Event ID: 12018
Event Viewer logs show the details below.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 8/10/2010
Time: 3:54:25 PM
User: N/A
Computer: SERVER-4
Description:
The STARTTLS certificate will expire soon: subject: server-4.bok.com.np, hours remaining: A050E366E44A2E485A2009B22712C3199AF451F7. Run the New-ExchangeCertificate cmdlet to create a new certificate. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I clearly understand that this is the certificate renewal issue that occurs annually, since our organization is using the default Exchange certificate. Sirs, this time I have to renew the certificate myself for the very first time. So, I need your step-by-step guidelines.
I am posting this issue again because I am totally confused by the links provided in the available posts & forums. They are vast & I could not get the exact steps that I NEED TO FOLLOW STRAIGHT FORWARD.
Sirs, guide me for the further steps.
STEP 1
[PS] C:\Documents and Settings\Administrator>get-exchangecertificate |fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server-4.bok.com.np}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 10/18/2010 9:59:18 PM
NotBefore : 10/18/2009 9:59:18 PM
PublicKeySize : 1024
RootCAType : Registry
SerialNumber : 1A501266000000000010
Services : None
Status : Valid
Subject : CN=server-4.bok.com.np
Thumbprint : ECD0E9C6BB110A1598A24D5A32CD355BAA979FBC
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.bok.com.np}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 9/8/2011 9:02:31 AM
NotBefore : 9/8/2009 9:02:31 AM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 11D44AD000000000000F
Services : IMAP, POP
Status : Valid
Subject : CN=mail.bok.com.np
Thumbprint : FBD91108F7FB9C66737CEC6C789CB0FEBBA58C9A
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server-4, server-4.bok.com.np}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=server-4
NotAfter : 9/1/2010 8:13:17 PM
NotBefore : 9/1/2009 8:13:17 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 68F1AF923B0317B849C69A238D11CCDC
Services : SMTP
Status : Valid
Subject : CN=server-4
Thumbprint : A050E366E44A2E485A2009B22712C3199AF451F7
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.bok.com.np}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 8/9/2010 2:52:44 PM
NotBefore : 8/9/2008 2:52:44 PM
PublicKeySize : 1024
RootCAType : Registry
SerialNumber : 6189A926000000000002
Services : IMAP, POP, IIS
Status : DateInvalid
Subject : CN=mail.bok.com.np, OU=BOK, O=BOK, L=Kathmandu, S=BG, C=NP
Thumbprint : F355FCCCC21A5DC75DC75AA22A003DE82B3CA541
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.bok.com.np}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 8/9/2013 2:59:35 PM
NotBefore : 8/9/2008 2:51:59 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 505D154CA53F55854D453BA5304C45C7
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
Thumbprint : 568A02C427C763E6F99E3B0F4AEFB45ABAD07580
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server-4.bok.com.np}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=server-4.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 8/9/2010 12:01:58 PM
NotBefore : 8/9/2008 12:01:58 PM
PublicKeySize : 1024
RootCAType : Enterprise
SerialNumber : 1BA1A8C3000000000002
Services : None
Status : DateInvalid
Subject : CN=server-4.bok.com.np, OU=BOK, O=BOK, L=Kathmandu, S=BG, C=NP
Thumbprint : D0AF7CA62D681E9607340223AAB3A202D83E36EC
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server-4.bok.com.np}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=server-4.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 8/7/2010 1:45:14 PM
NotBefore : 8/7/2008 1:45:14 PM
PublicKeySize : 1024
RootCAType : Enterprise
SerialNumber : 11B37EE0000000000003
Services : None
Status : DateInvalid
Subject : CN=server-4.bok.com.np, OU=BOK, O=BOK, L=Kathmandu, S=BG, C=NP
Thumbprint : 87C4660DB107A9ABAAB3DE62163EB09C92BA387F
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange.contoso.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=exchange.contoso.com, O=Contoso Corporation, DC=contoso, DC=com
NotAfter : 8/7/2009 5:35:48 PM
NotBefore : 8/7/2008 11:35:48 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : F6ECFD9CAA65298E4E1CAD1CE4E96F49
Services : None
Status : Invalid
Subject : CN=exchange.contoso.com, O=Contoso Corporation, DC=contoso, DC=com
Thumbprint : 1B9E3DED5234DFCFDE27C5688E1DDE51671DBE8F
_______________________________________________________________________________
I have to enable the new certificate for IIS, POP, IMAP & ActiveSync (mobile users) as well. Please mention the other services if I have missed any.
I also need the steps to renew the certificate. I am totally confused about which certificate from the above list has to be renewed.
Cheers,
Surya M. Bajracharya.
August 10th, 2010 2:39pm
Hi,
Have a look at these posts: http://www.exchangeinbox.com/article.aspx?i=114
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
Ripu Daman Mina | MCSE 2003 & MCSA Messaging
August 10th, 2010 3:23pm
Dear Ripu,
I had checked this link earlier & yes, this one is the best among all for my case.
Since a small mistake of mine might cause bigger issues, I want to solve this case 100%. So, please suggest preventive measures that I need to keep in mind.
What do I do for mobile users?
Cheers,
Surya M. Bajracharya
August 10th, 2010 3:48pm
Hi Surya,
Is Exchange SP2 installed or not? Which SP version are you currently using? Also have a look at this article; it has full details, also covering the ActiveSync part: http://jarrod.spiga.id.au/?p=20
Ripu Daman Mina | MCSE 2003 & MCSA Messaging
August 10th, 2010 4:11pm
Hi Ripu,
Server Configuration : Windows Server 2003 (x64) Standard Edition; SP2 Installed
Exchange Setups : Exchange 2007 SP2 (x64)
Ripu, can you help me work out which certificate from that previous post is currently being used? There are already 3 certificates displayed when using this command:
Get-ExchangeCertificate -domain "mail.bok.com.np" | fl
I've figured out that one has already expired, on 09/08/2010.
Is there any way to find out whether this particular certificate is being used for my Exchange?
Cheers,
Surya M. Bajracharya
August 10th, 2010 4:35pm
Hi Surya,
Run Get-ExchangeCertificate | fl on the CAS server; it will list the installed certificates with details.
Ripu Daman Mina | MCSE 2003 & MCSA Messaging
August 10th, 2010 6:32pm
Dear Ripu,
I did the same. Please check my first post and STEP 1.
I also listed all the certificates which were displayed after running that command.
Cheers,
Surya M. Bajracharya
August 10th, 2010 6:34pm
Hi Surya,
As listed,
1) IMAP, POP. Expiry 9/8/2011 9:02:31 AM
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.bok.com.np}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 9/8/2011 9:02:31 AM
NotBefore : 9/8/2009 9:02:31 AM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 11D44AD000000000000F
Services : IMAP, POP
Status : Valid
Subject : CN=mail.bok.com.np
Thumbprint : FBD91108F7FB9C66737CEC6C789CB0FEBBA58C9A
2) SMTP, expiry 9/1/2010 8:13:17 PM
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server-4, server-4.bok.com.np}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=server-4
NotAfter : 9/1/2010 8:13:17 PM
NotBefore : 9/1/2009 8:13:17 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 68F1AF923B0317B849C69A238D11CCDC
Services : SMTP
Status : Valid
Subject : CN=server-4
Thumbprint : A050E366E44A2E485A2009B22712C3199AF451F7
3) IMAP, POP, SMTP. Expiry 8/9/2013 2:59:35 PM
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.bok.com.np}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
NotAfter : 8/9/2013 2:59:35 PM
NotBefore : 8/9/2008 2:51:59 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 505D154CA53F55854D453BA5304C45C7
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=mail.bok.com.np, DC=bok, DC=com, DC=np
Thumbprint : 568A02C427C763E6F99E3B0F4AEFB45ABAD07580
All the other certs are expired. I don't know why all these other certs are installed & were not removed when they expired. The last one is valid till 2013 & it is for IMAP, POP, SMTP; if it's a correct cert it will work & you might not have to install a new one for these services.
Ripu Daman Mina | MCSE 2003 & MCSA Messaging
August 10th, 2010 8:40pm
Hi Surya,
From the Event ID: 12018, the certificate (Thumbprint): A050E366E44A2E485A2009B22712C3199AF451F7 is used for STARTTLS.
So you can just use the cmdlet Get-ExchangeCertificate -thumbprint “A050E366E44A2E485A2009B22712C3199AF451F7” | New-ExchangeCertificate to renew the certificate.
By the way, I see you have many certificates. I would suggest you create a new internal CA (some certificates' RootCAType is Enterprise), enable all services (IIS, SMTP, POP, IMAP) on the new one, then delete any other old ones.
You can follow the TechNet document to request, obtain and import the certificate.
Managing SSL for a Client Access Server
http://technet.microsoft.com/en-us/library/bb310795(EXCHG.80).aspx
Frank Wang
August 12th, 2010 11:18am
Hello Surya,
Check the Event Viewer for Event IDs 12014, 12017 & 12018, go through those Event IDs & according to that create a self-signed certificate for the SMTP service.
For example:
New-ExchangeCertificate -DomainName server-4.bok.com.np -Services SMTP
After creating the self-signed certificate for the SMTP service, restart the Transport service.
It will fix the issue.
EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
August 12th, 2010 4:14pm
Hi Frank,
As you mentioned, I have many certificates, and that is where I am getting confused. I am not able to figure out which certificate is to be renewed.
As I went in depth, I found that there are 3/4 certificates which just expired on 8/9/2010 (mm-dd/yyyy). But the event log is pointing out that I have a certificate which is going to expire on 9/1/2010.
To confuse me more, I have received a complaint that Mobile Users are not receiving emails, which also points to a certificate issue. I don't know which certificate is causing this issue.
"I would suggest you create a new internal CA (some certificate's RootCAType is Enterprise)"
Is "Get-ExchangeCertificate -thumbprint “A050E366E44A2E485A2009B22712C3199AF451F7” | New-ExchangeCertificate" different from creating a new internal CA? If so, how do I do it?
Totally Confused !! :(
Sury M. Bajracharya
August 15th, 2010 4:19pm
Hi Sury,
In my last reply, I said the certificate's thumbprint A050E366E44A2E485A2009B22712C3199AF451F7 is used for STARTTLS, and you can find it in the output of the certificate: NotAfter : 9/1/2010 8:13:17 PM
As I find two certificates' RootCAType is Enterprise, you have already applied the certificate from the internal CA.
In order to simplify your question, I would suggest you apply a new internal CA certificate for your Exchange server.
And the request cmdlet should look like this (you can find details from the link I gave you):
New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -domainname CAS01,CAS01.exchange.corp.contoso.com,exchange.contoso.com,autodiscover.contoso.com -PrivateKeyExportable $true -path c:\certrequest.txt
Get-ExchangeCertificate -thumbprint “A050E366E44A2E485A2009B22712C3199AF451F7” | New-ExchangeCertificate is the cmdlet for renewing a certificate; it is different from creating a new internal CA certificate.
More information:
Certificate Use in Exchange Server 2007
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
Frank Wang
August 16th, 2010 4:56am
Hello Surya,
Any updates?
Did you follow the steps provided by me & the other colleagues to fix the certificate issue?
Let us know the update.
EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
August 17th, 2010 1:44am
Hello PKT_,
Yesterday, what we did was renew the certificate with Thumbprint: F355FCCCC21A5DC75DC75AA22A003DE82B3CA541, which expired on 08/09/2010. Surprisingly, Event Viewer is still throwing log ID 12018.
Surya M. Bajracharya
August 17th, 2010 7:42am
Hello Surya,
It might be possible that the FQDN on the renewed certificate with Thumbprint: F355FCCCC21A5DC75DC75AA22A003DE82B3CA541 was not correct.
Please check the Event Viewer for Event ID 12018, go through that Event ID (FQDN) & according to that create a self-signed certificate for the SMTP service.
Run the command, for example:
New-ExchangeCertificate -DomainName server-4.bok.com.np -Services SMTP
After creating the self-signed certificate for the SMTP service, restart the Transport service.
It will fix the issue.
EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
August 17th, 2010 12:00pm
Hello PKT_,
But yesterday, we renewed plus enabled all services IMAP, POP, IIS & SMTP over the old certificate with Thumbprint: F355FCCCC21A5DC75DC75AA22A003DE82B3CA541
But as per your suggestion, I should again create (not renew) a new certificate as stated by Frank. Is that correct? If so, please, please tell me the exact command that I need to run.
If below is the syntax,
New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -domainname CAS01,CAS01.exchange.corp.contoso.com,exchange.contoso.com,autodiscover.contoso.com -PrivateKeyExportable $true -path c:\certrequest.txt
Can I just run the command New-ExchangeCertificate -DomainName server-4.bok.com.np -Services SMTP ??
Finally, which certificate will I have to provide for the Windows Mobile users?
August 17th, 2010 6:02pm
Hi Surya,
"Can I just run the command New-ExchangeCertificate -DomainName server-4.bok.com.np -Services SMTP ??
Finally, which certificate will I have to provide for the Windows Mobile users?"
You cannot use a self-signed certificate for ActiveSync (Windows Mobile users), so please follow the link I gave you to create a new CA certificate.
Managing SSL for a Client Access Server
http://technet.microsoft.com/en-us/library/bb310795(EXCHG.80).aspx
And you can only renew a self-signed certificate which is not expired.
Frank Wang
August 18th, 2010 4:51am
Hello Frank,
I don't know what will happen on 1st Sep 2010 to my Exchange Mail Flow.
The new certificate shows the value TRUE for Self signed & the date is valid until next year. On top of that, this certificate, after exporting from IIS, worked for Windows Mobile too. My only problem is that Event Viewer is throwing the certificate expiry log ID.
I am taking a risk - Wait & Watch Till 3rd September. Frank & PKT_, please be there for me on 1st September. I will surely need your help!
Surya M. Bajracharya
August 18th, 2010 7:44pm
Hello Surya,
Any updates?
EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
September 4th, 2010 6:08am
Hi,
Exchange seems to be running fine except for this strange behaviour :p
The certificate with thumbprint 'F355FCCCC21A5DC75DC75AA22A003DE82B3CA541' expired as it had to. The shocking thing is Outlook is picking the certificate from another Exchange server which was set up as DR (its certificate has also expired).
But OWA is picking the newly renewed certificate.
It seems problems are simply piling up. So, my dear frens & Exchange warriors, what do u suggest?
Cheers !
September 8th, 2010 9:34am
Hello Everyone !!
I think the problem is solved !! :D What I did was:
A -- "Get-ExchangeCertificate -thumbprint “A050E366E44A2E485A2009B22712C3199AF451F7” | New-ExchangeCertificate"
& enabled the newly created one for SMTP only, since I had already renewed & enabled services after doing
B -- "Get-ExchangeCertificate -thumbprint “F355FCCCC21A5DC75DC75AA22A003DE82B3CA541” | New-ExchangeCertificate"
My conclusion: I think I should have taken step A in the first place. Thank you for all your support & valuable time.
Cheers !!
Surya M. Bajracharya
September 19th, 2010 9:25am
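A read-only triage for the question this thread kept returning to (which certificate is bound to which service, and which one Event ID 12018 refers to), as an added example that is not part of any poster's reply. It uses only Get-ExchangeCertificate and the properties shown in STEP 1; the `$warnDays` threshold, the `Get-CertAction` helper and the wording of the Action column are assumptions of this example.

```powershell
# Added example: run in the Exchange Management Shell on the server logging Event ID 12018.
# Read-only: it lists and classifies certificates; it does not renew, enable or remove anything.

# Thumbprint quoted in the Event ID 12018 description in the first post of this thread.
$eventThumbprint = 'A050E366E44A2E485A2009B22712C3199AF451F7'
$warnDays = 30      # assumption of this example: flag anything expiring within 30 days
$now = Get-Date

# Hypothetical helper: classify one certificate by service binding, status and expiry.
function Get-CertAction($cert) {
    $services = "$($cert.Services)"    # e.g. "IMAP, POP, SMTP" or "None"
    $status   = "$($cert.Status)"      # e.g. "Valid", "DateInvalid", "Invalid"
    $daysLeft = ($cert.NotAfter - $now).TotalDays

    if ($services -eq 'None') {
        if ($status -ne 'Valid') { return 'unused, invalid: removal candidate' }
        return 'unused'
    }
    if ($status -ne 'Valid')     { return 'BOUND but invalid: replace now' }
    if ($daysLeft -le $warnDays) { return 'BOUND, expiring: renew' }
    return 'bound, ok'
}

# One row per certificate, soonest expiry first, with the event's certificate marked.
$report = Get-ExchangeCertificate | Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, Services, Status, IsSelfSigned, NotAfter,
        @{Name='DaysLeft';   Expression={ [math]::Floor(($_.NotAfter - $now).TotalDays) }},
        @{Name='Event12018'; Expression={ $_.Thumbprint -eq $eventThumbprint }},
        @{Name='Action';     Expression={ Get-CertAction $_ }}

$report | Format-Table Event12018, Action, Services, DaysLeft, Thumbprint -AutoSize

# Certificates currently enabled for SMTP (the service STARTTLS belongs to).
# More than one row here is the situation that caused the confusion in this thread.
$report | Where-Object { "$($_.Services)" -match 'SMTP' } |
    Format-List Thumbprint, Subject, IsSelfSigned, Status, NotAfter, DaysLeft, Action
```

Run against the STEP 1 listing on the date of the first post, this marks A050E366E44A2E485A2009B22712C3199AF451F7 as the SMTP-bound certificate nearing expiry and F355FCCCC21A5DC75DC75AA22A003DE82B3CA541 as bound to IMAP, POP and IIS but already DateInvalid. Re-running it after a renewal shows whether the new thumbprint actually holds the intended services before any old certificate is removed.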