event 25 / 26

  • Question

  • My SBS2011 server has been running beautifully for two years but I'm suddenly receiving events 25 and 26 stating that a certificate will expire soon:

    The Exchange certificate [Subject]
    CN=Sites
    [Issuer]
    CN=name omitted-SBS2011-CA
    [Serial Number]
    611A3774000000000002
    [Not Before]
    3/30/2013 3:17:11 PM
    [Not After]
    3/30/2015 3:17:11 PM

    The Exchange certificate [Subject]
    CN=name omitted
    [Issuer]
    CN=name omitted-SBS2011-CA
    [Serial Number]
    149A2C07000000000006
    [Not Before]
    4/8/2013 2:29:38 PM
    [Not After]
    4/8/2015 2:29:38 PM

    How do I resolve this?



    Tuesday, March 24, 2015 1:11 AM


All replies

  • I'm also getting 12018 events stating the following:

    The STARTTLS certificate will expire soon:
    subject: SBS2011.name omitted, thumbprint:
    471D2D3289B3745E274CE8C2A0C680632480C50D, hours remaining: 374. Run the
    New-ExchangeCertificate cmdlet to create a new certificate.

    Tuesday, March 24, 2015 1:14 AM
  • BTW, when I built this server I purchased a public cert that handles IMAP, POP, IIS, SMTP. Can I just delete all of the self-signed certs?

    Tuesday, March 24, 2015 1:43 AM
  • Hi,

    Yes, remove the old certificates.

    The following steps can be used in Exchange Management Shell to manually remove the old certificate.
    Open Exchange Shell with Elevated Permission

    Get-ExchangeCertificate | FL
    Look for old Certificate and thumbprint

    Remove-ExchangeCertificate -Thumbprint 'OldCertificateThumbprint'


    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Marked as answer by Don Powell Tuesday, March 24, 2015 10:37 PM
    Tuesday, March 24, 2015 1:54 PM
  • So if I have all of the following certs installed but the public (DigiCert) certificate handles IMAP, POP, IIS, SMTP can I just delete all of the private certs and leave only the public or do I need to remove them only after they have expired?

    [PS] C:\Windows\system32>Get-ExchangeCertificate |FL

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {SBS2011.name changed}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=name changed-SBS2011-CA
    NotAfter           : 1/5/2016 11:33:18 PM
    NotBefore          : 1/5/2015 11:33:18 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 189668EC000000000009
    Services           : None
    Status             : Valid
    Subject            : CN=SBS2011.name changed
    Thumbprint         : DA204452F4FD5432CF35B17645D7A08D8DF54602

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {name changed, SBS2011.name changed}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=name changed-SBS2011-CA
    NotAfter           : 4/8/2015 2:41:39 PM
    NotBefore          : 4/8/2013 2:41:39 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 14A52B6B000000000007
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=name changed
    Thumbprint         : 471D2D3289B3745E274CE8C2A0C680632480C50D

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {name changed, SBS2011.name changed}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=name changed-SBS2011-CA
    NotAfter           : 4/8/2015 2:29:38 PM
    NotBefore          : 4/8/2013 2:29:38 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 149A2C07000000000006
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=name changed
    Thumbprint         : F2505746FC6D58BDFCA37AC2E7AE0824B830439A

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mresource.int, SBS2011.mresource.int}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=name changed-SBS2011-CA
    NotAfter           : 4/8/2015 2:24:33 PM
    NotBefore          : 4/8/2013 2:24:33 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 1495882A000000000005
    Services           : SMTP
    Status             : Valid
    Subject            : CN=mresource.int
    Thumbprint         : 01C956976AC4E468D2F93B6347CDEBDEC6805FEE

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {name changed}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
    NotAfter           : 6/3/2016 5:00:00 AM
    NotBefore          : 3/30/2013 5:00:00 PM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 0EB271E1F6D3FE945B7612A280EF4709
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=name changed, OU=IT Dept, O="name changed", L=Torrance, S=California, C=US
    Thumbprint         : 47E151048A95AADFE6730EB3F51D84A866C87077

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {Sites, SBS2011.name changed}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=name changed-SBS2011-CA
    NotAfter           : 3/30/2015 3:17:11 PM
    NotBefore          : 3/30/2013 3:17:11 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 611A3774000000000002
    Services           : SMTP
    Status             : Valid
    Subject            : CN=Sites
    Thumbprint         : 3E626C875970574AA9EB055ED40170474A93CDB4

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {name changed-SBS2011-CA}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=name changed-SBS2011-CA
    NotAfter           : 3/30/2018 3:26:51 PM
    NotBefore          : 3/30/2013 3:16:52 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 628410473B8F9F9F49DCC5BAFF088EF9
    Services           : None
    Status             : Valid
    Subject            : CN=name changed-SBS2011-CA
    Thumbprint         : 27493C135EF2A1F2A631E76E1AE0A3CBD8292627

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-WIN-U0D30BQGL8H}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-WIN-U0D30BQGL8H
    NotAfter           : 3/28/2023 10:36:34 AM
    NotBefore          : 3/30/2013 10:36:34 AM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 7E00888EFE965B9B428B48B07E398549
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-WIN-U0D30BQGL8H
    Thumbprint         : C27DE8809F84E4D353BCCAE3E6C7268705DA18B5

    [PS] C:\Windows\system32>


    Tuesday, March 24, 2015 10:43 PM
  • Glad you got it fixed: ideally Self Assigned Certificate is there to make things useful for those IT Consultants who are not willing to buy CA certs.

    Read more about:

    http://sbs.seandaniel.com/2008/07/understanding-self-issued-certificates.html

    http://www.hostway.com/support-center/enterprise/Managed-Servers/SSL/Signed-and-Self-signed-Certificates/signed-and-self-signed-certificates.htm

     

    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, March 25, 2015 4:51 AM
  • Both excellent reads. But I'm still uncertain as to whether I'm safe to remove all of the certs besides the signed cert (listed at the bottom of the image). I see that some of the self-signed certs relate to services (IMAP, POP, SMTP) that are already covered by the signed cert at the bottom. Are they required or does the Digicert cert handle everything?

    Wednesday, March 25, 2015 11:15 AM
  • Digicert is fully capable of handling IIS, SMTP, IMAP, POP requests.

    Just need to make sure the following step is done:

    Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services "POP, IMAP, IIS, SMTP"


    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Proposed as answer by Susie Long Monday, March 30, 2015 6:52 AM
    • Marked as answer by Don Powell Monday, March 30, 2015 10:58 AM
    Wednesday, March 25, 2015 3:29 PM
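
An added example, not part of the original thread: a read-only check, before any Remove-ExchangeCertificate call, that every service on an expiring certificate is also assigned to another certificate that stays valid past the warning window. The function name `Get-ExpiringCertCoverage`, its parameters and the sample objects are assumptions made for illustration; the property names are the ones shown in the `Get-ExchangeCertificate | FL` listing above.

```powershell
# Added example (not from the thread). Read-only: it reports, it removes nothing.
function Get-ExpiringCertCoverage {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Certificate,
        [datetime] $AsOf = (Get-Date),
        [int] $WarnDays = 30
    )
    $cutoff = $AsOf.AddDays($WarnDays)
    foreach ($c in $Certificate) {
        if ($c.NotAfter -gt $cutoff) { continue }   # not expiring soon, skip
        # Services renders as "IMAP, POP, SMTP" or "None"; split into names.
        $svcs = @("$($c.Services)" -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
        # A service is uncovered if no other, longer-lived certificate has it.
        $uncovered = @(foreach ($s in $svcs) {
            $other = $Certificate | Where-Object {
                $_.Thumbprint -ne $c.Thumbprint -and
                $_.NotAfter -gt $cutoff -and
                ("$($_.Services)" -split ',\s*') -contains $s
            }
            if (-not $other) { $s }
        })
        New-Object PSObject -Property @{
            Thumbprint      = $c.Thumbprint
            NotAfter        = $c.NotAfter
            Services        = ($svcs -join ', ')
            Uncovered       = ($uncovered -join ', ')
            ServicesCovered = ($uncovered.Count -eq 0)
        }
    }
}

# Constructed sample shaped like the Get-ExchangeCertificate | FL listing above;
# thumbprints are placeholders. On the server, pass (Get-ExchangeCertificate) instead.
$sample = @(
    (New-Object PSObject -Property @{ Thumbprint='INTERNAL-CA-1'; NotAfter=[datetime]'2015-04-08'; Services='IMAP, POP, SMTP' }),
    (New-Object PSObject -Property @{ Thumbprint='INTERNAL-CA-2'; NotAfter=[datetime]'2015-03-30'; Services='SMTP' }),
    (New-Object PSObject -Property @{ Thumbprint='INTERNAL-CA-3'; NotAfter=[datetime]'2016-01-05'; Services='None' }),
    (New-Object PSObject -Property @{ Thumbprint='PUBLIC-CA';     NotAfter=[datetime]'2016-06-03'; Services='IMAP, POP, IIS, SMTP' })
)
Get-ExpiringCertCoverage -Certificate $sample -AsOf ([datetime]'2015-03-24') |
    Format-Table Thumbprint, NotAfter, Services, ServicesCovered -AutoSize
```

`ServicesCovered` means only that another certificate lists the same services; it does not inspect anything else on the server that may still reference the expiring certificate.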
  • So I finally got up the courage to remove the expired certs. The two certs listed as Services - None deleted just fine. However when I tried to remove the expired cert listed as Services - SMTP it gave me the following:

    Per below I already have a Digicert SMTP cert (as well as IIS, IMAP, and POP) so I'm not certain if I need two SMTP certs and, if not, how to remove the expired one.

    Saturday, April 11, 2015 2:17 PM