• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1362
  • Last Modified:

Exchange 2007 Event ID 12016

I see in the event log on our Exchange 2007 server ID code 12016 that there is no valid SMTP transport layer security certificate.  When doing a get-exchangecertificate | list I see that there is a certificate that expired two days ago which has SMTP listed as the only service. However I recently renewed for 3 additional years from Go Daddy a certificate that amoung other services has SMTP.  Do I need to get a new certificate for the expired SMTP only certificate?  Or does the Go Daddy certificate that lists SMTP cover this?  Should I just remove the old certificate that expired two days ago. Thanks.
  • 3
1 Solution
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
1- you should renew the certificate then remove old one using command line

remove-exchangeCertificate -thumbprint E91E3C....etc.
then use command
Import-ExchangeCertificate c:\certnew.cer
then use command :
enable-ExchangeCertificate -thumbprint E91E3C2A3 -services IIS,POP,SMTP,IMAP,UM

note thumb print of certificate will be clear in get-exchangeCertificate

good luck
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
something i forget to mention , when godady renew the certificate its renew the expiration without changing Names and alternative names in old certificate , so it will work back after renew
cfwirthAuthor Commented:
Jordan thank for the reply. The old certificate that expired two days ago has a different thumbprint than the certificate issued by Go Daddy.  Should I just remove the old certificate thumbprint only?
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
listen its simple ,

first Step :

 go to powershell then
you will see the result like this :

Thumbprint                                                                    Services         Subject
----------                                                                       --------             -------  
548B218BBCBF45239BD4F00AD19FAA8253B0AB94  IP..S      CN=Exch01
then run :
Remove-ExchangeCertificate -thumbprint 548B218BBCBF45239BD4F00AD19FAA8253B0AB94

then import your new certificate :

Import-ExchangeCertificate -path c:\Example.cer

the certificate details will displayed include thumbprint , if you don't know it or not displayed just run

get-exchangeCertificate , to see the thumbprint of new one , its must be different than old one ,

now just run :

Enable-ExchangeCertificate -thumbprint "548B218BBCBF45239BD4F00AD19FAA8253B0AB94" -services IIS,POP,SMTP,IMAP,UM

then run command


another note , if you faced any problem with import or enable then repair the certificate ...how??

just double click on the certificate -> install certificate

then on certificate - click on details tab -> go to Serial Number attribute , copy the serial number its on the format :
¿0c 80 31 95 c6 b7 65 88 45 bb 14 7a bd 47 ac 8d
then go to cmd and run this command :

certutil  -repairstore My "¿0c 80 31 95 c6 b7 65 88 45 bb 14 7a bd 47 ac 8d"
then back to first step it will work fine ..

this step just incase that import and enable is failed or not working fine...

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now