Exchange 2007 - The STARTTLS certificate will expire soon


Jeff7492

Jun 27, 2008, 12:11:01 PM
Hello,

Here is the event log warning I am getting:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 6/27/2008
Time: 10:02:37 AM
User: N/A
Computer: GEMINI
Description:
The STARTTLS certificate will expire soon: subject:
gemini.inet.empirenow.com, hours remaining:
AEBDDBF48827DBA3ED5A90AA123E61F94FC1992C. Run the New-ExchangeCertificate
cmdlet to create a new certificate.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


My Exchange 2007 environment is: 1 Mailbox server, 1 Hub Transport/Client
Access Server, I use hosted Exchange services thru AT&T for the Edge
Transport Server.

When I view my certs using the cmdlet Get-ExchangeCertificate | format-list
I get:

[PS] C:\Documents and Settings\jcurtiss\Desktop>Get-ExchangeCertificate | format-list


AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.empirenow.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
NotAfter : 12/4/2010 6:59:59 PM
NotBefore : 12/4/2007 7:00:00 PM
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : 3435DE8D1E99DCFAFAD0D92CB5F4C925
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=mail.empirenow.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Empire Financial, O="Empire Financial Group, Inc.", L=Longwood, S=Florida, C=US
Thumbprint : E2E60C791DA4CA23ED4CDBB14E23E4FA1A457667

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {gemini, gemini.inet.empirenow.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=gemini
NotAfter : 7/22/2008 3:11:22 PM
NotBefore : 7/22/2007 3:11:22 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 5C45A8B1BDE922B9492C7CA2A595DE35
Services : SMTP
Status : Valid
Subject : CN=gemini
Thumbprint : AEBDDBF48827DBA3ED5A90AA123E61F94FC1992C

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.empirenow.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
NotAfter : 12/5/2007 6:59:59 PM
NotBefore : 12/4/2006 7:00:00 PM
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : 67DD85727C0A8BB8F0AC3EED422A8D7C
Services : IMAP, POP
Status : DateInvalid
Subject : CN=mail.empirenow.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Empire Financial, O="Empire Financial Group, Inc.", L=Longwood, S=Florida, C=US
Thumbprint : 73DA106BFECC1C70614FBBB247085803228A5B6E

This tells me:
#1 That I have one old cert for IMAP and POP - I guess I can just delete
this one?

#2 My cert for SMTP will expire on 7/22/2008 - This is a cert generated by
my HTS/CAS named Gemini during setup I guess.

#3 I have a cert from Verisign for the IMAP, POP, and IIS services

My question is, can I just reassign the SMTP service to use the Verisign
cert? How will this affect my clients? (MAPI, OWA, Outlook Anywhere)

If I can't use the Verisign cert, will I just need to generate a new one
using the New-ExchangeCertificate cmdlet as explained in the event log
message?

Thanks in advance,

Jeff

Bharat Suneja [MSFT]

Jun 27, 2008, 1:36:10 PM
You can use the Verisign cert - just make sure the Subject Name matches the
fqdn.

--
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog

This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.

Jeff7492

Jun 27, 2008, 1:56:00 PM
Thank you for your response Bharat. That's where there may be a problem.
The Verisign cert and the cert that is expiring do not match in the Subject
Name, as you can see below.

I'm not sure what my options are at this point. Should I just create a new
certificate? Any advice would be appreciated.

Bharat Suneja [MSFT]

Jun 27, 2008, 2:18:11 PM
Sure, just have Exchange renew the self-issued certificate in that case.

Exchange Server 2007: Renewing the self-signed certificate
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

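
An added example, not part of the original thread and not Microsoft's or the posters' code: a read-only audit for the Exchange Management Shell that applies the two checks discussed above, whether a certificate's names include the server FQDN and how long the SMTP certificate has left. The 30-day threshold, the helper name Test-NameCoversFqdn and the DNS lookup used to obtain the FQDN are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on the Hub Transport server.
# $WarnDays is an assumed alert threshold, not a value Exchange itself uses.
$WarnDays = 30
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-NameCoversFqdn([string]$Name, [string]$HostFqdn) {
    # Hypothetical helper: exact match, or a wildcard covering one extra label.
    if ($Name -ieq $HostFqdn) { return $true }
    if ($Name.StartsWith('*.')) {
        $suffix = $Name.Substring(1).ToLower()   # "*.example.com" -> ".example.com"
        $h = $HostFqdn.ToLower()
        if ($h.EndsWith($suffix)) {
            $left = $h.Substring(0, $h.Length - $suffix.Length)
            return (($left.Length -gt 0) -and ($left.IndexOf('.') -lt 0))
        }
    }
    return $false
}

Get-ExchangeCertificate | ForEach-Object {
    $cert = $_
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $covers = $false
    foreach ($n in $names) {
        if (Test-NameCoversFqdn $n $Fqdn) { $covers = $true }
    }
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $usesSmtp = "$($cert.Services)" -match 'SMTP'

    # Order matters: an expired certificate is unusable whatever its names are.
    if (("$($cert.Status)" -ne 'Valid') -or ($daysLeft -lt 0)) {
        $verdict = 'Expired or invalid: not usable for STARTTLS'
    } elseif (-not $covers) {
        $verdict = "Names do not include $($Fqdn): do not assign to SMTP"
    } elseif ($usesSmtp -and ($daysLeft -le $WarnDays)) {
        $verdict = 'SMTP certificate expiring: renew before NotAfter'
    } else {
        $verdict = 'OK'
    }

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Thumbprint $cert.Thumbprint
    $row | Add-Member NoteProperty Services   "$($cert.Services)"
    $row | Add-Member NoteProperty Names      ([string]::Join(', ', $names))
    $row | Add-Member NoteProperty DaysLeft   $daysLeft
    $row | Add-Member NoteProperty Verdict    $verdict
    $row
} | Format-List
```

Against the listing posted in this thread, on the day of the post, the VeriSign certificate for mail.empirenow.com would be reported as not covering gemini.inet.empirenow.com, and the self-signed CN=gemini certificate as the SMTP certificate due for renewal.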

Jeff7492

Jun 27, 2008, 2:27:03 PM
Great! Thanks so much! Great info!