Event 12016, MSExchangeTransport
- Windows Server 2008 x64 w/ SP2
- Exchange 2007 Standard Version 8.1 (Build 240.6)
- Single Server setup

First, there is a lot of detail out there about this event and I have looked at it but do not fully understand what I should do in this particular situation. Let me give you a picture of what's going on in this case and what I'm unsure about.

I have repeated events in the application log that state:

"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of ZOO.hq.mydomain.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of ZOO.hq.mydomain.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task."

The FQDN above is internal. I have a SAN cert of external names and have, on the pertinent services (EWS, OAB, CAS), set internal and external URLs to the subjects on the cert. From what I can tell, the only area where this FQDN shows up is in the "Default ZOO" Receive Connector. It may exist elsewhere that I'm not seeing. If I try to change the FQDN to the primary subject name which is listed in my SAN cert, I get the following error:

"When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server, the NetBIOS name of the transport server, or $null."

...so I seem to be forced to keep it as the internal FQDN of the server. I recently renewed that SAN cert and I figured everything was working. I created a new CSR, acquired the cert, installed and enabled it, and removed the old one. I'm thinking the timing is just a red herring. These events date back prior to the renewal.
When I list the Exchange certs from EMS using "Get-ExchangeCertificate | fl *" the certificate with Subject matching the above FQDN shows a "NotAfter" date of 7/11/2011 so it's not expired. The only thing listed next to "Services" is UM. So at this point, it looks to me like the certificate does exist on the server (it's bound to UM, which we're not using anyway at this point) and that it's not expired. So what's next to get rid of this event? Thanks a lot in advance.
July 30th, 2009 4:37pm

How did you renew the certificate? Through IIS? If so then Exchange doesn't know about the new certificate. You need to tell Exchange to use that certificate for SMTP. You can either do that with PowerShell using the Enable-ExchangeCertificate command or by exporting the .cer file from the certificate then importing it using the Import-ExchangeCertificate command.

Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
July 30th, 2009 6:33pm

Thank you for your reply. I'm pretty sure I did everything correctly; access to the Exchange server (other than the event error in question) for users is working fine with the new certificate. Here's the process I executed:

1. ran New-ExchangeCertificate to get a new CSR
2. grabbed the thumbprint for the existing cert that was about to expire
3. ran Import-ExchangeCertificate to import the newly renewed certificate from the vendor
4. ran Enable-ExchangeCertificate for the cert in step 3 by its thumbprint
5. removed the cert from step 2 via its thumbprint.

Did I miss anything?
July 30th, 2009 7:48pm

You need to tell Exchange to use that certificate for SMTP.

Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
July 30th, 2009 7:55pm

I'm sorry it wasn't made clearer, but it is. The following is a portion of the command used:

Enable-ExchangeCertificate -services SMTP,IIS ...
July 30th, 2009 8:22pm

Check info:

1. When did the issue start to happen? Before your recent SAN certificate renewal?

2. Quote: "The FQDN above is internal"
So, ZOO.hq.mydomain.com is the internal FQDN of the Exchange server, right?

3. Quote: "I have a SAN cert of external names and have, on the pertinent services (EWS, OAB, CAS), set internal and external URLs to the subjects on the cert"
What about the internal FQDN of the Exchange server (ZOO.hq.mydomain.com)? Does it exist in the Subject Alternative Name field?
Creating a Certificate or Certificate Request for TLS

4. Quote: "I recently renewed that SAN cert and I figured everything was working ... events date back prior to the renewal"
Do you mean that event 12016 comes back after the renewal?

5. Quote: "When I list the Exchange certs from EMS"
How many certificates are in there, two? One is from a public CA which you have renewed, and another is a self-signed certificate, right?

6. Could you post the output of the cmdlet Get-ExchangeCertificate | fl here? It would be easier to understand. You can change the sensitive parts to other names, like ZOO.hq.mydomain.com

~~~~~~~~~~~~~~
James Luo
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
~~~~~~~~~~~~~~
July 31st, 2009 4:40am

Thanks for your continued support.

1. The events seem to indicate the issue started before the SAN certificate renewal but technically, I only noticed it after.
2. Right, zoo.hq.mydomain.com is internal.
3. The internal FQDN is NOT one of the names listed on the cert.
4. It's not so much that they come back as they never seemed to have stopped. As mentioned in #1, the events predate the renewal and continued after, so the renewal didn't seem to alter the occurrence of the event.
5. There are 7 certs total. See below.
6. See below.

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ZOO.hq.mydomain.com}
CertificateRequest :
IisServices : {}
IsSelfSigned : True
KeyIdentifier : 430E2A9C74B77016940DB0A552CB795CC41C9B8D
RootCAType : Registry
Services : UM
Status : Valid
PrivateKeyExportable : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 7/11/2011 7:03:51 AM
NotBefore : 7/11/2009 7:03:51 AM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 3, 21, 48, 130, 1, 253, 160, 3, 2, 1, 2, 2, 16, 10...}
SerialNumber : 0A168D0CCFF760944E679A959316A1C5
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : E0E56157A51549E316396F0D158FC79DD445B812
Version : 3
Handle : 467022864
Issuer : CN=ZOO.hq.mydomain.com
Subject : CN=ZOO.hq.mydomain.com

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {zoo.mydomain.com, www.zoo.mydomain.com, intranet.mydomain.com, webmail.mydomain.com, autodiscover.mydomain.com}
CertificateRequest :
IisServices : {IIS://ZOO/W3SVC/1, IIS://ZOO/W3SVC/258090620}
IsSelfSigned : False
KeyIdentifier : 37055CDED5E0DC0F6A1ED56468F13CD5F85DBE5E
RootCAType : ThirdParty
Services : IMAP, POP, IIS, SMTP
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : mydomain
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 8/27/2010 5:36:19 PM
NotBefore : 7/7/2009 3:34:14 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 5, 91, 48, 130, 4, 67, 160, 3, 2, 1, 2, 2, 7, 4...}
SerialNumber : 040112100CA095
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : F9FF2331AF235BAE63C6F456097EE8AC04D42F44
Version : 3
Handle : 467024272
Issuer : SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US
Subject : CN=zoo.mydomain.com, OU=Domain Control Validated, O=zoo.akendi.com

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {zoo.mydomain.com, intranet.mydomain.com, webmail.mydomain.com, autodiscover.mydomain.com}
CertificateRequest : BlahBlahBlah
IisServices : {}
IsSelfSigned : True
KeyIdentifier : 4B84DF4C4492284CAF5BEF7217DC397A1DF6CDF6
RootCAType : None
Services : None
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 8/25/2009 7:05:35 PM
NotBefore : 8/25/2008 6:45:35 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 4, 4, 48, 130, 2, 236, 160, 3, 2, 1, 2, 2, 16, 14...}
SerialNumber : 0E8FBEC2555704B64E2D5C495D65ED62
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 58A98798F0540BE8AFB90C689C670465B8BAB675
Version : 3
Handle : 488213104
Issuer : C=CA, L=Toronto, S=Ontario, O=mydomain, CN=zoo.mydomain.com
Subject : C=CA, L=Toronto, S=Ontario, O=mydomain, CN=zoo.mydomain.com

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {zoo.mydomain.com, autodiscover.mydomain.com, intranet.mydomain.com, webmail.mydomain.com}
CertificateRequest : BlahBlahBlah
IisServices : {}
IsSelfSigned : True
KeyIdentifier : 3D4C1E9432D3C5D702CE82D6967454354A6E0F0E
RootCAType : None
Services : None
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : mydomain
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 8/22/2009 5:45:28 PM
NotBefore : 8/22/2008 5:25:28 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 2, 175, 48, 130, 2, 24, 160, 3, 2, 1, 2, 2, 16, 115...}
SerialNumber : 7309FB783C2A87BF48D489330E9D2BF4
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 87CDDD975C8ED7ABF9C0E9BE908BC54C1013AA7A
Version : 3
Handle : 488214512
Issuer : C=CA, O=mydomain, CN=zoo.mydomain.com
Subject : C=CA, O=mydomain, CN=zoo.mydomain.com

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {zoo.mydomain.com, autodiscover.mydomain.com, intranet.mydomain.com, webmail.mydomain.com}
CertificateRequest : BlahBlahBlah
IisServices : {}
IsSelfSigned : True
KeyIdentifier : CBAF9F14FC7DC0311860446A061DF29ABDB8E9F7
RootCAType : None
Services : None
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : mydomain
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 8/22/2009 4:43:29 PM
NotBefore : 8/22/2008 4:23:29 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 2, 175, 48, 130, 2, 24, 160, 3, 2, 1, 2, 2, 16, 56...}
SerialNumber : 389A655AAC33ABBB493A0F461A4B80C5
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 7236FD89F8F4A666B5342FFEC9B59BB8F6582635
Version : 3
Handle : 488214256
Issuer : C=CA, O=mydomain, CN=zoo.mydomain.com
Subject : C=CA, O=mydomain, CN=zoo.mydomain.com

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ZOO, ZOO.hq.mydomain.com}
CertificateRequest :
IisServices : {}
IsSelfSigned : True
KeyIdentifier : DFD6C07780C4BEF611DD67F8294B0924C6E864CA
RootCAType : Registry
Services : UM, SMTP
Status : DateInvalid
PrivateKeyExportable : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 6/13/2009 3:35:55 PM
NotBefore : 6/13/2008 3:35:55 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 2, 254, 48, 130, 1, 230, 160, 3, 2, 1, 2, 2, 16, 242...}
SerialNumber : F247FA1029A9DB864144A664ACD1161D
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : D7FCF239E2F23D408F8C3676FDD1BFF447062E14
Version : 3
Handle : 467024912
Issuer : CN=ZOO
Subject : CN=ZOO

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-ZOO}
CertificateRequest :
IisServices : {}
IsSelfSigned : True
KeyIdentifier : 598F2E95C3AE6EA9C20DE80F3E06D95D7FDF4C66
RootCAType : Registry
Services : None
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 6/10/2018 3:35:12 PM
NotBefore : 6/12/2008 3:35:12 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 2, 217, 48, 130, 1, 193, 160, 3, 2, 1, 2, 2, 16, 186...}
SerialNumber : BAB1841F906401BF44A352E79C427601
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 44AA98261C608F304BE56B1967F595267803EE24
Version : 3
Handle : 467024016
Issuer : CN=WMSvc-ZOO
Subject : CN=WMSvc-ZOO
July 31st, 2009 4:52pm

The certificate selection process retrieves the fully qualified domain name (FQDN) value from the Receive connector configuration. If the FQDN value on the Receive connector is null, the server's physical FQDN is retrieved. The certificate is checked to see whether it has expired. The Valid to field in the certificate properties is compared to the current date and time. If the certificate has not expired, STARTTLS is advertised. If the certificate has expired, Event ID 12016 is logged in the Application log, but STARTTLS is still advertised.
----------
Refer to <Selection of Inbound STARTTLS Certificates>

I assume that the FQDN of the receive connector on your Exchange server is ZOO.hq.mydomain.com or null, yet the only one that contains this name and has the SMTP service enabled is this one (and it has expired):

Thumbprint : D7FCF239E2F23D408F8C3676FDD1BFF447062E14
CertificateDomains : {ZOO, ZOO.hq.mydomain.com}
Services : UM, SMTP
NotAfter : 6/13/2009 3:35:55 PM
NotBefore : 6/13/2008 3:35:55 PM

I suggest you add ZOO.hq.mydomain.com to the new SAN certificate. Please check the "Best Practices for Domain Names for Internet SMTP" section in the article that I posted above.

Thumbprint : F9FF2331AF235BAE63C6F456097EE8AC04D42F44
Services : IMAP, POP, IIS, SMTP

Notes: Please remove those expired/unused certificates.
August 3rd, 2009 5:39am
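The selection process James describes (connector FQDN, or the server's physical FQDN when that is null, matched against SMTP-enabled certificates and then checked for expiry) can be reproduced from the Exchange Management Shell to see, per Receive connector, which certificate will be offered for STARTTLS and whether Event 12016 is to be expected. The script below is an added example, not code from this thread or from Microsoft. It assumes Exchange 2007 on the transport server itself; the cmdlets and properties it uses (Get-ReceiveConnector with its Fqdn and AuthMechanism, Get-ExchangeCertificate with CertificateDomains, Services, NotAfter, Thumbprint and IsSelfSigned) are the ones visible in the thread's own output, and the host-name lookup through System.Net.Dns is a plain .NET call.

```powershell
# Added example (not from the thread): for every Receive connector on this server,
# work out the FQDN Exchange will present and list the SMTP-enabled certificates
# whose domain list contains it, flagging expired ones. An FQDN whose only matching
# SMTP certificate has expired is exactly the condition behind Event 12016.
# Assumes the Exchange 2007 Management Shell, run on the transport server.

$serverFqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$now        = Get-Date
$allCerts   = @(Get-ExchangeCertificate)

foreach ($rc in Get-ReceiveConnector -Server $env:COMPUTERNAME) {
    # A null/empty connector FQDN means the server's physical FQDN is used
    if ($rc.Fqdn -ne $null -and $rc.Fqdn.ToString() -ne "") {
        $fqdn = $rc.Fqdn.ToString()
    } else {
        $fqdn = $serverFqdn
    }

    # Candidates: SMTP service enabled and the FQDN present in CertificateDomains
    # (compared case-insensitively, as DNS names are)
    $candidates = @($allCerts | Where-Object {
        $cert  = $_
        $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        ($cert.Services.ToString() -match 'SMTP') -and ($names -contains $fqdn.ToLower())
    })

    Write-Host ("Connector '{0}'  FQDN={1}  AuthMechanism={2}" -f $rc.Name, $fqdn, $rc.AuthMechanism)

    if ($candidates.Count -eq 0) {
        Write-Host "  no SMTP-enabled certificate contains this FQDN"
        continue
    }

    $anyValid = $false
    foreach ($cert in $candidates) {
        $state = "ok"
        if ($cert.NotAfter -lt $now) { $state = "EXPIRED" } else { $anyValid = $true }
        Write-Host ("  {0}  expires {1}  selfsigned={2}  {3}" -f `
            $cert.Thumbprint, $cert.NotAfter, $cert.IsSelfSigned, $state)
    }
    if (-not $anyValid) {
        Write-Host "  -> every matching certificate has expired: expect Event 12016 for $fqdn"
    }
}
```

Against the certificate list Kevin posted, the only SMTP-enabled certificate containing ZOO.hq.mydomain.com is the self-signed one with thumbprint D7FCF239E2F23D408F8C3676FDD1BFF447062E14, whose NotAfter is 6/13/2009, so the script would print the EXPIRED line for both connectors that carry that FQDN. Exchange's own view of the same match can be cross-checked with Get-ExchangeCertificate -DomainName ZOO.hq.mydomain.com, which lists the certificates that contain that name.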

Any update for this thread?
August 5th, 2009 3:50am

I just haven't had a chance to address your last post yet. If I'm clear, you want me to do the following:
- add "zoo.hq.mydomain.com" to the SAN certificate used with the receive connector; and
- remove any and all expired or unused certificates.

I'm not 100% sure how to best determine if a cert is used or not, but removing expired certs shouldn't be a problem.

Question: Is there a way I could use a self-signed cert for zoo.hq.mydomain.com and not alter the SAN certificate?

Thanks.
Kevin
August 17th, 2009 11:35pm

Per my knowledge, the self-signed certificate will work as well. We need to renew the self-signed certificate above which contains the name ZOO.hq.mydomain.com, in order to extend the valid time.
Understanding the Self-Signed Certificate in Exchange 2007
Renewing the self-signed certificate
August 18th, 2009 4:18am

Okay, I'm stuck again. I first tried to renew the expired certificate with the following command:

Get-ExchangeCertificate -thumbprint "D7FCF239E2F23D408F8C3676FDD1BFF447062E14" | New-ExchangeCertificate

and got the output below, which I responded no to:

Confirm
Overwrite existing default SMTP certificate, 'F9FF2331AF235BAE63C6F456097EE8AC04D42F44' (expires 8/27/2010 5:36:19 PM), with certificate '94838D37FAD3805A627CD575F2DADD3B7CDCA616' (expires 8/20/2010 9:17:07 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

I was going to back up and then remove the expired cert with thumbprint D7FCF239E2F23D408F8C3676FDD1BFF447062E14. When I use the following command, I get "Export-ExchangeCertificate : Cannot gain access to the private key or it is not exportable, and as a result cannot export as PKCS-12.":

Export-ExchangeCertificate -Thumbprint "D7FCF239E2F23D408F8C3676FDD1BFF447062E14" -BinaryEncoded:$true -Path C:\IT\Cert\Exported\zoo.hq.mydomain.com_selfsigned_expired.pfx -Password:(Get-Credential).password

Is it safe to just go ahead and delete this then?

I see that I have another self-signed cert that is not expired and only bound to UM with thumbprint E0E56157A51549E316396F0D158FC79DD445B812. I thought I might try to bind it to SMTP and get the following:

"WARNING: This certificate will not be used for external TLS connections with an FQDN of 'ZOO.hq.mydomain.com' because the self-signed certificate with thumbprint '94838D37FAD3805A627CD575F2DADD3B7CDCA616' takes precedence. The following connectors match that FQDN: Default ZOO, Unauthenticated Relay.
Confirm
Overwrite existing default SMTP certificate, 'F9FF2331AF235BAE63C6F456097EE8AC04D42F44' (expires 8/27/2010 5:36:19 PM), with certificate 'E0E56157A51549E316396F0D158FC79DD445B812' (expires 7/11/2011 7:03:51 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):"

I selected No.

I had also tried to remove a service from one of the certs, but according to MS documentation, the Enable-ExchangeCertificate cmdlet is only additive, so that can't be done. Using None for services doesn't work either. So, how can I achieve a fix using a self-signed cert given the above cases?

Thanks.
Kevin
August 21st, 2009 4:28am
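Kevin's two open questions (whether the expired, non-exportable self-signed certificate can simply be deleted, and how to cover ZOO.hq.mydomain.com with a self-signed certificate without touching the SAN certificate) correspond to the Exchange Management Shell sequence below. It is an added example, not code from this thread or from Microsoft, and it assumes Exchange 2007 on the transport server: it creates a new self-signed certificate carrying the server's NetBIOS name and FQDN with only the SMTP service, keeps the third-party certificate as the default SMTP certificate by answering N to the overwrite prompt (the same prompt Kevin saw), verifies that the FQDN is now covered by a valid SMTP certificate, and only then lists or removes expired certificates. The $dryRun switch and the friendly name are conventions of this example, not Exchange parameters.

```powershell
# Added example (not from the thread): replace the expired self-signed SMTP
# certificate for the server FQDN while leaving the third-party SAN certificate
# as the default SMTP certificate. Assumes the Exchange 2007 Management Shell on
# the transport server. $dryRun is an example convention: removal happens only
# when it is set to $false.

$dryRun      = $true
$serverFqdn  = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$netbiosName = $env:COMPUTERNAME

# 1. New self-signed certificate for the two names an ExchangeServer-auth Receive
#    connector may present (NetBIOS name and FQDN), SMTP service only.
#    New-ExchangeCertificate will ask whether to overwrite the existing default SMTP
#    certificate (the third-party one): answer N. The certificate is still created
#    and SMTP-enabled; it just does not replace the default used for external TLS.
$newCert = New-ExchangeCertificate -DomainName $netbiosName, $serverFqdn `
    -SubjectName "CN=$serverFqdn" -Services SMTP `
    -FriendlyName "Internal SMTP $serverFqdn" -PrivateKeyExportable $true
Write-Host ("Created {0} (expires {1})" -f $newCert.Thumbprint, $newCert.NotAfter)

# 2. Verify before removing anything: at least one unexpired, SMTP-enabled
#    certificate must now contain the server FQDN.
$covering = @(Get-ExchangeCertificate | Where-Object {
    $cert  = $_
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    ($cert.Services.ToString() -match 'SMTP') -and
    ($names -contains $serverFqdn.ToLower()) -and
    ($cert.NotAfter -gt (Get-Date))
})
if ($covering.Count -eq 0) {
    throw "No valid SMTP certificate covers $serverFqdn; leaving existing certificates alone."
}

# 3. Expired certificates. Enable-ExchangeCertificate cannot take a service away,
#    so removal is the only way to stop an expired certificate being a candidate.
#    A self-signed certificate whose private key is not exportable cannot be backed
#    up with Export-ExchangeCertificate first; once a valid certificate covers the
#    same names, nothing depends on the expired one.
$expired = @(Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt (Get-Date) })
foreach ($cert in $expired) {
    Write-Host ("Expired: {0}  {1}  services={2}" -f $cert.Thumbprint, $cert.Subject, $cert.Services)
    if (-not $dryRun) {
        Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
    }
}
```

Run it once with $dryRun left at $true to see what step 3 would delete, then again with $dryRun set to $false. A self-signed certificate is appropriate here only because the connector in question uses ExchangeServer authentication between Exchange servers on the internal name; the third-party SAN certificate stays the default SMTP certificate, so TLS offered to external senders is unchanged.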
