Exchange 2007 SP1 Internal Certificate Issue
Hello Exchange Gurus,
How do I resolve internal certificate issues? The VeriSign certificate is valid up to September 2010.
Application logs at the Client Access Server (CAS & Hub on one box)
Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12016
Date: 7/3/2010
Time: 9:27:26 AM
User: N/A
Computer: Company-EXCHCA
Description:
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of Company-EXCHCA.company.com.sa. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of Company-EXCHCA.Company.com.sa should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12015
Date: 7/3/2010
Time: 9:49:00 AM
User: N/A
Computer: company-EXCHCA
Description:
An internal transport certificate expired. Thumbprint:59A771BE23F9025FE5536442195FFEFE404757
Application Logs at Edge Transport Server
Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12019
Date: 7/3/2010
Time: 9:17:24 AM
User: N/A
Computer: Comapny-EXCHED
Description:
The remote internal transport certificate expired. Certificate subject: CN=Company-EXCHCA.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12015
Date: 7/3/2010
Time: 9:17:23 AM
User: N/A
Computer: Comapny-EXCHED
Description:
An internal transport certificate expired. Thumbprint:5563AB42F7225FF5332FE2E4CB702182493531
Certificate info exported at Edge Transport Server
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Company-EXCHED, Company-EXCHED.Company.com.sa}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Company-EXCHED
NotAfter : 6/27/2010 11:37:09 AM
NotBefore : 6/27/2009 11:37:09 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 839F56CB868DC58392AC7600BF4164
Services : SMTP
Status : Invalid
Subject : CN=Company-EXCHED
Thumbprint : 5563AB42F7225F6DF52FE2E4CB702182493531
Please advise. Thanks in advance.
Regards, Amjuu ..
July 3rd, 2010 10:09am
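The events above (12015/12016) name an expired self-signed transport certificate by thumbprint. As an added example that is not part of the original post, the following Exchange Management Shell commands find every expired SMTP certificate, create a replacement self-signed certificate for the host and its FQDN, bind SMTP to it and remove the expired one. It is run once on the Hub/CAS box and once on the Edge box; the friendly name is an assumed placeholder, and Exchange may prompt to overwrite the default SMTP certificate (the "Yes to All" prompt mentioned later in the thread).

```powershell
# Added example (not from the thread): replace an expired internal transport
# certificate on Exchange 2007 SP1. Run in the Exchange Management Shell on each
# server that logged event 12015. Friendly name below is an assumed placeholder.

# 1. Inventory every Exchange certificate. The expired internal one shows
#    IsSelfSigned=True, Services containing SMTP, NotAfter in the past, Status Invalid.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, Services, IsSelfSigned, NotAfter, Status -AutoSize

# Collect the expired SMTP certificates; the thumbprint from event 12015 should be here.
$expired = Get-ExchangeCertificate | Where-Object {
    $_.NotAfter -lt (Get-Date) -and $_.Services -match 'SMTP'
}
if ($expired) {
    $expired | ForEach-Object {
        Write-Warning ("Expired SMTP certificate {0} ({1}), NotAfter {2}" -f $_.Thumbprint, $_.Subject, $_.NotAfter)
    }
}

# 2. Create a replacement self-signed certificate for the short host name and the FQDN,
#    enabled for SMTP only, so the third-party certificate bound to IIS (OWA/webmail)
#    keeps its binding.
$hostName = $env:COMPUTERNAME
$fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName   # e.g. Company-EXCHCA.company.com.sa
$newCert  = New-ExchangeCertificate -SubjectName "cn=$hostName" `
                -DomainName $hostName, $fqdn `
                -Services SMTP `
                -FriendlyName "Internal transport certificate" `
                -PrivateKeyExportable $true

# 3. Bind SMTP to the new thumbprint, then remove the expired certificates so the
#    transport service stops logging 12015/12016 for them.
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services SMTP
if ($expired) {
    $expired | ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }
}

# 4. Verify: the new certificate is Valid and the IIS binding still points at the
#    public certificate, not at the one just created.
Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Status
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, Issuer, NotAfter, Status
```

On the Edge Transport server this step has a side effect the thread goes on to hit: the Hub's EdgeSync direct trust is keyed to the Edge certificate's thumbprint, so after the Edge certificate changes, Hub-to-Edge authentication fails (events 1036/2018) until the Edge subscription is removed and recreated.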
Hi ,
Check your server date and time, because if the certificate is valid then the problem is that your date and time are not set properly.
Also read this
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12016&EvtSrc=MSExchangeTransport&LCID=1033
And this
http://support.microsoft.com/kb/555855
I hope this will resolve your problem.
Regards.
Shafaquat Ali, M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 3rd, 2010 11:53am
Dear Shafaquat,
The date & time are fine on the Exchange servers. I'm getting the error for the internal certificate, not for the VeriSign SSL certificate.
The internal certificate has expired. How do I create a new internal certificate on the Client Access & Edge servers?
Thanks.
Regards, Amjuu ..
July 4th, 2010 8:36am
Hi Amjuu,
Use this command please:
New-ExchangeCertificate -GenerateRequest -Path c:\yourdomain_com.req -KeySize 2048 -SubjectName "c=PK, s=Sindh, l=Karachi, o=Ali, ou=Ali, cn=yourdomain.com" -DomainName yourdomain.com, yourdomain.local, autodiscover.yourdomain.com, owa.yourdomain.com -PrivateKeyExportable $True
Also edit it with your domain names.
Regards.
Shafaquat Ali
M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 4th, 2010 8:43am
Hi Shafaquat,
I'm confused by all the parameters.
Our domain name: company.com.sa
Instead of all the parameters, I'm executing New-ExchangeCertificate (Yes to All) in the EMS on the Client Access & Edge Transport servers. Does it affect the VeriSign cert (webmail.company.com.sa)?
Is New-ExchangeCertificate required on both (CAS & Edge) servers?
Please advise, thanks for your time.
Regards, Amjuu ..
July 4th, 2010 12:44pm
Hi Amjuu ,
Please confirm all your cert configuration and let me know in detail what you want to do.
As per your question, I told you how to issue a new cert from your local CA server, and VeriSign will be used for CAS & Edge, I think, so please tell me in detail what you want to do.
Regards.
Shafaquat Ali, M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 4th, 2010 1:12pm
Hi,
I just overwrote the cert at Edge and CAS and am getting the following errors; mail is unable to flow from internal to external and vice versa.
No sync between CAS & Edge, please advise.
Client Access server errors
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1036
Date: 7/4/2010
Time: 1:41:00 PM
User: N/A
Computer: company-EXCHCA
Description:
Inbound direct trust authentication failed for certificate CN=company-EXCHED. The source IP address of the server that tried to authenticate to Microsoft Exchange is [10.0.0.75]. Make sure EdgeSync is running properly.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SmtpSend
Event ID: 2018
Date: 7/4/2010
Time: 1:37:13 PM
User: N/A
Computer: KJO-EXCHCA
Description:
Outbound direct trust authentication failed for certificate CN=company-EXCHED. The target IP address of the Exchange server that Microsoft Exchange tried to authenticate to is [10.0.0.75]. Make sure EdgeSync is running properly.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Edge server errors
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1022
Date: 7/4/2010
Time: 1:12:11 PM
User: N/A
Computer: company-EXCHED
Description:
Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: SmtpReceive
Event ID: 1022
Date: 7/4/2010
Time: 1:10:58 PM
User: N/A
Computer: company-EXCHED
Description:
Anti-spam agents are enabled, but the list of internal SMTP servers is empty. If there are any MTAs between this server and the Internet, populate this list by using the Set-TransportConfig cmdlet in the Exchange Management Shell.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Regards, Amjuu ..
July 4th, 2010 1:53pm
Hi ,
Please follow the articles below.
For 1022
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=1022&EvtSrc=MSExchangeTransport&LCID=1033
For 1036
http://support.microsoft.com/kb/937031
Regards.
Shafaquat Ali, M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2
July 4th, 2010 2:07pm
Have you enabled all the services, including SMTP, for the existing, valid VeriSign certificate? (I can't really tell from your posts if that VeriSign cert is installed on the CAS/HUB servers.) If so, that's all you have to do.
enable-exchangecertificate
July 4th, 2010 4:43pm
On Sun, 4 Jul 2010 10:53:15 +0000, Amjuu wrote:
>I just overwrite cert at Edge and CAS, getting following errors, unable to flow from internal to external vice versa.
>
>No sync between CAS & Edge please advise.
Try this (stolen from someone smarter than me!):
1. On the Hub, remove the subscription.
2. On the Edge, remove the cert used by ADAM to establish secure connections. You can do this by following these steps:
a. Open up an empty mmc console (Run -> mmc)
b. Select File -> Add / Remove Snap-in
c. Hit Add
d. Select "Certificates" from the list of Snap-Ins available, and hit Add.
e. Select "Service Account" on the "Certificates Snap-In" page, click Next.
f. Select "Local Computer" on the "Select Computer" page, click Next.
g. Select "Microsoft Exchange ADAM" from the list of services, click Finish.
h. Close the "Add Snap-in" dialog.
i. Navigate to "Certificates Service" -> "ADAM_MSExchange\Personal" -> Certificates
j. You should see a single certificate here. Remove it.
3. On the Edge, unsubscribe, then create a new subscription file (you should see a new certificate show up at this point in the ADAM cert container from the step above) by calling new-edgesubscription.
4. Restart the "Microsoft Exchange ADAM" service.
5. Bring the file in and re-subscribe (new-edgesubscription on the Hub).
---
Rich Matheisen
MCSE+I, Exchange MVP
July 4th, 2010 7:03pm
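The resubscription procedure in Rich's post, written out as the corresponding Exchange Management Shell commands. This is an added example, not part of the thread; the Edge server name Company-EXCHED is taken from the thread, while the subscription file path and the Active Directory site name "Default-First-Site-Name" are assumed placeholders. The MMC step that deletes the old certificate from the ADAM_MSExchange service store has no cmdlet equivalent here and is done by hand as described above.

```powershell
# Added example (not from Rich's post): recreate the Edge subscription after the Edge
# transport certificate has been replaced. Server name from the thread; file path and
# AD site name are assumed placeholders.

### On the Hub Transport server ###
# 1. Remove the existing subscription so the Hub forgets the Edge's old certificate
#    thumbprint, which is what "direct trust authentication failed" (1036/2018) refers to.
Remove-EdgeSubscription -Identity "Company-EXCHED" -Confirm:$false

### On the Edge Transport server ###
# 2. First delete the old certificate from the ADAM_MSExchange\Personal store in MMC
#    (steps 2a-2j above). Then drop the local subscription state and generate a new
#    subscription file; a fresh certificate appears in the ADAM store at this point.
Remove-EdgeSubscription -Identity "Company-EXCHED" -Confirm:$false
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"   # assumed path

# 3. Restart ADAM ("Microsoft Exchange ADAM") so it picks up the new certificate.
Restart-Service -Name ADAM_MSExchange

### Back on the Hub Transport server, after copying EdgeSubscription.xml over ###
# 4. Import the subscription file as a byte array and bind it to the AD site that
#    holds the Hub Transport server.
$fileData = [byte[]](Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# 5. Trigger a synchronization now and confirm it reports success before testing
#    mail flow in both directions.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List
```

The subscription file carries bootstrap credentials that are only valid for a limited time (1440 minutes in Exchange 2007), so step 4 should follow step 2 without a long delay; if it does not, generate a new file rather than importing the stale one.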
Hi Rich,
It was a hard time for me. You are the only guy who understood the issue; if you had helped me 5 hours earlier it would have been a great help.
We had opened a call with Microsoft; almost the same concept to resolve our issue, but a little bit different.
Anyway, thanks for the solution & precious time.
Regards, Amjuu ..
July 4th, 2010 8:22pm