Background: I have Exchange 2007 single server model with ISA 2006 (reverse proxy) Everything is functioning but started seeing Event ID: 12018 The STARTTLS certificate will expire soon I initially bought Verisign cert, and the upgraded to Verisign SAN cert when I installed the ISA server. This SAN cert includes the autodiscovery URL's so Outlook Anywhere functions through the ISA. When I issue Get-ExchangeCertificate |fl command it appears that there are 2 certificated installed. The first one listed is the one with the SAN Names and is set to expire in 9/2011 so no problem there. The second cert listed is going to expire 2/2010. It also has a common name that is the actual server name , whereas I use "webmail.company.com" for both internal and external networks. My question is can I just remove the old cert that has the wrong CN and is set to expire? I checked my default web site under IIS and that appears to point to the correct cert, but why the expiration error in the logs if that cert is not being used? Thank you!

On Tue, 29-Dec-09 18:24:25 GMT, edubbs72 wrote:he SAN Names and is set to expire in 9/2011 so no problem there. The second cert listed is going to expire 2/2010. It also has a common name that is the actual server name , whereas I use "webmail.company.com" for both internal and external networks. My question is can I just remove the old cert that has the wrong CN and is set to expire? I checked my default web site under IIS and that appears to point to the correct cert, but why the expiration error in the>logs if that cert is not being used? Thank you! Is the new certificate installed on both the ISA server and themachine acting in the CAS role? Hav you selected the correctcertificate on the "Listenenr" you use on the ISA server's publishingrules?---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

Hi, The second certificate is created when the Exchange Server is installed. It is a self-signed certificate. You can refer to following article for more information regarding the certificate Certificate Use in Exchange Server 2007 http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx By default, some internal components still use the self-signed certificate. For example, internal mail flow between Exchange 2007 Hub Transport server. Therefore, I do not recommend that you simply remove the certificate. Instead, you can run following command to clone the self-signed certificate: Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate –Service SMTP Note: The thumbprint is the thumbprint of the certificate to be renewed. Mike Shen TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com

Update: I used the command above. Initially, it appeared to have cloned all three certs, probably because I did not include the thumbprint of the cert I was cloning. I manually removed the cloned certs and ran the command again with thumbprint of the correct cert. This worked, however I started getting warnings about the server looking for a cert in the personal store that was not there. I then ran the Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxx -Services "SMTP command and pointed the smtp services to the correct cert. Then rebooted the Exchange server and so far no errors, just a warning about my anti-spam agent not having an smtp server listed. That is the least of my worries since mail is ran through Postini on its way in. Thanks. It actually looks like I have 3 certs installed. Using MMC to look as certs installed on the local computer (Exchange server) 1. Issued to: Exchange Server Issued by: Exchange Server Purpose: Server Authentication Expires: 1/21/2010 2. Issued to: webmail.company.com Issued by: Verisign Purpose: Server Authentication, Client Authentication Expires: 2/3/2010 3. Issued to: webmail.company.com Issued by: Verisign Purpose: Server Authentication, Client Authentication (SAN) Expires: 9/14/2011 Error message references TLS Cert: Event Type: Warning Event Source: MSExchangeTransport Event Category: TransportService Event ID: 12018 Date: 1/4/2010 Time: 2:04:33 PM User: N/A Computer: (Exchange server name) Description: The STARTTLS certificate will expire soon: subject: (Servername.Domainaname), hours remaining: D9E2326F676EF6F6552BDB49064A8A94A85BE6FD. Run the New-ExchangeCertificate cmdlet to create a new certificate. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. ~Eric