Solved

Exchange Transport certificate expired.

Posted on 2014-02-11
Last Modified: 2014-04-28
Hi Experts,

We receive an Application log error every 15 minutes: Event ID 12015, source MSExchangeTransport, on an SBS 2011 server.

An internal transport certificate expired. Thumbprint:0510983***********************254436C

System
  Provider Name: MSExchangeTransport
  EventID: 12015 (Qualifiers: 49156)
  Level: 2
  Task: 12
  Keywords: 0x80000000000000
  TimeCreated SystemTime: 2014-02-11T15:46:24.000000000Z
  EventRecordID: 485224
  Channel: Application
  Computer: SERVER.domain.local
  Security

EventData
  0510983************************254436C

When I run Get-ExchangeCertificate | List I get this:

AccessRules        :
CertificateDomains : {remote.domain.com, www.remote.domain.com, autodiscover.dmn.local, autodiscover.domain.com, server01.dmn.local, web.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 12/17/2013 4:28:26 PM
NotBefore          : 12/17/2012 4:28:26 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2B48FA9D210A9F
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=remote.domain.com, OU=Domain Control Validated, O=remote.domain.com
Thumbprint         : 0510983**************************254436C

This is the previous GoDaddy certificate. Why does Exchange still use it while the new one is apparently working, for OWA for example?

When we go to OWA from the internet by typing https://mail.domain.com/OWA (which is part of the certificate along with remote.domain.com, server.domain.local and web.domain.local), the new certificate works fine and is valid until the end of 2014.
Remote.domain.com is configured for ActiveSync and OWA in Exchange, but the host A DNS record does not exist on the internet; we have to create it but we can't reach the domain host......
OWA works fine from the intranet for remote.domain.com, of course.

How can I revoke this old certificate without harming anything in Exchange or SBS 2011?


Thank you in advance for your help, best regards,
Question by: jet-info
 
Expert Comment

by:suriyaehnop
ID: 39850872
Did you import the new certificate into Exchange and enable the services? It seems to me that the new certificate is not installed on your Exchange server. If it is installed, get-exchangecertificate will produce the latest certificate info.

http://support.godaddy.com/help/article/4877/installing-an-ssl-certificate-in-microsoft-exchange-server-2007

http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010
 
Accepted Solution

by: Will Szymkowski (earned 400 total points)
ID: 39850909
Do the following...
- Open Powershell (ESM)
- Run get-exchangecertificate (verify that your new certificate exists and, as stated, that the services are enabled; this is also needed)
- If the services are not enabled you need to run the below command....
Enable-ExchangeCertificate -Server "exchangeserver" -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'EDF57B5F9D81F1EC329BFB77ADD4465B426A40FB'

- If the appropriate services have been assigned then look for your old cert and do the following...
Remove-ExchangeCertificate -ThumbPrint "old-thumbprint-here"

Will.
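The procedure above (inventory the certificates, make sure the renewed one carries the services, then remove the expired one) as a single Exchange Management Shell script. This is an added example, not code from the thread or from Will; it assumes Exchange 2010 on the SBS 2011 server, and the thumbprint is a placeholder to be replaced with the value from event 12015. It refuses to remove a certificate that has not actually expired, insists on a currently valid CA-issued replacement covering the same names, and only changes anything when run with -Commit (otherwise every change is a -WhatIf dry run).

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell
# on the Exchange 2010 / SBS 2011 server. -ExpiredThumbprint is a placeholder;
# take the real value from event 12015. Nothing changes unless -Commit is given.
param(
    [string]$ExpiredThumbprint = 'PLACEHOLDER-OLD-THUMBPRINT',
    [string]$Server = $env:COMPUTERNAME,
    [switch]$Commit
)

$now   = Get-Date
$certs = Get-ExchangeCertificate -Server $Server

# 1. Inventory: expiry, bound services and names for every certificate
$certs | Sort-Object NotAfter |
    Select-Object Thumbprint, NotAfter, Status, Services, IsSelfSigned,
        @{ n = 'Domains'; e = { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ',' } } |
    Format-Table -AutoSize

$old = $certs | Where-Object { $_.Thumbprint -eq $ExpiredThumbprint }
if (-not $old) { throw "Certificate $ExpiredThumbprint not found on $Server" }
if ($old.NotAfter -gt $now) {
    throw "Certificate $ExpiredThumbprint has not expired (NotAfter $($old.NotAfter)); refusing to remove it"
}

$oldNames    = @($old.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$oldServices = $old.Services.ToString()     # e.g. "IMAP, POP, SMTP"

# 2. Pick the replacement: currently valid, CA-issued, and covering every name the
#    old certificate carried. Among several candidates prefer the one expiring last.
$new = $certs |
    Where-Object { $_.Thumbprint -ne $ExpiredThumbprint -and $_.NotBefore -le $now -and
                   $_.NotAfter -gt $now -and -not $_.IsSelfSigned } |
    Where-Object {
        $names   = @($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        $missing = $oldNames | Where-Object { $names -notcontains $_ }
        -not $missing
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $new) {
    throw "No valid CA-issued certificate covers all of: $($oldNames -join ', '). Import the renewed certificate first."
}
Write-Host "Replacement: $($new.Thumbprint) (expires $($new.NotAfter)), services: $($new.Services)"

# 3. Bind the services the old certificate served before touching it.
#    Enable-ExchangeCertificate adds to the Services already on the certificate.
if ($new.Services.ToString() -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Server $Server -Thumbprint $new.Thumbprint `
        -Services $oldServices -Force -WhatIf:(-not $Commit)
}

# 4. Remove the expired certificate; dry run (-WhatIf) unless -Commit was passed
Remove-ExchangeCertificate -Server $Server -Thumbprint $ExpiredThumbprint `
    -Confirm:$false -WhatIf:(-not $Commit)

# 5. Re-check: only valid certificates should now carry SMTP
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -match 'SMTP' } |
    Select-Object Thumbprint, NotAfter, Status, Services | Format-Table -AutoSize
```

Run it once without -Commit and read the -WhatIf output; once the replacement it chose is the GoDaddy renewal and the listed services match, run it again with -Commit and confirm the 12015 events stop on the next 15-minute cycle.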
 
Assisted Solution

by: Simon Butler (Sembee) (earned 100 total points)
ID: 39850947
The best option here is to run new-exchangecertificate in EMS, with no other credentials. This will become the transport certificate and contain the internal name that Exchange requires. You can then delete the old certificate as per the instructions above.

Running the fix my network wizard should also resolve the issue in the same way.

Simon.
 
Expert Comment

by:Md. Mojahid
ID: 39852829
This error will occur when the FQDN you have entered on the send or receive connector doesn't match the FQDN names used on your Exchange certificates.

You can change the FQDN on the connector to a name available on your certificate, or install a new certificate with the right FQDN name.
It can also be that the SMTP service is not bound to the right certificate; in this case you can bind the SMTP service to the certificate using this FQDN.

- See more at:
http://blog.ronnypot.nl/?p=271


http://www.expta.com/2010/09/how-to-fix-msexchangetransport-event-id.html
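A way to check the connector/certificate FQDN match described in the comment above, as an added example that is not part of the thread: it lists every Send and Receive connector on the server with the FQDN it advertises (an empty connector FQDN means the server's own FQDN, which is what the Project Server connectors in this question use) and flags any name that no currently valid, SMTP-enabled certificate covers. Written for the Exchange 2010 Management Shell on PowerShell 2.0; $Server and the helper Test-NameCovered are this example's own.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# Reports connectors whose FQDN is not covered by a valid SMTP-enabled certificate.
param([string]$Server = $env:COMPUTERNAME)

$now        = Get-Date
$serverFqdn = (Get-ExchangeServer -Identity $Server).Fqdn.ToLower()

# Names carried by currently valid certificates that have SMTP enabled
# (wildcard entries stay as "*.example.com")
$smtpNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -match 'SMTP' -and
                   $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() } |
    Sort-Object -Unique

function Test-NameCovered {
    # True when $Name equals one of $Patterns, or matches a wildcard pattern
    # on exactly one label ("*.example.com" covers "mail.example.com" only)
    param([string]$Name, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($p -eq $Name) { return $true }
        if ($p.StartsWith('*.')) {
            $suffix = $p.Substring(1)                          # ".example.com"
            if ($Name.EndsWith($suffix) -and $Name.Length -gt $suffix.Length) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if (-not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Gather both connector types into one shape (PowerShell 2.0 compatible objects)
$connectors = @()
$connectors += Get-ReceiveConnector -Server $Server | ForEach-Object {
    New-Object PSObject -Property @{ Type = 'Receive'; Identity = $_.Identity; Fqdn = "$($_.Fqdn)" }
}
$connectors += Get-SendConnector | ForEach-Object {
    New-Object PSObject -Property @{ Type = 'Send'; Identity = $_.Identity; Fqdn = "$($_.Fqdn)" }
}

$report = foreach ($c in $connectors) {
    # An empty connector FQDN means Exchange advertises the server's own FQDN
    $fqdn = if ($c.Fqdn) { $c.Fqdn.ToLower() } else { $serverFqdn }
    New-Object PSObject -Property @{
        Type     = $c.Type
        Identity = $c.Identity
        Fqdn     = $fqdn
        Covered  = Test-NameCovered -Name $fqdn -Patterns $smtpNames
    }
}

$report | Select-Object Type, Identity, Fqdn, Covered | Format-Table -AutoSize
$report | Where-Object { -not $_.Covered } | ForEach-Object {
    Write-Warning "$($_.Type) connector '$($_.Identity)' advertises $($_.Fqdn), which no valid SMTP-enabled certificate covers"
}
```

A connector reported as not covered is the case the comment describes: either change that connector's FQDN to a name on the certificate, or enable SMTP on a certificate that carries the name. If every connector is covered and event 12015 keeps appearing, the cause is the expired certificate itself rather than an FQDN mismatch.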
 

Author Comment

by:jet-info
ID: 39858809
The send and receive connectors both have an included certificate name (mail.domain.com).
I would try to launch the SBS wizards once we get the remote.domain.com DNS host A record, because this address is set in Exchange for ActiveSync and OWA. I'll change the connectors' FQDN at the same time (remote.domain.com); what do you think?
I'm currently fighting with the customer's ISP for the host A record...

PS: There is a receive and a send connector for Project Server; the local server FQDN, which is included in the SSL certificate, is set in these. Could the error be coming from those connectors?

Thanks !
 

Author Comment

by:jet-info
ID: 39894509
I'll test it ASAP.
 

Author Closing Comment

by:jet-info
ID: 40027383
Will's solution worked for me. I have not been brave enough to test Simon's one, because a message told me that it creates a new certificate with a different thumbprint from the GoDaddy one. I am sorry, I am sure that it works fine since Simon proposed it.
