4E95D7C89C98653F
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=Sites
    Thumbprint         : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {Sites, xyz-xyz123.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=Sites
    NotAfter           : 4/26/2017 6:20:17 PM
    NotBefore          : 4/26/2012 6:20:17 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 436330ED97B389A4452B4B670DB0EE00
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=Sites
    Thumbprint         : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Friday, April 27, 2012 1:39 AM
  • On Fri, 27 Apr 2012 01:39:30 +0000, exchange 2007 user wrote:
     
    >Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.
    >
    >Will that affect the operation of the certificates?
     
    It shouldn't.
     
     
    >
    >Thanks mucho Rich!
    >
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Friday, April 27, 2012 1:46 AM
  • There are no more event id 12017 entries in the application log since the certificate renewals. 

    Thanks again Rich!

    Sunday, April 29, 2012 5:37 PM