event id 12017 An internal transport certificate will expire soon.
The thumbprint certificate referenced in the application error event log begins with 18A7. It will expire on 5/19/12.

I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.

Few questions: Do I update the 18A7 certificate only, as the A3BF appears to be a duplicate, and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.

How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something and break the e-mail system.

Do I just run the following to renew the 18A7 certificate?

"Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP POP SMTP"

Do I need to remove the expiring certificate as well before I enable the new one?

Thanks,
Andrew

From the Exchange 2007 management console, I executed:

get-ExchangeCertificate | list

Below is a snippet of the output:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=xyz-xyz123-CA
NotAfter           : 5/19/2012 10:58:54 PM
NotBefore          : 5/20/2010 10:58:54 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz123.xyz.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=xyz-xyz123-CA
NotAfter           : 5/11/2012 10:48:44 PM
NotBefore          : 5/12/2010 10:48:44 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610Bxxxxxxxxxxxxxxxxxxx
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 24th, 2012 11:21pm

On Wed, 25 Apr 2012 03:21:07 +0000, exchange 2007 user wrote:

> The thumbprint certificate referenced in the application error event log begins with 18A7. It will expire on 5/19/12.
>
> I included the second certificate (begins with A3BF) as they appear to be duplicates. There were no event log warnings regarding the second certificate expiring.
>
> Few questions: Do I update the 18A7 certificate only as the A3BF appears to be a duplicate and allow that one to expire? The second one is coming due on 5/11/12 but I never got an expiration notice in the event log.
>
> How would I go about properly renewing the 18A7 certificate? I don't want to fat finger something break the e-mail system.
>
> Do I just run the following to renew the 18A7 certificate?

Both certificates will expire in May of 2012. Using either of them will produce the same warning. You need a new certificate that expires in, say, two years' time.

> "Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP POP SMTP"
>
> Do I need to remove the expiring certificate as well before I enable the new one?

No, but it's pointless to keep expired certificates in the server's certificate store. After you install a new certificate and enable it for use by Exchange you can remove the expired certs.

> AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
> CertificateDomains : {Sites, xyz123.xyz.local}
> HasPrivateKey      : True
> IsSelfSigned       : False
> Issuer             : CN=xyz-xyz123-CA
> NotAfter           : 5/19/2012 10:58:54 PM
> NotBefore          : 5/20/2010 10:58:54 PM
> PublicKeySize      : 2048
> RootCAType         : Registry
> SerialNumber       : 61Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Services           : IMAP, POP, SMTP
> Status             : Valid
> Subject            : CN=Sites
> Thumbprint         : 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
> CertificateDomains : {Sites, xyz123.xyz.local}
> HasPrivateKey      : True
> IsSelfSigned       : False
> Issuer             : CN=xyz-xyz123-CA
> NotAfter           : 5/11/2012 10:48:44 PM
> NotBefore          : 5/12/2010 10:48:44 PM
> PublicKeySize      : 2048
> RootCAType         : Registry
> SerialNumber       : 610Bxxxxxxxxxxxxxxxxxxx
> Services           : IMAP, POP, SMTP
> Status             : Valid
> Subject            : CN=Sites
> Thumbprint         : AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---
Rich Matheisen
MCSE+I, Exchange MVP
April 24th, 2012 11:31pm

Thanks for your reply Rich. So in summary, to correct this problem I plan on implementing the following commands. Is the sequence of commands correct?

1. Get-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxx | New-ExchangeCertificate -Services IMAP POP SMTP
2. Get-ExchangeCertificate | fl (to grab the new thumbprint of the newly generated certificate)
3. Enable-ExchangeCertificate -Thumbprint <thumbprint of new certificate> -Services IMAP POP SMTP
4. Remove-ExchangeCertificate -Thumbprint 18A7xxxxxxxxxxxxxxxxxxxxxxxxxxx -Services IMAP POP SMTP
5. (restart the Microsoft Exchange Transport service)

Repeat steps 1 - 5 for the second certificate thumbprint AB3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Thanks in advance,
Andrew
April 25th, 2012 11:38pm
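The following is an added example and is not code from the thread or from Microsoft. It puts the two things discussed above into one Exchange Management Shell script: a check that lists certificates approaching expiry (the condition behind event ID 12017 in the opening post), and the five-step renew/enable/remove sequence from the post above, with verification between the steps so that the old certificate is only removed after the new one is confirmed enabled. All thumbprints are placeholders, the function names are the example's own, and it assumes the Exchange 2007 Management Shell cmdlets are loaded. Note that `-Services` takes a comma-separated list (`'IMAP, POP, SMTP'`), and `Remove-ExchangeCertificate` takes only a thumbprint.

```powershell
# Added example, not from the thread. Assumes the Exchange 2007 Management Shell.
# Thumbprints below are placeholders.

function Get-ExpiringExchangeCertificate {
    # Lists Exchange certificates that expire within $DaysAhead days.
    # This is the same condition that makes the transport service log event 12017.
    param([int]$DaysAhead = 30)
    $cutoff = (Get-Date).AddDays($DaysAhead)
    Get-ExchangeCertificate |
        Where-Object { $_.NotAfter -le $cutoff } |
        Select-Object Thumbprint, NotAfter, IsSelfSigned, Issuer, Services, CertificateDomains
}

function Renew-ExchangeCertificateByClone {
    # Clones an existing certificate into a new self-signed one (same subject and
    # domains), enables the clone for the given services, and removes the old one
    # only after the clone is confirmed present and enabled.
    param(
        [Parameter(Mandatory = $true)][string]$OldThumbprint,
        [string]$Services = 'IMAP, POP, SMTP',
        [switch]$RestartTransport
    )

    $old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
    if (-not $old) { throw "No certificate with thumbprint $OldThumbprint found." }

    # Step 1: clone. Piping the old certificate into New-ExchangeCertificate produces a
    # new self-signed certificate carrying the same subject and CertificateDomains.
    $new = $old | New-ExchangeCertificate -Services $Services
    if (-not $new) { throw "New-ExchangeCertificate returned nothing; aborting before any removal." }

    # Step 2: verify the clone instead of eyeballing 'fl' output.
    if ($new.NotAfter -le $old.NotAfter) {
        throw "New certificate $($new.Thumbprint) does not expire later than the old one; aborting."
    }
    $missing = $old.CertificateDomains | Where-Object { $new.CertificateDomains -notcontains $_ }
    if ($missing) {
        throw "New certificate is missing domain(s): $($missing -join ', '); aborting."
    }
    if ($new.IsSelfSigned -and -not $old.IsSelfSigned) {
        # A clone is self-signed (Issuer = Subject, RootCAType None), so it no longer
        # chains to the CA that issued the original. Fine for the internal transport
        # certificate; clients that previously trusted the CA chain will not trust this one.
        Write-Warning "Clone $($new.Thumbprint) is self-signed; the original was issued by '$($old.Issuer)'."
    }

    # Step 3: enable the clone for the services.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $Services -Confirm:$false
    $enabled = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if (-not $enabled -or [string]$enabled.Services -notmatch 'SMTP') {
        throw "New certificate $($new.Thumbprint) is not enabled for SMTP; old certificate left in place."
    }

    # Step 4: only now remove the old certificate.
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false

    # Step 5: restart transport so it picks up the new certificate.
    if ($RestartTransport) { Restart-Service MSExchangeTransport }

    # Return a small record for the change log.
    [pscustomobject]@{
        OldThumbprint = $OldThumbprint
        NewThumbprint = $new.Thumbprint
        NewNotAfter   = $new.NotAfter
        SelfSigned    = $new.IsSelfSigned
    }
}

# Usage (placeholder thumbprints):
#   Get-ExpiringExchangeCertificate -DaysAhead 30 | Format-List
#   Renew-ExchangeCertificateByClone -OldThumbprint '18A7PLACEHOLDER...' -RestartTransport
#   Renew-ExchangeCertificateByClone -OldThumbprint 'AB3FPLACEHOLDER...'
```

The design choice worth noting is the ordering: the old certificate is removed only after the new one is verified present, later-expiring, covering the same domains, and enabled, so a failed clone or a typo in a thumbprint leaves the working certificate in place. Running `Get-ExpiringExchangeCertificate` on a schedule also catches the second certificate in this thread, which was expiring a week earlier but never produced a warning in the event log.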

Hi Rich, I had replaced the CA information with xyz and removed a lot of the thumbprint information for security reasons. All other information is unaltered. Ok, I will create new certificates and enable them.
April 26th, 2012 9:04pm

Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.

Will that affect the operation of the certificates?

Thanks mucho Rich!

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/26/2017 6:28:12 PM
NotBefore          : 4/26/2012 6:28:12 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1A56F875D7ED17BE4E95D7C89C98653F
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, xyz-xyz123.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 4/26/2017 6:20:17 PM
NotBefore          : 4/26/2012 6:20:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 436330ED97B389A4452B4B670DB0EE00
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
April 26th, 2012 9:39pm

On Fri, 27 Apr 2012 01:39:30 +0000, exchange 2007 user wrote:

> Ok, I just created two new certificates for the ones expiring on 5/11 and 5/19/12. The only thing I notice that's different with the new certificates is that they do not say "Issuer CN=xyz-xyz123-CA." Both of them say CN=Sites.
>
> Will that affect the operation of the certificates?

It shouldn't.

> Thanks mucho Rich!
>
> AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
> CertificateDomains : {Sites, xyz-xyz123.local}
> HasPrivateKey      : True
> IsSelfSigned       : True
> Issuer             : CN=Sites
> NotAfter           : 4/26/2017 6:28:12 PM
> NotBefore          : 4/26/2012 6:28:12 PM
> PublicKeySize      : 2048
> RootCAType         : None
> SerialNumber       : 1A56F875D7ED17BE4E95D7C89C98653F
> Services           : IMAP, POP, SMTP
> Status             : Valid
> Subject            : CN=Sites
> Thumbprint         : 97EAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
> CertificateDomains : {Sites, xyz-xyz123.local}
> HasPrivateKey      : True
> IsSelfSigned       : True
> Issuer             : CN=Sites
> NotAfter           : 4/26/2017 6:20:17 PM
> NotBefore          : 4/26/2012 6:20:17 PM
> PublicKeySize      : 2048
> RootCAType         : None
> SerialNumber       : 436330ED97B389A4452B4B670DB0EE00
> Services           : IMAP, POP, SMTP
> Status             : Valid
> Subject            : CN=Sites
> Thumbprint         : 3F69xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---
Rich Matheisen
MCSE+I, Exchange MVP
April 26th, 2012 9:46pm

There are no more event id 12017 entries in the application log since the certificate renewals. Thanks again Rich!
April 29th, 2012 1:37pm
