
Exchange 2007 Certificate Issue: The STARTTLS certificate will expire soon ..........


Jack9000

Sep 30, 2008, 11:18:42 AM
I keep getting this error every 20 minutes.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 9/30/2008
Time: 10:56:01 AM
User: N/A
Computer: ATLMSX01
Description:
The STARTTLS certificate will expire soon: subject:
atlmsx01.drtango.int, hours remaining:
2C472839A89B20489439C03895C0F49EB62F94D2. Run the
New-ExchangeCertificate cmdlet to create a new certificate.


Certificate Info:

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {atlmsx01, atlmsx01.drtango.int}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=atlmsx01
NotAfter : 10/20/2008 5:47:54 PM
NotBefore : 10/20/2007 5:47:54 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : E92D53B18BFF4DBA4674E386709DFB35
Services : SMTP
Status : Valid
Subject : CN=atlmsx01
Thumbprint : 2C472839A89B20489439C03895C0F49EB62F94D2


How do I extend the Certificate?

Thanks

Andy David {MVP}

Sep 30, 2008, 11:22:20 AM

It tells ya:

Run the New-ExchangeCertificate cmdlet to create a new certificate


If this is a 3rd party cert, renew with the 3rd party authority.

>
>Thanks

Elan Shudnow

Sep 30, 2008, 11:38:45 AM
The certificate that has the -service set to SMTP will expire soon.
Having the SMTP enabled for TLS will allow the Receive Connector to
issue a StartTLS. Any connector that does not ignore StartTLS will
utilize TLS to encrypt SMTP data. If the certificate expires, mail
should still flow unless -RequireTLS was set on the connector which is
not set by default.

So all you really need to do is request a new certificate and ensure
that the services are set the same way as the old certificate. This
will allow the TLS selection process to select the best certificate
possible which should be the new one; especially if you delete the old
one.

Make sure you re-assign the certificate to other locations it may be
utilized. For example, ISA.

--
Elan Shudnow
http://www.shudnow.net

"Jack9000" <gdim...@gmail.com> wrote in message
news:d6b5567f-e605-4a91...@y21g2000hsf.googlegroups.com:

Oliver Moazzezi [MVP]

Sep 30, 2008, 11:44:42 AM
You should be able to make life easier generating a self signed cert (if you
aren't using a third party cert) by utilizing the following command

Get-ExchangeCertificate -thumbprint <thumbprint> | New-ExchangeCertificate

Oliver


Andy David {MVP}

Sep 30, 2008, 11:57:47 AM

All you have to do is type "New-ExchangeCertificate" if it's
self-signed for SMTP.
It will prompt you to overwrite and you are done.


>
>Oliver
>

John Whites

Sep 30, 2008, 12:39:45 PM
I have this same issue.

I have a third party cert running for my owa site which does not expire
until 2009...how will running that command affect my owa site, or will it?

-John

"Andy David {MVP}" <ada...@pleasekeepinngcheesebucket.com> wrote in message
news:q1j4e45f102ofvhdg...@4ax.com...

Andy David {MVP}

Sep 30, 2008, 8:08:29 PM
On Tue, 30 Sep 2008 11:39:45 -0500, "John Whites"
<whi...@union.k12.mo.us> wrote:

>I have this same issue.
>
>I have a third party cert running for my owa site which does not expire
>until 2009...how will running that command affect my owa site, or will it?

Is the HT and CAS role on the same server?
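
Added example (not part of any poster's message, and not Microsoft's own script): an Exchange Management Shell script for the expiry check and renewal discussed in this thread. The 30-day window and the variable names are assumptions; Enable-ExchangeCertificate and Remove-ExchangeCertificate are Exchange cmdlets the thread does not mention.

```powershell
# Added example. Run in the Exchange Management Shell; this part only reads state.
$warnDays = 30          # assumed warning window, not a value from the thread
$now      = Get-Date

# Inventory every certificate Exchange knows about, with days left until NotAfter.
$certs = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, Services,
    IsSelfSigned, NotAfter,
    @{ Name = 'DaysLeft'; Expression = { [int][math]::Floor(($_.NotAfter - $now).TotalDays) } }

$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, DaysLeft -AutoSize |
    Out-Host

# Certificates enabled for SMTP are the ones event 12018 warns about.
$expiring = @($certs | Where-Object {
    $_.DaysLeft -le $warnDays -and "$($_.Services)" -match 'SMTP'
})

foreach ($c in $expiring) {
    if ($c.IsSelfSigned) {
        # Self-signed: clone the old certificate's settings into a new one.
        Write-Host "$($c.Thumbprint) ($($c.Services)): self-signed, $($c.DaysLeft) day(s) left."
        Write-Host "  Renew: Get-ExchangeCertificate -Thumbprint $($c.Thumbprint) | New-ExchangeCertificate"
    } else {
        # Issued by a CA: renewal has to go through that authority.
        Write-Host "$($c.Thumbprint) ($($c.Services)): CA-issued, $($c.DaysLeft) day(s) left."
        Write-Host "  Renew through the issuing authority, then import the new certificate."
    }
}
if ($expiring.Count -eq 0) { Write-Host "No SMTP certificate expires within $warnDays days." }

# After renewing (placeholders, fill in from the inventory above):
#   Enable-ExchangeCertificate -Thumbprint <new-thumbprint> -Services SMTP
#   Remove-ExchangeCertificate -Thumbprint <old-thumbprint>
# Check the Services column first: a certificate that is also bound to IIS, POP or
# IMAP needs those services assigned to its replacement before the old one is removed.
```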
