TLS Certificate question - event ID 12016

  • Question

  • Hi,

    We have started to receive event ID 12016 from MSExchangeTransport in the event log of both our Hub Transport servers recently, after our externally signed CA certificate expired.  This certificate was used for securing our OWA and Windows Mobile devices and was created/imported using the IIS snap-in (however, I now understand this is not best practice).

    We generated a new certificate (again using IIS) and installed it without any problems; OWA etc. started working again, however these errors started to appear.  Upon further investigation, running the Get-ExchangeCertificate cmd, I can see there are several certificates on the server - two are self-signed and have both expired (a long time ago), and there are two other certificates, which are 1) the new certificate we bought from an external CA to fix OWA (a) and 2) the old certificate that expired, which we bought from a public CA for our OWA (b).

    Looking at the services for each certificate, certificate B has I, P and S, and the new certificate, A, has I, P and W.  My first thought is that because certificate B had the FQDN of the server as part of its SAN names, and also the NetBIOS name of the server, and also the S service enabled, it was using this for TLS, and when it expired it could not find another valid certificate with S enabled?  My confusion is how the services could be different for two identical certificates?

    To resolve the issue I am thinking I could amend the services of certificate A to include SMTP so it has I, P, W and S? Exchange can then use this publicly signed certificate for everything - Web, SMTP, IMAP and POP? And then remove all the ones that have expired and are no longer valid?  Does this make sense?  Certificate A has the same SAN names as certificate B.

    Thanks in advance

    Brian

    Thursday, August 19, 2010 9:33 AM

Answers

  • If the commercial certificate has all of the names on it, then I would enable that for everything and remove the expired certificates.
    Exchange will allow multiple certificates for the SMTP service, and if you have an expired certificate still enabled, you will get the message in the event viewer. Expired certificates should be removed.

    Simon.


    Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
    • Proposed as answer by Allen Song Monday, August 23, 2010 8:49 AM
    • Marked as answer by Allen Song Friday, August 27, 2010 9:25 AM
    Thursday, August 19, 2010 3:16 PM
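The steps Simon describes (bind the commercial certificate to every service, then remove the expired ones), written out as Exchange Management Shell commands. This is an added example, not a script from the thread or from Microsoft; the thumbprint is a placeholder to be read from the Get-ExchangeCertificate output, and the cmdlets and properties used (Get-ExchangeCertificate, Enable-ExchangeCertificate, Remove-ExchangeCertificate, Services, NotAfter, CertificateDomains) are the standard Exchange 2007/2010 ones.

```powershell
# Added example (not from the thread): inventory the certificates on a Hub Transport
# server, bind the valid commercial certificate to every service, then remove the
# expired certificates that trigger event ID 12016.
# Run in the Exchange Management Shell on each Hub Transport server.

# 1. Inventory: which certificates exist, what services they are bound to, when they expire.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, Subject, IsSelfSigned -AutoSize

# Certificates that are already expired but still bound to services are the ones
# Transport complains about; collect them before touching anything.
$expired = Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt (Get-Date) }
$expired | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize

# 2. Bind the valid commercial certificate (certificate "A" in the question) to SMTP
#    as well as IIS, POP and IMAP, so a single certificate serves everything.
$commercialThumbprint = "<THUMBPRINT-OF-CERTIFICATE-A>"   # placeholder, read from step 1
Enable-ExchangeCertificate -Thumbprint $commercialThumbprint -Services "SMTP, IIS, POP, IMAP"

# Check that the names Transport will present (server FQDN, NetBIOS name) are on it;
# a certificate bound to SMTP without the connector FQDN will still log 12016.
Get-ExchangeCertificate -Thumbprint $commercialThumbprint |
    Select-Object Thumbprint, Services, CertificateDomains

# 3. Remove the expired certificates, only after step 2 so no service is left without
#    a valid certificate. Re-check the event log afterwards for further 12016 entries.
foreach ($cert in $expired) {
    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
}
```

Running step 1 on both Hub Transport servers first answers the question in the original post: the Services column shows exactly which certificate, expired or not, is still bound to SMTP on each server.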
  • Hello Brian,

    Yes, I agree with Sembee. Please remove the expired certificate; otherwise you will get Event ID 12016 for the expired certificate.

    You can create a self-signed certificate for SMTP with the proper FQDN and enable it. As for TLS for OWA, request a certificate from an external CA and then enable that certificate on the server.



    EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
    • Proposed as answer by Allen Song Monday, August 23, 2010 8:49 AM
    • Marked as answer by Allen Song Friday, August 27, 2010 9:25 AM
    Friday, August 20, 2010 1:59 AM

All replies

  • Hi,

    AFAIK, to resolve this error, you must use the New-ExchangeCertificate cmdlet to create a new TLS certificate for the fully qualified domain name (FQDN) for the connector on the computer that returned this Error event. For more information, see

    Creating a Certificate or Certificate Request for TLS.


    I hope this will help you.


    Regards.

    Shafaquat Ali.


    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, URL: http://blog.WhatDoUC.net Phone: +923008210320
    Thursday, August 19, 2010 10:31 AM
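The alternative both this reply and the second answer describe (a self-signed certificate whose names match the connector FQDN, bound to SMTP) as Exchange Management Shell commands. This is an added example, not from the thread or from Microsoft; the hostnames are placeholders, and the cmdlets and parameters used (Get-ReceiveConnector, Get-SendConnector, New-ExchangeCertificate with -SubjectName, -DomainName, -Services and -PrivateKeyExportable) are the standard Exchange 2007/2010 ones.

```powershell
# Added example (not from the thread): issue a self-signed certificate that carries the
# connector FQDN and NetBIOS name, bind it to SMTP, and verify the binding.
# Run in the Exchange Management Shell on the server that logged event ID 12016.

$serverFqdn = "hub01.corp.example.com"   # placeholder: this Hub Transport server's FQDN
$netbiosName = "hub01"                   # placeholder: its NetBIOS name

# The FQDN each connector presents must appear on the certificate bound to SMTP;
# list them first so the names below can be matched against them.
Get-ReceiveConnector -Server $env:COMPUTERNAME | Format-Table Name, Fqdn -AutoSize
Get-SendConnector | Format-Table Name, Fqdn -AutoSize

# Create the self-signed certificate with both names and bind it to the SMTP service.
# Keeping the private key non-exportable limits what can be done with it if the
# server is compromised.
$cert = New-ExchangeCertificate -SubjectName "CN=$serverFqdn" `
    -DomainName $serverFqdn, $netbiosName `
    -Services SMTP `
    -PrivateKeyExportable $false

# Verify: the new certificate is bound to SMTP, lists the expected names and is valid.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotBefore, NotAfter
```

Self-signed certificates are fine for server-to-server SMTP inside the organisation, where both Hub Transport servers trust each other's certificates; for OWA and mobile clients the externally issued certificate is still the one to bind to IIS, as the replies above say.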