Exchange Transport certificate expired.

Posted on 2014-02-11
7,768 Views
Last Modified: 2014-04-28
Hi Experts,

We receive an Application log error each 15 minutes. Event ID 12015 source MSExchangeTransport on a SBS 2011 server.

An internal transport certificate expired. Thumbprint:0510983***********************254436C

System
  Provider
    Name: MSExchangeTransport
  EventID: 12015
    Qualifiers: 49156
  Level: 2
  Task: 12
  Keywords: 0x80000000000000
  TimeCreated
    SystemTime: 2014-02-11T15:46:24.000000000Z
  EventRecordID: 485224
  Channel: Application
  Computer: SERVER.domain.local
  Security

EventData
  0510983************************254436C

When I run Get-ExchangeCertificate | List, I receive this:

AccessRules        :
CertificateDomains : {remote.domain.com, www.remote.domain.com, autodiscover.dmn.local, autodiscover.domain.com, server01.dmn.local, web.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 12/17/2013 4:28:26 PM
NotBefore          : 12/17/2012 4:28:26 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2B48FA9D210A9F
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=remote.domain.com, OU=Domain Control Validated, O=remote.domain.com
Thumbprint         : 0510983**************************254436C

This is the previous GoDaddy certificate; why does Exchange still use it while the new one is apparently working, for OWA for example?

When we go to OWA, the new certificate is working fine and is valid until the end of 2014, when we type https://mail.domain.com/OWA (which is part of the certificate with remote.domain.com, server.domain.local and web.domain.local) from the internet.
Remote.domain.com is configured for ActiveSync and OWA in Exchange, but the Host A DNS entry does not exist on the internet; we have to create it but we can't reach the domain host...
OWA works fine from the intranet for remote.domain.com, of course.

How can I revoke this old certificate without harming anything in Exchange or SBS 2011?


Thank you in advance for your help, best regards,
0
Question by:jet-info
7 Comments
 
LVL 19

Expert Comment

by:suriyaehnop
ID: 39850872
Did you import the new certificate into Exchange and enable the services? It seems to me that the new certificate is not installed on your Exchange server. If it is installed, Get-ExchangeCertificate will show the latest certificate info.

http://support.godaddy.com/help/article/4877/installing-an-ssl-certificate-in-microsoft-exchange-server-2007

http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010
0
 
LVL 53

Accepted Solution

by:Will Szymkowski (earned 1600 total points)
ID: 39850909
Do the following...
- Open PowerShell (EMS)
- Run Get-ExchangeCertificate (verify that your new certificate exists and, as stated, that the services are enabled; this is also needed)
- If the services are not enabled you need to run the below command....
Enable-ExchangeCertificate -Server "exchangeserver" -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'EDF57B5F9D81F1EC329BFB77ADD4465B426A40FB'

- If the appropriate services have been assigned then look for your old cert and do the following...
Remove-ExchangeCertificate -ThumbPrint "old-thumbprint-here"


Will.
0
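The steps in the accepted answer, written out as an added example with the checks I would want before removing anything. This is not Will's code and not Exchange documentation; it assumes the Exchange 2010 Management Shell on the SBS 2011 server (PowerShell 2.0 syntax), and the masked thumbprint from the question is a placeholder that must be replaced with the real value from the 12015 event.

```powershell
# Added example, not from the original answer. Assumes EMS on the Exchange 2010 / SBS 2011 server.
# Placeholder: the masked thumbprint from the question; replace with the real one from the event.
$OldThumbprint = '0510983**************************254436C'
$Services      = 'IMAP, POP, IIS, SMTP'
$serverFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$certs = Get-ExchangeCertificate
$old   = $certs | Where-Object { $_.Thumbprint -eq $OldThumbprint }
if (-not $old) { throw "No certificate with thumbprint $OldThumbprint is installed" }

# Candidate replacement: CA-issued, private key present, valid for at least 30 more days.
$new = $certs |
    Where-Object { $_.Thumbprint -ne $OldThumbprint -and $_.HasPrivateKey -and
                   -not $_.IsSelfSigned -and $_.Status -eq 'Valid' -and
                   $_.NotAfter -gt (Get-Date).AddDays(30) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No valid CA-issued certificate with a private key found; import the renewed certificate first" }

# Every name the old certificate covered should be on the new one. Transport also wants the
# server's own FQDN, which is why Simon's reply suggests New-ExchangeCertificate when the
# third-party certificate lacks it; do not remove the old certificate blindly in that case.
$newNames = @($new.CertificateDomains | ForEach-Object { $_.ToString() })
$oldNames = @($old.CertificateDomains | ForEach-Object { $_.ToString() })
$missing  = $oldNames | Where-Object { $newNames -notcontains $_ }
if ($missing) { Write-Warning ("New certificate lacks names used by the old one: " + ($missing -join ', ')) }
if ($newNames -notcontains $serverFqdn) {
    Write-Warning "New certificate does not contain $serverFqdn; keep a certificate with that name for internal transport"
}

Write-Host ("Using {0} (expires {1}) to replace {2}" -f $new.Thumbprint, $new.NotAfter, $old.Thumbprint)

# Bind the services to the new certificate; -Force skips the "overwrite default SMTP certificate" prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $Services -Force

# Remove the expired certificate (default confirmation prompt kept on purpose).
Remove-ExchangeCertificate -Thumbprint $OldThumbprint

# Verify what is left and which services each certificate carries.
Get-ExchangeCertificate | Format-Table Thumbprint, Status, NotAfter, Services, CertificateDomains -AutoSize

# Did event 12015 stop? It was firing every 15 minutes, so re-run this after the next interval.
Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddMinutes(-20) |
    Where-Object { $_.EventID -eq 12015 } | Select-Object TimeGenerated, Message
```

The domain-coverage warning is the important check: in the question the old certificate carries server01.dmn.local, so if the renewed GoDaddy certificate no longer includes that internal name, transport still needs another certificate that does, which is the situation Simon's answer addresses.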
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 39850947
The best option here is to run New-ExchangeCertificate in EMS, with no other credentials. This will become the transport certificate and contain the internal name that Exchange requires. You can then delete the old certificate as per the instructions above.

Running the Fix My Network wizard should also resolve the issue in the same way.

Simon.
0
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 39852829
This error will occur when the FQDN you have entered in the send or receive connector doesn't match the FQDN names used in your Exchange certificates.

You can change the FQDN on the connector to a name available on your certificate, or install a new certificate with the right FQDN name.
It can also be that the SMTP service is not bound to the right certificate; in this case you can bind the SMTP service to the certificate using this FQDN.

See more at: http://blog.ronnypot.nl/?p=271#sthash.AmlI4F71.dpuf


http://www.expta.com/2010/09/how-to-fix-msexchangetransport-event-id.html
0
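The connector/certificate mismatch described in the comment above can be checked rather than guessed. The following is an added example, not code from the commenter or the linked articles; it assumes the Exchange 2010 Management Shell running on the server itself (PowerShell 2.0 syntax) and treats an empty connector FQDN as "uses the local server's FQDN".

```powershell
# Added example: report, for every send/receive connector, whether a certificate with a
# private key and SMTP enabled covers the connector's FQDN, and whether that certificate
# is still valid. Assumes EMS on the Exchange server itself.
function Test-NameOnCertificate {
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        # A wildcard entry (*.example.com) covers exactly one additional label.
        if ($d.StartsWith('*.') -and ($Name -like $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$smtpCerts = Get-ExchangeCertificate |
    Where-Object { $_.HasPrivateKey -and ("$($_.Services)" -match 'SMTP') }

# Collect connectors; receive connectors are per server, send connectors are org-wide.
$connectors = @()
foreach ($c in Get-SendConnector) {
    $connectors += New-Object PSObject -Property @{ Type = 'Send'; Name = $c.Name; Fqdn = "$($c.Fqdn)" }
}
foreach ($c in Get-ReceiveConnector -Server $env:COMPUTERNAME) {
    $connectors += New-Object PSObject -Property @{ Type = 'Receive'; Name = $c.Name; Fqdn = "$($c.Fqdn)" }
}

$report = foreach ($conn in $connectors) {
    # Assumption: an empty FQDN means the connector advertises the local server's FQDN.
    $fqdn = if ($conn.Fqdn) { $conn.Fqdn } else { $localFqdn }
    $covering = $smtpCerts | Where-Object {
        Test-NameOnCertificate -Name $fqdn -Domains @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    }
    $valid = $covering | Where-Object { $_.NotAfter -gt (Get-Date) }
    $status = if ($valid) { 'OK' } elseif ($covering) { 'ONLY EXPIRED CERT' } else { 'NO MATCHING CERT' }
    New-Object PSObject -Property @{
        Connector   = "$($conn.Type): $($conn.Name)"
        Fqdn        = $fqdn
        Status      = $status
        Thumbprints = ($covering | ForEach-Object { $_.Thumbprint }) -join ','
    }
}
$report | Format-Table Connector, Fqdn, Status, Thumbprints -AutoSize
```

A connector reported as ONLY EXPIRED CERT is the case in this thread: the name is on a certificate, but only on the one that has passed its NotAfter date. NO MATCHING CERT is the mismatch the comment describes, fixed either by changing the connector's FQDN or by installing a certificate that carries that name.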
 

Author Comment

by:jet-info
ID: 39858809
The send and receive connectors both have an included certificate name (mail.domain.com).
I would try to launch the SBS wizards when we get the remote.domain.com DNS host A record, because this address is set in Exchange for ActiveSync and OWA. I'll change the connectors' FQDN at the same time (remote.domain.com); what do you think?
I'm currently fighting with the customer's ISP for the host A record...

PS: There are a receive and a send connector for Project Server; the local server FQDN, which is included in the SSL certificate, is set in these. Could the error be coming from those connectors?

Thanks!
0
 

Author Comment

by:jet-info
ID: 39894509
I'll test it ASAP.
0
 

Author Closing Comment

by:jet-info
ID: 40027383
Will's solution worked for me. I have not been brave enough to test Simon's because a message told me that it creates a new certificate with a different thumbprint from the GoDaddy one. I am sorry, I am sure that it works fine since Simon proposed it.
0
