Certificate

I will explain my environment and maybe someone can give me a good answer to my questions.

I'm currently running Exchange 2007/2013 coexistence and slowly migrating my users over to Exchange 2013. However, I noticed transport errors in the event log on the Exchange 2007 server:

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of exchange01.mydomain.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of exchange01.mydomain.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

So if I launch mmc and the Certificates snap-in, under Trusted Publishers --> Certificates, the "Microsoft Corporation: Microsoft Code Signing PCA" certificate has expired as of today. I see a couple of different ways of updating this certificate; which approach would be the best, easiest, etc.?

1. Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate

2. New-ExchangeCertificate

Thanks

April 24th, 2015 10:04am

You can simply run new-exchangecertificate and it will prompt you to apply SMTP to it. It will create a self-signed cert.

If you require a 3rd-party or internal PKI cert, you will need to create a new CSR and process the request through your CA or 3rd-party provider.

April 24th, 2015 10:09am
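The CA-issued route mentioned in the answer above, written out as an added example (not from the thread): generate the CSR on the Exchange 2007 server that logged the event, import the issued certificate on the same server, and bind it to SMTP. The host names come from the thread's Get-ExchangeCertificate output; the O/C values, friendly name and file paths are assumptions, and the -Path parameters are Exchange 2007 syntax.

```powershell
# Added example: request and install a CA-issued certificate covering the transport FQDN
# on Exchange 2007. Run in the Exchange Management Shell on exchange01, the server that
# logged the event. Host names are from the thread; O/C, friendly name and paths are
# illustrative.
$names = "mail.mydomain.com", "autodiscover.mydomain.com", "legacy.mydomain.com",
         "exchange01.mydomain.com", "exchange01"

# 1. Generate the CSR. The private key is created on this server, so the signed
#    certificate must be imported here as well. 2048-bit key; -PrivateKeyExportable lets
#    the finished certificate be exported as a PFX for the Exchange 2013 server later.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.mydomain.com, O=Example Org, C=US" `
    -DomainName $names `
    -FriendlyName "Exchange 2007 SMTP/IIS" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path "C:\Certs\exchange01.req"

# 2. Submit C:\Certs\exchange01.req to the CA and save the issued certificate as
#    C:\Certs\exchange01.cer. Import it on this server and bind it to SMTP (add
#    IIS, POP, IMAP here if it is to replace the web certificate too).
$cert = Import-ExchangeCertificate -Path "C:\Certs\exchange01.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 3. Verify: the FQDN named in the event must now sit on a Valid certificate with SMTP.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List CertificateDomains, IsSelfSigned, Services, Status, NotAfter
```

If Status shows Invalid rather than Valid after the import, the issuing CA's chain is not trusted on the server; fix that before assigning services, because transport will otherwise keep falling back to whatever other certificate matches the FQDN.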

Thanks for the quick response! Excuse my ignorance, but does it matter which Exchange server I run this on? The event logs only show this error on the Exchange 2007 server and I don't see the same on Exchange 2013. And would the first option "Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate" keep the same values and just renew it?

Thanks

April 24th, 2015 10:26am

Run it on the server that has the expired cert.

If you are renewing the self-signed cert for SMTP, you can simply run new-exchangecertificate.

April 24th, 2015 10:50am

The cert that has expired might not be relevant to my environment.

If I run Get-ExchangeCertificate on both servers, that thumbprint does not show up on either of the servers.

Thumbprint of the expired cert:

10 8e 2b a2 36 32 62 0c 42 7c 57 0b 6d 9d b5 1a c3 13 87 fe

Exchange 2013

Thumbprint                                Services   Subject
----------                                --------   -------
BD2928A37ACC2629CB7671FC0CE7DEB69FC460CA  ....S..    CN=Microsoft Exchange Server Auth Certificate
15A55EE62794744D897AEC0A7D3374144FF56D2F  ...WS..    CN=Exchange-Server01
D876838DCBF56469B8040DDA32ACE8A00447D44E  .......    CN=WMSvc-Exchange-Server01
92E1C956111C5AB4F8CB7E81BDEB1F293FF7AE01  IP.WS..    CN=mail.mydomain.com.com, O=

Exchange 2007
Thumbprint                                Services   Subject
----------                                --------   -------
92E1C956111C5AB4F8CB7E81BDEB1F293FF7AE01  IP.W.      CN=mail.mydomain.com...
649F206331855B4C8616FA12A9C90333A19EBB12  .....      C=US, S=, L...
B839FF2AFA974971024A8030A92E36E7666ED209  ....S      CN=mail.mydomain.com...
581CFF57EE41C9361F54622C9B071D2760CDB6C4  ....S      CN=mail.mydomain.com...
D756E78C698589B3DD102491158AE4538F118D51  ....S      CN=mail.mydomain.com...
10B35F2712DF99A8FB14262C4AD7335016ED2A1E  .....      C=US, S=Pennsylvania, L...
D7EF42E47BAB45197A1EAA160E61133C47B62014  ....S      CN=Exchange-Server02
1E76A789C0ADE4BA9CBA2E62327A4255806CF37E  ....S      CN=mail.mydomain.com...

Looks like I could probably remove that cert. My Exchange certs are all under Personal --> Certificates, and the one that is expired is under Trusted Publishers --> Certificates.

Thanks

April 24th, 2015 11:08am

Hi,

If this expired certificate isn't listed in the results of the Get-ExchangeCertificate cmdlet, please make sure there is another valid, unexpired certificate with the namespace exchange01.mydomain.com on it, and that this certificate is assigned the SMTP service. To double-check this, please run:

Get-ExchangeCertificate | fl CertificateDomains,IsSelfSigned,Services,Status,Thumbprint

Then we can remove this expired certificate under Trusted Publishers --> Certificates and try again. Restart the Microsoft Exchange Transport service on Exchange 2007.

Regards,

April 27th, 2015 5:46am

This is my Exchange 2007 output

CertificateDomains : {mail.mydomain.com, autodiscover.mydomain.com, legacy.mydomain.com}
IsSelfSigned       : False
Services           : IMAP, POP, IIS
Status             : Valid
Thumbprint         : 92E3C056184C5AB4F8CB9E81TDEC1F293FF7AE01

CertificateDomains : {mail.mydomain.com}
IsSelfSigned       : True
Services           : None
Status             : Valid
Thumbprint         : 649F206341755H4C8616FB17A9C10333A19FBB12

CertificateDomains : {mail.mydomain.com, exchange01, exchange01.mydomain.com, autodiscover.mydomain.com, autodiscover.mydomain.com, exchange01.mydomain.com}
IsSelfSigned       : False
Services           : SMTP
Status             : DateInvalid
Thumbprint         : B839FF2AFA974971024A8030A92E36E7666ED209

CertificateDomains : {mail.mydomain.com, exchange01, autodiscover.mydomain.com, exchange01.mydomain.com}
IsSelfSigned       : False
Services           : SMTP
Status             : DateInvalid
Thumbprint         : 581CFF57EE41C9361F54622C9B071D2760CDB6C4

CertificateDomains : {mail.mydomain.com, exchange01, autodiscover.mydomain.com, exchange01.mydomain.com, exchange01.mydomain.com, autodiscover.mydomain.com}
IsSelfSigned       : False
Services           : SMTP
Status             : DateInvalid
Thumbprint         : D756E78C698589B3DD102491158AE4538F118D51

CertificateDomains : {mail.mydomain.com, exchange01, exchange01.mydomain.com, autodiscover.mydomain.com, autodiscover.mydomain.com}
IsSelfSigned       : True
Services           : None
Status             : Invalid
Thumbprint         : 10B35F2712DF99A8FB14262C4AD7335016ED2A1E

CertificateDomains : {exchange01, exchange01.mydomain.com}
IsSelfSigned       : True
Services           : SMTP
Status             : Invalid
Thumbprint         : D7EF42E47BAB45197A1EAA160E61133C47B62014

CertificateDomains : {mail.mydomain.com}
IsSelfSigned       : False
Services           : SMTP
Status             : Invalid
Thumbprint         : 1E76A789C0ADE4BA9CBA2E62327A4255806CF37E

And this is my Exchange 2013 output


CertificateDomains : {}
IsSelfSigned       : True
Services           : SMTP
Status             : Valid
Thumbprint         : BD4348A37ACG1978CB7671FC0CE7DEB69FC320CA

CertificateDomains : {Exchange02, Exchange02.mydomain.com}
IsSelfSigned       : True
Services           : IIS, SMTP
Status             : Valid
Thumbprint         : 15A55EE62195723D897AEC0A7D33009913FF56D2F

CertificateDomains : {WMSvc-Exchange02}
IsSelfSigned       : True
Services           : None
Status             : Valid
Thumbprint         : D876033DCBF56469C8046BDA32ACE8A00147D44E

CertificateDomains : {mail.mydomain.com, autodiscover.mydomain.com, legacy.mydomain.com}
IsSelfSigned       : False
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Thumbprint         : 92E3C056184C5AB4F8CB9E81TDEC1F293FF7AE01

I have SMTP services on Exchange 2013, but the cert with SMTP services has expired on Exchange 2007. In a coexistence environment, do I need to have a cert with SMTP for the Exchange 2007 server?

April 27th, 2015 8:43am

Thanks for your help!

I ran the following 2 commands to fix the transport issue

new-exchangecertificate -domainname exchange01.mydomain.com, Exchange01
enable-exchangecertificate -thumbprint D709CDFCF9BF68EE5C43394EF0046A5CD833D5A6 -services smtp

April 27th, 2015 3:46pm
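The fix the thread ends with (New-ExchangeCertificate followed by Enable-ExchangeCertificate), as an added example that is not part of the original posts, with the checks a practitioner would put around it. The poster's own Get-ExchangeCertificate output already shows the cause: the certificates carrying exchange01.mydomain.com with SMTP are DateInvalid, which is the certificate the transport event is about; the Code Signing PCA under Trusted Publishers is not something the transport service looks up. Host names are from the thread; the friendly name, the validity check and the cleanup of old certificates are assumptions.

```powershell
# Added example: renew the self-signed SMTP certificate on Exchange 2007 and verify the
# result before cleaning up. Run in the Exchange Management Shell on exchange01. Host
# names are from the thread; friendly name and cleanup policy are assumptions.
$fqdn      = "exchange01.mydomain.com"
$shortName = "exchange01"

# 1. What does transport have today? Only certificates with SMTP assigned matter here.
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" }
$smtpCerts | Format-Table Thumbprint, Status, NotAfter, IsSelfSigned, CertificateDomains -AutoSize

# 2. Create the new self-signed certificate for the transport names. Exchange prompts
#    whether to overwrite the default SMTP certificate; the returned object carries the
#    thumbprint, so nothing has to be copied from the screen.
$new = New-ExchangeCertificate -DomainName $fqdn, $shortName `
           -FriendlyName "exchange01 SMTP self-signed $(Get-Date -Format yyyy-MM-dd)"
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP

# 3. Confirm before touching anything else: Valid, SMTP assigned, FQDN present.
$check   = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$domains = $check.CertificateDomains | ForEach-Object { $_.ToString() }
if ($check.Status -ne "Valid" -or $check.Services -notmatch "SMTP" -or $domains -notcontains $fqdn) {
    throw "Certificate $($new.Thumbprint) is not a valid SMTP certificate for $fqdn"
}

# 4. Transport picks up certificate changes on restart; the event should stop after this.
Restart-Service MSExchangeTransport

# 5. Remove the old SMTP certificates that are no longer Valid so the selection is
#    unambiguous. -WhatIf lists the candidates first; drop it once the list is right.
#    Anything that is Invalid for a reason other than expiry (untrusted chain) should be
#    looked at before it is deleted.
$smtpCerts |
    Where-Object { $_.Status -ne "Valid" -and $_.Thumbprint -ne $new.Thumbprint } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -WhatIf }
```

Step 3 is the part worth keeping even when the rest is done by hand: Enable-ExchangeCertificate does not unassign SMTP from the older certificates, so several certificates can carry SMTP at once, and the check proves that at least one of them is both valid and a match for the FQDN in the event.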
