Exchange 2007 SP1 Internal Certificate Issue
Hello Exchange Gurus,

How do I resolve internal certificate issues? The VeriSign certificate is valid up to September 2010.

Application log on the Client Access Server (CAS and Hub on one box):

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12016
Date: 7/3/2010
Time: 9:27:26 AM
User: N/A
Computer: Company-EXCHCA
Description: There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of Company-EXCHCA.company.com.sa. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of Company-EXCHCA.Company.com.sa should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12015
Date: 7/3/2010
Time: 9:49:00 AM
User: N/A
Computer: company-EXCHCA
Description: An internal transport certificate expired. Thumbprint: 59A771BE23F9025FE5536442195FFEFE404757

Application log on the Edge Transport Server:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12019
Date: 7/3/2010
Time: 9:17:24 AM
User: N/A
Computer: Company-EXCHED
Description: The remote internal transport certificate expired. Certificate subject: CN=Company-EXCHCA.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12015
Date: 7/3/2010
Time: 9:17:23 AM
User: N/A
Computer: Company-EXCHED
Description: An internal transport certificate expired. Thumbprint: 5563AB42F7225FF5332FE2E4CB702182493531

Certificate info exported at the Edge Transport Server:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Company-EXCHED, Company-EXCHED.Company.com.sa}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Company-EXCHED
NotAfter           : 6/27/2010 11:37:09 AM
NotBefore          : 6/27/2009 11:37:09 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 839F56CB868DC58392AC7600BF4164
Services           : SMTP
Status             : Invalid
Subject            : CN=Company-EXCHED
Thumbprint         : 5563AB42F7225F6DF52FE2E4CB702182493531

Please advise. Thanks in advance.

Regards,
Amjuu
July 3rd, 2010 10:09am

Hi,

Check your server date and time, because if the certificate is valid then the problem is that your date and time are not set properly.

Also read this: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12016&EvtSrc=MSExchangeTransport&LCID=1033
and this: http://support.microsoft.com/kb/555855

I hope this will resolve your problem.

Regards,
Shafaquat Ali
M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 3rd, 2010 11:53am

Dear Shafaquat,

The date and time are fine on the Exchange servers. I'm getting the error for the internal certificate, not for the VeriSign SSL certificate. The internal certificate has expired. How do I create a new internal certificate on the Client Access and Edge servers?

Thanks.

Regards,
Amjuu
July 4th, 2010 8:36am

Hi Amjuu,

Please use this command:

New-ExchangeCertificate -GenerateRequest -Path c:\youdomain_com.req -KeySize 2048 -SubjectName "c=PK, s=Sindh, l=Karachi, o=Ali, ou=Ali, cn=youdomain.com" -DomainName yourdomain.com, yourdomain.local, autodiscover.yourdomain.com, owa.yourdomain.com -PrivateKeyExportable $True

Edit it with your own domain names.

Regards,
Shafaquat Ali
M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 4th, 2010 8:43am
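Added example, not from the thread or from either poster: the -GenerateRequest command above produces a request file for a CA-signed certificate, whereas the certificate shown expiring in the first post is the self-signed internal transport certificate (IsSelfSigned: True, Services: SMTP). Exchange 2007 SP1 can renew that one directly from the Exchange Management Shell by piping the old certificate into New-ExchangeCertificate, which creates a clone with the same subject and domain names and a fresh validity period. The block below does that on one transport server, binds SMTP to the clone, checks it, shows that the IIS-bound third-party certificate is unaffected, and only then deletes the expired one. The thumbprint is the Edge certificate from the first post; the "Yes" answers at the overwrite prompts are assumed.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# transport server whose self-signed SMTP certificate has expired. The CAS/Hub box
# and the Edge each have their own internal certificate, so repeat on each with
# the thumbprint reported in that server's event 12015.
$expired = "5563AB42F7225F6DF52FE2E4CB702182493531"   # Edge thumbprint from the first post

# 1. Confirm what is about to be replaced: self-signed and bound to SMTP.
$old = Get-ExchangeCertificate -Thumbprint $expired
if (-not $old.IsSelfSigned -or $old.Services -notlike "*SMTP*") {
    throw "Thumbprint $expired is not the self-signed SMTP transport certificate; stopping."
}
$old | Format-List Subject, CertificateDomains, NotAfter, Services, Status

# 2. Clone it. Piping a certificate into New-ExchangeCertificate creates a new
#    self-signed certificate with the same subject and domain names and a new
#    NotBefore/NotAfter, and prompts to make it the default SMTP certificate (answer Yes).
$new = $old | New-ExchangeCertificate

# 3. Bind SMTP explicitly (harmless if the prompt already did it) and verify the result.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Status -ne "Valid" -or $check.Services -notlike "*SMTP*") {
    throw "New certificate $($check.Thumbprint) is not valid for SMTP; leaving the old one in place."
}

# 4. The third-party certificate used for webmail is not touched by any of this:
#    it stays bound to IIS. List it so that can be confirmed before deleting anything.
Get-ExchangeCertificate | Where-Object { $_.Services -like "*IIS*" } |
    Format-List Subject, NotAfter, Services, Status

# 5. Only now remove the expired certificate.
Remove-ExchangeCertificate -Thumbprint $expired

# Caveat for the Edge: the Edge Subscription published the OLD certificate to the
# organization, so after this the Hub fails direct-trust authentication (events
# 1036 / 2018) until the Edge is unsubscribed and a new subscription is created.
```

The throw checks are there because Enable-ExchangeCertificate and Remove-ExchangeCertificate act immediately; if the clone did not come out valid you want the script to stop with the old certificate still in place rather than leave the server with no SMTP certificate at all.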

Hi Shafaquat,

I'm confused by all the parameters. Our domain name is company.com.sa. Instead of all the parameters, I'm executing New-ExchangeCertificate (Yes to All) in the EMS on the Client Access and Edge Transport servers. Does it affect the VeriSign cert (webmail.company.com.sa)? Is New-ExchangeCertificate required on both servers (CAS and Edge)?

Please advise, and thanks for your time.

Regards,
Amjuu
July 4th, 2010 12:44pm

Hi Amjuu,

Please confirm your whole certificate configuration and let me know in detail what you want to do. As per your question, I told you how you can issue a new cert from your local CA server, and VeriSign will be used for CAS and Edge, I think. So please tell me in detail what you want to do.

Regards,
Shafaquat Ali
M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 4th, 2010 1:12pm

Hi,

I just overwrote the cert on the Edge and CAS and am getting the following errors; mail is unable to flow from internal to external and vice versa. There is no sync between CAS and Edge. Please advise.

Client Access Server errors:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1036
Date: 7/4/2010
Time: 1:41:00 PM
User: N/A
Computer: company-EXCHCA
Description: Inbound direct trust authentication failed for certificate CN=company-EXCHED. The source IP address of the server that tried to authenticate to Microsoft Exchange is [10.0.0.75]. Make sure EdgeSync is running properly. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpSend
Event ID: 2018
Date: 7/4/2010
Time: 1:37:13 PM
User: N/A
Computer: KJO-EXCHCA
Description: Outbound direct trust authentication failed for certificate CN=company-EXCHED. The target IP address of the Exchange server that Microsoft Exchange tried to authenticate to is [10.0.0.75]. Make sure EdgeSync is running properly. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Edge Server errors:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1022
Date: 7/4/2010
Time: 1:12:11 PM
User: N/A
Computer: company-EXCHED
Description: Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1022
Date: 7/4/2010
Time: 1:10:58 PM
User: N/A
Computer: company-EXCHED
Description: Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Regards,
Amjuu
July 4th, 2010 1:53pm

Hi,

Please follow the articles below.

For 1022: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=1022&EvtSrc=MSExchangeTransport&LCID=1033
For 1036: http://support.microsoft.com/kb/937031

Regards,
Shafaquat Ali
M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 4th, 2010 2:07pm

Have you enabled all the services, including SMTP, for the existing, valid VeriSign certificate? (I can't really tell from your posts whether that VeriSign cert is installed on the CAS/Hub servers.) If so, that's all you have to do: enable-exchangecertificate
July 4th, 2010 4:43pm

On Sun, 4 Jul 2010 10:53:15 +0000, Amjuu wrote:
> I just overwrite cert at Edge and CAS, getting following errors, unable to flow from internal to external vice versa.
>
> No sync between CAS & Edge please advise.

Try this (stolen from someone smarter than me!):

1. On the Hub, remove the Subscription.
2. On the Edge, remove the cert used by ADAM to establish secure connections. You can do this by following these steps:
   a. Open up an empty MMC console (Run -> mmc).
   b. Select File -> Add/Remove Snap-in.
   c. Hit Add.
   d. Select "Certificates" from the list of snap-ins available, and hit Add.
   e. Select "Service Account" on the "Certificates Snap-In" page, click Next.
   f. Select "Local Computer" on the "Select Computer" page, click Next.
   g. Select "Microsoft Exchange ADAM" from the list of services, click Finish.
   h. Close the "Add Snap-in" dialog.
   i. Navigate to "Certificates Service" -> "ADAM_MSExchange\Personal" -> Certificates.
   j. You should see a single certificate here. Remove it.
3. On the Edge, unsubscribe, then create a new subscription file (you should see a new certificate show up at this point in the ADAM cert container from the step above) by calling new-edgesubscription.
4. Restart the "Microsoft Exchange ADAM" service.
5. Bring the file in and re-subscribe (new-edgesubscription on the Hub).

---
Rich Matheisen
MCSE+I, Exchange MVP
July 4th, 2010 7:03pm
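The same reset written out as Exchange Management Shell commands, as an added example that is neither Rich's nor Microsoft's own script. Server names are the ones from the thread; the subscription file path, the Active Directory site name and the Hub's IP address in the last line are placeholders to replace. Step 2 (deleting the certificate under ADAM_MSExchange\Personal) stays in the MMC exactly as described above and is not scripted; every other step runs in the shell on the server named in its section heading. The last line also addresses the event 1022 warning from the earlier post: the internal SMTP server list is set on the Hub and EdgeSync replicates it to the Edge.

```powershell
# Added example (not from the thread): Rich Matheisen's resubscription reset as EMS
# commands. Run each section on the server named in its heading.
# PLACEHOLDERS to replace: the subscription file path, the AD site name, the Hub IP.

### On the Hub Transport server (Company-EXCHCA): step 1
Get-EdgeSubscription | Remove-EdgeSubscription -Confirm:$false

### On the Edge Transport server (Company-EXCHED): steps 2, 3 and 4
# Step 2 (remove the certificate in ADAM_MSExchange\Personal) is done in the MMC
# as described in the post above; it is deliberately not scripted here.
Remove-EdgeSubscription -Identity Company-EXCHED -Confirm:$false    # step 3: unsubscribe
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"             # step 3: new subscription file
Restart-Service ADAM_MSExchange                                      # step 4: "Microsoft Exchange ADAM"

# Sanity check before copying the file over: the SMTP certificate the Edge now
# advertises must be the current (Valid) one, not the expired one.
$edgeSmtp = Get-ExchangeCertificate | Where-Object { $_.Services -like "*SMTP*" }
if (@($edgeSmtp | Where-Object { $_.Status -eq "Valid" }).Count -eq 0) {
    throw "No valid SMTP certificate on the Edge; fix the certificate before resubscribing."
}
$edgeSmtp | Format-List Subject, Thumbprint, NotAfter, Status

### Back on the Hub: step 5, after copying C:\EdgeSubscription.xml from the Edge
$siteName = "Default-First-Site-Name"                                # placeholder: your AD site
$fileData = [byte[]](Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $siteName

# Force a synchronization instead of waiting for the schedule, then verify it.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List

# Event 1022 on the Edge ("list of internal SMTP servers is empty"): populate the
# list on the Hub; EdgeSync copies it to the Edge. Use the Hub's own address, not
# the Edge's (10.0.0.75 in the errors above is the Edge).
Set-TransportConfig -InternalSMTPServers "10.0.0.1"                  # placeholder: Hub IP
```

Test-EdgeSynchronization should report a Normal sync status once the new subscription has been processed; if it still fails after Start-EdgeSynchronization, the direct-trust errors 1036 and 2018 usually mean the certificate the Edge published in the subscription file is not the one bound to SMTP on the Edge, which is why the block checks that before the file is copied.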

Hi Rich,

It was a hard time for me. You are the only guy who understood the issue; if you had helped me five hours earlier it would have been a great help. We had opened a call with Microsoft, and it was almost the same concept to resolve our issue, but a little bit different. Anyway, thanks for the solution and your precious time.

Regards,
Amjuu
July 4th, 2010 8:22pm
