event id 12017 An internal transport certificate will expire soon.
The thumbprint certificate referenced in the application error event log begins with 18A7. It will expire on 5/19/12.

I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.

Few questions: Do I update the 18A7 certificate only, as the A3BF appears to be a duplicate, and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.

How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something and break the e-mail system.

Do I just run the following to renew the 18A7 certificate?

"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP"

Do I need to remove the expiring certificate as well before I enable the new one?

Thanks,
Andrew

From the exchange 2007 management console, I executed: get-ExchangeCertificate | list

Below is a snippet of the output:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=xyz-xyz123-CA
NotAfter           : 5/19/2012 10:58:54 PM
NotBefore          : 5/20/2010 10:58:54 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=xyz-xyz123-CA
NotAfter           : 5/11/2012 10:48:44 PM
NotBefore          : 5/12/2010 10:48:44 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610Bxxxxxxxxxxxxxxxxxxx
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 24th, 2012 11:21pm

On Wed, 25 Apr 2012 03:21:07 +0000, exchange 2007 user wrote:

>The thumbprint certificate referenced in the application error event log begins with 18A7. It will expire on 5/19/12.
>
>I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.
>
>Few questions: Do I update the 18A7 certificate only, as the A3BF appears to be a duplicate, and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.
>
>How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something and break the e-mail system.
>
>Do I just run the following to renew the 18A7 certificate?

Both certificates will expire in May of 2012. Using either of them will produce the same warning. You need a new certificate that expires in, say, two years' time.

>"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP"
>
>Do I need to remove the expiring certificate as well before I enable the new one?

No, but it's pointless to keep expired certificates in the server's certificate store. After you install a new certificate and enable it for use by Exchange you can remove the expired certs.

>AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz123.xyz.local}
>HasPrivateKey      : True
>IsSelfSigned       : False
>Issuer             : CN=xyz-xyz123-CA
>NotAfter           : 5/19/2012 10:58:54 PM
>NotBefore          : 5/20/2010 10:58:54 PM
>PublicKeySize      : 2048
>RootCAType         : Registry
>SerialNumber       : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>Services           : IMAP, POP, SMTP
>Status             : Valid
>Subject            : CN=Sites
>Thumbprint         : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz123.xyz.local}
>HasPrivateKey      : True
>IsSelfSigned       : False
>Issuer             : CN=xyz-xyz123-CA
>NotAfter           : 5/11/2012 10:48:44 PM
>NotBefore          : 5/12/2010 10:48:44 PM
>PublicKeySize      : 2048
>RootCAType         : Registry
>SerialNumber       : 610Bxxxxxxxxxxxxxxxxxxx
>Services           : IMAP, POP, SMTP
>Status             : Valid
>Subject            : CN=Sites
>Thumbprint         : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

--- Rich Matheisen MCSE+I, Exchange MVP
April 24th, 2012 11:31pm

Thanks for your reply Rich.

So in summary, to correct this problem I plan on implementing the following commands. Is the sequence of commands correct?

1. Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP,POP,SMTP
2. Get-ExchangeCertificate | fl (to grab new thumbprint of the newly generated certificate)
3. Enable-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Services IMAP,POP,SMTP
4. Remove-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxx
5. (restart Microsoft Exchange Transport service)

Repeat steps 1 - 5 for second certificate thumbprint AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Thanks in advance,
Andrew
April 25th, 2012 11:38pm

On Thu, 26 Apr 2012 03:38:39 +0000, exchange 2007 user wrote:

>Thanks for your reply Rich.
>
>So in summary, to correct this problem I plan on implementing the following commands. Is the sequence of commands correct?

What CA issued your certificate? The information you provided says:

.. Issuer : CN=xyz-xyz123-CA

Is that YOUR CA? Or is it a commercial CA?

If it's your own, just create a new certificate request and use it to create a new cert. Import that and activate it.

--- Rich Matheisen MCSE+I, Exchange MVP
April 26th, 2012 7:47pm

Hi Rich, I had replaced the CA information with xyz and removed a lot of the thumbprint information for security reasons. All other information is unaltered. Ok, I will create a new certificate and enable them.
April 26th, 2012 9:04pm

Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.

Will that affect the operation of the certificates?

Thanks mucho Rich!

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/26/2017 6:28:12 PM
NotBefore          : 4/26/2012 6:28:12 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1A56F875D7ED17BE4E95D7C89C98653F
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/26/2017 6:20:17 PM
NotBefore          : 4/26/2012 6:20:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 436330ED97B389A4452B4B670DB0EE00
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 26th, 2012 9:39pm

On Fri, 27 Apr 2012 01:39:30 +0000, exchange 2007 user wrote:

>Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.
>
>Will that affect the operation of the certificates?

It shouldn't.

>Thanks mucho Rich!
>
>AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz-xyz123.local}
>HasPrivateKey      : True
>IsSelfSigned       : True
>Issuer             : CN=Sites
>NotAfter           : 4/26/2017 6:28:12 PM
>NotBefore          : 4/26/2012 6:28:12 PM
>PublicKeySize      : 2048
>RootCAType         : None
>SerialNumber       : 1A56F875D7ED17BE4E95D7C89C98653F
>Services           : IMAP, POP, SMTP
>Status             : Valid
>Subject            : CN=Sites
>Thumbprint         : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
>CertificateDomains : {Sites, xyz-xyz123.local}
>HasPrivateKey      : True
>IsSelfSigned       : True
>Issuer             : CN=Sites
>NotAfter           : 4/26/2017 6:20:17 PM
>NotBefore          : 4/26/2012 6:20:17 PM
>PublicKeySize      : 2048
>RootCAType         : None
>SerialNumber       : 436330ED97B389A4452B4B670DB0EE00
>Services           : IMAP, POP, SMTP
>Status             : Valid
>Subject            : CN=Sites
>Thumbprint         : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

--- Rich Matheisen MCSE+I, Exchange MVP
April 26th, 2012 9:46pm

There are no more event id 12017 entries in the application log since the certificate renewals. Thanks again Rich!
April 29th, 2012 1:37pm
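
The check behind this thread (which certificates are close to expiry, which are self-signed, and which are duplicates bound to the same services) can be scripted. The following is an added example, not code from either poster; the function name Get-CertExpiryReport, the 30-day window and the sample objects are assumptions, and it expects PowerShell 2.0 or later.

```powershell
# Added example: report expiry, issuer type and superseded duplicates for
# certificate objects shaped like the Get-ExchangeCertificate output above.
function Get-CertExpiryReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Certificate,
        [int] $WarnDays = 30,            # assumed warning window
        [datetime] $Now = (Get-Date)
    )
    # Certificates sharing subject and services are candidates for the same role.
    foreach ($group in ($Certificate | Group-Object { "$($_.Subject)|$($_.Services)" })) {
        $newest = $group.Group | Sort-Object NotAfter -Descending | Select-Object -First 1
        foreach ($cert in $group.Group) {
            $days = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
            if     ($days -lt 0)         { $state = 'Expired' }
            elseif ($days -le $WarnDays) { $state = 'ExpiringSoon' }
            else                         { $state = 'OK' }
            New-Object PSObject -Property @{
                Thumbprint = $cert.Thumbprint
                Services   = $cert.Services
                SelfSigned = $cert.IsSelfSigned
                DaysLeft   = $days
                State      = $state
                # True when a longer-lived certificate covers the same subject and services
                Superseded = ($cert.Thumbprint -ne $newest.Thumbprint)
            }
        }
    }
}

# Constructed sample mirroring the four certificates in the thread (thumbprints are placeholders).
$sample = @(
    @{ Thumbprint = '18A7-placeholder'; NotAfter = '2012-05-19 22:58:54'; IsSelfSigned = $false },
    @{ Thumbprint = 'AB3F-placeholder'; NotAfter = '2012-05-11 22:48:44'; IsSelfSigned = $false },
    @{ Thumbprint = '97EA-placeholder'; NotAfter = '2017-04-26 18:28:12'; IsSelfSigned = $true },
    @{ Thumbprint = '3F69-placeholder'; NotAfter = '2017-04-26 18:20:17'; IsSelfSigned = $true }
) | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint; NotAfter = [datetime]$_.NotAfter
        IsSelfSigned = $_.IsSelfSigned; Subject = 'CN=Sites'; Services = 'IMAP, POP, SMTP'
    }
}

Get-CertExpiryReport -Certificate $sample -Now ([datetime]'2012-04-27') |
    Sort-Object DaysLeft |
    Format-Table Thumbprint, DaysLeft, State, SelfSigned, Superseded -AutoSize
```

On a live server the same function can be fed with `Get-CertExpiryReport -Certificate (Get-ExchangeCertificate)`. The SelfSigned column makes the change seen in this thread visible: the replacements are self-signed, whereas the expiring certificates were issued by a CA.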

This topic is archived. No further replies will be accepted.
