I have Exchange 2007. Getting "TLS certificate is about to expire" but I have a third-party CA-issued cert as well

  • Question

  • I have a bunch of certs showing up in Exchange. Many are expired. I recently started getting an event log message 

    The STARTTLS certificate will expire soon: subject: internalservername.domain.com <changed for security reasons> hours remaining: Blah blah thumbprint. Run the New-ExchangeCertificate cmdlet to create a new certificate

    I found the corresponding cert and it has the internal name of the Exchange server and expires in a month. I found a few others that expired already and are not causing ill effects. This is the last one however for the INTERNAL name.

    We also have a RapidSSL-issued cert for our mail.domain.com external FQDN. This is configured in Exchange to service SMTP (as were all the others). My question is: will it just use the RapidSSL-issued cert when the internal one expires, or do I need to renew it?

    We are going to Exchange 2010 soon and I really prefer not to touch the existing environment any more than I have to.

    When that internal cert expires, is mail going to stop flowing, or is it a useless cert that does nothing?

    I am not very comfortable with PowerShell so if there is a GUI way to do this, that would be appreciated. If not, I will take my chances.

    Wednesday, June 19, 2013 3:57 PM

Answers

  • I have a bunch of certs showing up in Exchange. Many are expired. I recently started getting an event log message 

    The STARTTLS certificate will expire soon: subject: internalservername.domain.com <changed for security reasons> hours remaining: Blah blah thumbprint. Run the New-ExchangeCertificate cmdlet to create a new certificate

    I found the corresponding cert and it has the internal name of the Exchange server and expires in a month. I found a few others that expired already and are not causing ill effects. This is the last one however for the INTERNAL name.

    We also have a RapidSSL-issued cert for our mail.domain.com external FQDN. This is configured in Exchange to service SMTP (as were all the others). My question is: will it just use the RapidSSL-issued cert when the internal one expires, or do I need to renew it?

    We are going to Exchange 2010 soon and I really prefer not to touch the existing environment any more than I have to.

    When that internal cert expires, is mail going to stop flowing, or is it a useless cert that does nothing?

    I am not very comfortable with PowerShell so if there is a GUI way to do this, that would be appreciated. If not, I will take my chances.

    It's the Exchange self-signed cert. This should take care of it.

    Get-ExchangeCertificate -Thumbprint <The Thumbprint in the error message that is about to expire> | New-ExchangeCertificate


    --- Rich Matheisen MCSE&I, Exchange MVP

    Sunday, June 23, 2013 4:10 PM
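    The renewal the accepted answer describes, written out as an added example with a before/after check (this is not code from the thread or from Microsoft's documentation). It assumes the Exchange 2007 Management Shell on the server that logged the event; $oldThumb is a placeholder to be replaced with the thumbprint from the "STARTTLS certificate will expire soon" event.

```powershell
# Added example, not code from the thread: renew the expiring self-signed
# certificate the way the accepted answer describes, then verify the result.
# Run in the Exchange Management Shell on the Exchange 2007 server.
# $oldThumb is a PLACEHOLDER; use the thumbprint from the
# "STARTTLS certificate will expire soon" event (or from Get-ExchangeCertificate).
$oldThumb = "0000000000000000000000000000000000000000"

# 1. Look before changing anything: confirm the thumbprint really is the
#    self-signed, SMTP-enabled certificate for the server's internal name.
$old = Get-ExchangeCertificate -Thumbprint $oldThumb
$old | Format-List Subject, CertificateDomains, IsSelfSigned, Services, NotAfter, Status

# 2. Clone it. Piping the existing certificate into New-ExchangeCertificate
#    issues a fresh self-signed certificate with the same names and services.
$new = $old | New-ExchangeCertificate

# 3. Verify the replacement: same subject, still enabled for SMTP, new expiry.
$new | Format-List Subject, CertificateDomains, IsSelfSigned, Services, NotAfter, Thumbprint

# 4. Show old and new side by side. The old certificate stays in the store
#    and simply ages out; nothing else on the server needs to change.
Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $old.Subject } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, IsSelfSigned, Services, NotBefore, NotAfter, Status -AutoSize
```

    Step 1 is the part worth not skipping: the event only gives a thumbprint, and the listing later in this thread shows several self-signed certificates with the same CN, so confirm the subject and the Services value before cloning. If New-ExchangeCertificate asks whether to overwrite the existing default SMTP certificate, that prompt refers to the certificate being replaced, which is the intended outcome here.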

All replies

  • Output from Get-ExchangeCertificate | FL, edited to remove all identifiable info.

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {exchangeservername, exchangeservername.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=exchangeservername
    NotAfter           : 7/16/2013 3:37:15 PM
    NotBefore          : 7/16/2012 3:37:15 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : Serial Number
    Services           : SMTP
    Status             : Valid
    Subject            : CN=exchangeservername
    Thumbprint         : The Thumbprint in the error message that is about to expire. This is the one

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {FQDN.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
    NotAfter           : 7/18/2014 3:34:48 PM
    NotBefore          : 7/15/2012 4:17:13 PM
    PublicKeySize      : 4096
    RootCAType         : ThirdParty
    SerialNumber       : 
    Services           : SMTP
    Status             : Valid
    Subject            : CN=fqdn.domain.com, OU=Domain Control Validated - R
                         apidSSL(R), OU=See www.rapidssl.com/resources/cps (c)12, O
                         U=GT42144578, SERIALNUMBER=
    Thumbprint         : 

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {exchangeservername, exchangeservername.co.name.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=exchangeservername
    NotAfter           : 6/5/2013 11:44:27 AM
    NotBefore          : 6/5/2012 11:44:27 AM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=exchangeservername
    Thumbprint         : 

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {FQDN}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : C=US, S=name, L=name, O=co.name.domain.com, OU=exchangeserver.co.name.domain.com, CN=FQDN
    NotAfter           : 4/11/2013 1:57:40 PM
    NotBefore          : 4/11/2012 1:37:40 PM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 
    Services           : None
    Status             : Invalid
    Subject            : C=US, S=name, L=name, O=co.name.domain.com, OU=
                         exchangeserver.co.name.domain.com, CN=FQDN
    Thumbprint         : 

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {exchangeservername, exchangeservername.co.name.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=exchangeservername
    NotAfter           : 2/10/2012 7:14:23 PM
    NotBefore          : 2/10/2011 7:14:23 PM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=exchangeservername
    Thumbprint         : 

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {exchangeservername, exchangeservername.co.name.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=exchangeservername
    NotAfter           : 1/13/2010 9:53:24 AM
    NotBefore          : 1/13/2009 9:53:24 AM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=exchangeservername
    Thumbprint         : 

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {exchangeservername, exchangeservername.co.name.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=exchangeservername
    NotAfter           : 1/12/2010 3:44:21 PM
    NotBefore          : 1/12/2009 3:44:21 PM
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=exchangeservername
    Thumbprint         : 

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {fqdn.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure 
                         Inc., C=US
    NotAfter           : 4/4/2013 2:19:37 PM
    NotBefore          : 2/4/2008 2:19:37 PM
    PublicKeySize      : 1024
    RootCAType         : ThirdParty
    SerialNumber       : 
    Services           : SMTP
    Status             : DateInvalid
    Subject            : CN=fqdn.domain.com, OU=Domain Control Validated - R
                         apidSSL(R), OU=See www.rapidssl.com/resources/cps (c)08, O
                         U=GT42144578, O=fqdn.domain.com, C=US
    Thumbprint         : 

    Wednesday, June 19, 2013 4:14 PM
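    An added example, not part of this post, that triages a listing like the one above instead of reading eight Format-List blocks by eye, and then answers the "which cert will actually be used?" question by matching each SMTP connector's FQDN against the certificates that carry that name. It assumes the Exchange 2007 Management Shell; the 30-day threshold is my own choice and does not come from the thread.

```powershell
# Added example, not code from the thread: triage the Get-ExchangeCertificate
# output and map connector FQDNs to candidate certificates.
# Exchange 2007 Management Shell; the threshold below is constructed for
# this example.
$warnDays = 30

# One row per certificate, with days-to-expiry computed from NotAfter.
$certs = Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, IsSelfSigned, Services, Status, NotAfter,
        @{ Name = "DaysLeft"; Expression = { [int](($_.NotAfter - (Get-Date)).TotalDays) } }

"== All certificates, soonest expiry first"
$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, IsSelfSigned, Services, Status, DaysLeft -AutoSize

"== Valid, SMTP-enabled, self-signed, expiring within $warnDays days (what the event warns about)"
$certs | Where-Object {
    $_.IsSelfSigned -and ($_.Services -match "SMTP") -and
    $_.Status -eq "Valid" -and $_.DaysLeft -le $warnDays
} | Format-Table Thumbprint, Subject, NotAfter -AutoSize

"== Already invalid or expired (removable later with Remove-ExchangeCertificate -Thumbprint <thumbprint>)"
$certs | Where-Object { $_.Status -ne "Valid" } |
    Format-Table Thumbprint, Subject, IsSelfSigned, Services, Status -AutoSize

# Which certificate a connector would present: Hub Transport matches the
# connector's FQDN against CertificateDomains, so list, per connector FQDN,
# the certificates that carry that name. -DomainName filters by that name.
$fqdns = @()
Get-ReceiveConnector | ForEach-Object { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }
Get-SendConnector    | ForEach-Object { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }
foreach ($name in ($fqdns | Sort-Object -Unique)) {
    "== Certificates matching connector FQDN $name"
    Get-ExchangeCertificate -DomainName $name |
        Sort-Object NotAfter -Descending |
        Format-Table Thumbprint, IsSelfSigned, Services, NotAfter, Status -AutoSize
}
```

    Read the last section against the question in this thread: the RapidSSL certificate carries only the external FQDN, so a connector whose FQDN is the server's internal name can only be served by one of the self-signed certificates, which is why the expiring internal one still matters even with a third-party certificate enabled for SMTP.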
  • If the 3rd party cert (looks like it's from Equifax) is enabled for SMTP (and it looks like it is), would any of the self-signed certificates even come into play?

    I've seen this type of question asked more than once - and don't see the importance of the self-signed certificate (IF you have a 3rd party cert for SMTP - if you don't = different story).


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Sunday, June 23, 2013 8:10 PM
  • If the 3rd party cert (looks like it's from Equifax) is enabled for SMTP (and it looks like it is), would any of the self-signed certificates even come into play?

    I've seen this type of question asked more than once - and don't see the importance of the self-signed certificate (IF you have a 3rd party cert for SMTP - if you don't = different story).


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    It does. IIRC it's the one used by the "virtual" send connector. At the very least it gets rid of the event log stuff. :-)

    --- Rich Matheisen MCSE&I, Exchange MVP

    Tuesday, June 25, 2013 2:06 AM