Solved

Exchange Certificates - How do I know which certificate is to be renewed?

Posted on 2011-03-22
Last Modified: 2012-05-11
Hello masters,

On my server I checked the certificates with the command Get-ExchangeCertificate and I got some certificates. But I'm not sure which certificate I need to renew, because there are two with the same name.
I need to renew because when I open MS Outlook the following message appears (The security certificate has expired or is not yet valid).
Please check the .xlsx file Certificates - Thumbprint.
Can you help me, please?


Thank you
Marcio Santos
 Certificates.xlsx
Question by:ms_ps2004
LVL 74

Expert Comment

by:Glen Knight
ID: 35189983
From the Exchange Management Console run:

Get-ExchangeCertificate | fl IsSelfSigned, Subject, NotAfter, ThumbPrint

The NotAfter field is the expiration date.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35190054
Open your mmc

Start, Run -> mmc -> add remove snapins -> certificates -> computer certificates


Check the personal store and see the expiry dates; any one that has expired you can delete.
0
 

Author Comment

by:ms_ps2004
ID: 35192872
Thank you for the support, demazter / Akhater.

I executed the command and I got the following results; please see the attached file.

Thank you
Get-ExchangeCertificate2.docx
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35193926
You have quite a few expired; however, to answer more accurately you need to run

Get-ExchangeCertificate | fl Subject, NotAfter, ThumbPrint, Services

Check which one is assigned to the IIS service; this is the one you want to renew.
0
 

Author Comment

by:ms_ps2004
ID: 35336128
Sorry for the delayed response, everyone.

I ran the commands and checked all the certificates, but I still do not know what I have to upgrade.

Please could you help me?

Thanks.
Marcio Santos
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35336185
Can you post the output of:

Get-ExchangeCertificate | fl Subject, NotAfter, ThumbPrint, Services
0
 

Author Comment

by:ms_ps2004
ID: 35337581
[PS] C:\>Get-ExchangeCertificate | fl Subject, NotAfter, ThumbPrint, Services


Subject    : CN=spo2k3mx01, DC=unifi, DC=br
NotAfter   : 24/3/2012 01:21:51
Thumbprint : 3BF07F76F94033DA5C316794F0DA0B7532FE5F29
Services   : None

Subject    : CN=alf2k3mx03, DC=unifi, DC=br
NotAfter   : 4/1/2012 20:58:33
Thumbprint : 97D957221B12FB77227771962B1FD32D4DE8DB74
Services   : None

Subject    : CN=spo2k3mx01, DC=unifi, DC=br
NotAfter   : 4/1/2016 11:44:20
Thumbprint : D75F533C328511335C2C5065EDA3A6E8DA86DAB6
Services   : None

Subject    : CN=spo2k3mx01.unifi.br
NotAfter   : 2/3/2011 17:45:32
Thumbprint : 18763C51E9B23A3FAA12A0B2F3CCC3AEF2BAC08A
Services   : IIS, SMTP

Subject    : CN=Unifi.br, O=Unifi, DC=Unifi, DC=br
NotAfter   : 16/2/2011 13:36:28
Thumbprint : B10763803A3F3C2A3A633A5E51C6CFB5B7A221E4
Services   : IMAP, POP

Subject    : CN=spo2k3mx01.unifi.br
NotAfter   : 30/12/2009 19:02:11
Thumbprint : 8E1D3A32009DCD3D3B5759FD1BB1AAEF9699C081
Services   : SMTP

Subject    : CN=spo2k3mx01
NotAfter   : 19/12/2010 13:54:20
Thumbprint : 0514B9BE28988B3DA5906D34A9CD6DCF154746B4
Services   : None

Subject    : CN=spo2k3mx01, DC=unifi, DC=br
NotAfter   : 4/1/2016 11:43:20
Thumbprint : 05263E0FE5335B538659DE8628FE12E8C4EB8B03
Services   : SMTP

Subject    : CN=spo2k3mx01, DC=unifi, DC=br
NotAfter   : 19/12/2013 14:01:56
Thumbprint : 49CBA4A430D23C0C8D9C683A3768D5252B24FB2A
Services   : SMTP

Subject    : CN=webmail.unifi.com.br, OU=Tecnologia, O=Unifi do Brasil Ltda., L=Sao Paulo, S=SP, C=BR
NotAfter   : 6/2/2012 20:59:59
Thumbprint : B58C1F3530159D662C0CCB992194CA53D6BD0EBD
Services   : IIS

Subject    : CN=webmail.unifi.com.br, OU=Tecnologia, O=Unifi do Brasil Ltda., L=Sao Paulo, S=SP, C=BR
NotAfter   : 2/12/2009 20:32:34
Thumbprint : 1F951364330D57E58FC03FAAB91F040C0B8C17BA
Services   : None

Subject    : CN=spo2k3mx01
NotAfter   : 1/12/2009 11:55:07
Thumbprint : 77579B5E11DC033D4EB44C67D4E1B5EB677DC5EB
Services   : SMTP

Subject    : CN=spo2k3mx01
NotAfter   : 1/12/2009 11:41:14
Thumbprint : AE3E5403DF5D14C8D987626418D461E8EEAE7BF2
Services   : None
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35340310
You have 2 certificates being used by IIS: one that expires 6/2/2012, and the other, which expired 2/3/2011 and is a self-signed one.
Which are you trying to renew?
0
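The check the experts walk through by eye (expiry date against service binding) can be scripted. This is an added example, not code from the thread: `Get-CertRenewalTriage` is a hypothetical helper name, the 30-day warning window is an assumption, the sample rows are copied from the output posted above, and the evaluation date is the thread's posting date.

```powershell
# Added example (not from the thread). Written to run on PowerShell 2.0 and later.
function Get-CertRenewalTriage {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Certificate,
        [datetime] $AsOf = (Get-Date),   # date to evaluate expiry against
        [int] $WarnDays = 30             # assumed warning window
    )
    process {
        # Services is a flags enum on a live server and a plain string in the sample below.
        $services = "$($Certificate.Services)"
        $bound    = ($services -ne '') -and ($services -ne 'None')
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $AsOf).TotalDays)
        if     ($daysLeft -lt 0 -and $bound)         { $action = 'RENEW (expired, in use)' }
        elseif ($daysLeft -lt 0)                     { $action = 'Expired, unbound' }
        elseif ($daysLeft -le $WarnDays -and $bound) { $action = 'Renew soon' }
        else                                         { $action = 'OK' }
        New-Object PSObject -Property @{
            Action  = $action; DaysLeft = $daysLeft; Services = $services
            Subject = $Certificate.Subject; Thumbprint = $Certificate.Thumbprint
        }
    }
}

# Sample rows taken from the output posted in this thread (dates are day/month/year).
$inv = [System.Globalization.CultureInfo]::InvariantCulture
$sample = @(
    @{ Subject='CN=spo2k3mx01.unifi.br'; NotAfter='2/3/2011 17:45:32'
       Thumbprint='18763C51E9B23A3FAA12A0B2F3CCC3AEF2BAC08A'; Services='IIS, SMTP' },
    @{ Subject='CN=Unifi.br, O=Unifi, DC=Unifi, DC=br'; NotAfter='16/2/2011 13:36:28'
       Thumbprint='B10763803A3F3C2A3A633A5E51C6CFB5B7A221E4'; Services='IMAP, POP' },
    @{ Subject='CN=webmail.unifi.com.br'; NotAfter='6/2/2012 20:59:59'
       Thumbprint='B58C1F3530159D662C0CCB992194CA53D6BD0EBD'; Services='IIS' },
    @{ Subject='CN=webmail.unifi.com.br'; NotAfter='2/12/2009 20:32:34'
       Thumbprint='1F951364330D57E58FC03FAAB91F040C0B8C17BA'; Services='None' },
    @{ Subject='CN=spo2k3mx01, DC=unifi, DC=br'; NotAfter='4/1/2016 11:43:20'
       Thumbprint='05263E0FE5335B538659DE8628FE12E8C4EB8B03'; Services='SMTP' }
) | ForEach-Object {
    $_.NotAfter = [datetime]::ParseExact($_.NotAfter, 'd/M/yyyy H:mm:ss', $inv)
    New-Object PSObject -Property $_
}

$sample | Get-CertRenewalTriage -AsOf ([datetime]'2011-03-22') |
    Sort-Object DaysLeft |
    Format-Table Action, DaysLeft, Services, Subject, Thumbprint -AutoSize

# On a live server, feed the real objects instead of the sample:
#   Get-ExchangeCertificate | Get-CertRenewalTriage
```

Rows marked for renewal are the ones whose expiry will surface as client warnings or transport errors; expired rows with no service binding are only candidates for cleanup once nothing references them.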

 

Author Comment

by:ms_ps2004
ID: 35341412
When I check the message in my Outlook, it's 2/03/2011 spo2k3mx01.unifi.br.

I am afraid to renew the wrong certificate and stop the sending of messages.

I believe that this certificate is internal, but I don't know if this certificate works with other services.

Thank you very much

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35341538
That is this one:

Subject    : CN=spo2k3mx01.unifi.br
NotAfter   : 2/3/2011 17:45:32
Thumbprint : 18763C51E9B23A3FAA12A0B2F3CCC3AEF2BAC08A
Services   : IIS, SMTP


But you also have this one:

Subject    : CN=webmail.unifi.com.br, OU=Tecnologia, O=Unifi do Brasil Ltda., L=Sao Paulo, S=SP, C=BR
NotAfter   : 6/2/2012 20:59:59
Thumbprint : B58C1F3530159D662C0CCB992194CA53D6BD0EBD
Services   : IIS

Which is servicing IIS and still valid.
0
 

Author Comment

by:ms_ps2004
ID: 35341656
I checked IIS and I see the following structure.
Applications Pools
Web Sites
Web Services Extensions

Under Web Sites there are "Default Web Site" and "External".

Default Web Site has the expired certificate (spo2k3mx01.unifi.br) on all objects (Autodiscover, OWA).

External has the OK certificate (webmail.unifi.com.br).

I need to renew spo2k3mx01.unifi.br and install it in IIS.

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35341664
I would suggest taking a look at this utility in my blog here: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/

It's for managing certificates, and it will help you to renew the self signed certificate you have now.
0
 

Author Comment

by:ms_ps2004
ID: 35341670
In Event Viewer the following messages appear:

Event ID 12016

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of spo2k3mx01.unifi.br. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of spo2k3mx01.unifi.br should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

Event Id 12015
An internal transport certificate expired. Thumbprint:18763C51E9B23A3FAA12A0B2F3CCC2AEF2BAC08A



0
 

Author Comment

by:ms_ps2004
ID: 35341703
Don't worry about the different number in the thumbprint.

Thank you
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35341706
please see comment ID: http:#35341664
0
 

Author Comment

by:ms_ps2004
ID: 35342028
Yes, I saw. I will renew this certificate.

I have one more question.

I will run the command to renew the certificate, and after this action, do I need to install the certificate in another place (IIS)?

Master demazter, I will search for the command to renew the certificate.

Could I leave this topic open? If I need more help, I will post here again.

Thank you very much
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35342127
The tool will do everything for you, there is no need to do anything else.
0
