
Exchange Transport certificate expired.

Hi Experts,

We receive an Application log error every 15 minutes: Event ID 12015, source MSExchangeTransport, on an SBS 2011 server.

An internal transport certificate expired. Thumbprint: 0510983***********************254436C


  - Provider
    Name: MSExchangeTransport
  - EventID: 12015
    Qualifiers: 49156
    Level: 2
    Task: 12
    Keywords: 0x80000000000000
  - TimeCreated
    SystemTime: 2014-02-11T15:46:24.000000000Z
    EventRecordID: 485224
    Channel: Application
    Computer: SERVER.domain.local
  - EventData


When I run Get-ExchangeCertificate | List I get this:

AccessRules        :
CertificateDomains : {remote.domain.com, www.remote.domain.com, autodiscover.dmn.local, autodiscover.domain.com, server01.dmn.local, web.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 12/17/2013 4:28:26 PM
NotBefore          : 12/17/2012 4:28:26 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2B48FA9D210A9F
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=remote.domain.com, OU=Domain Control Validated, O=remote.domain.com
Thumbprint         : 0510983**************************254436C

This is the previous GoDaddy certificate. Why does Exchange still use it while the new one is apparently working, for OWA for example?

When we go to OWA from the internet by typing https://mail.domain.com/OWA (which is part of the certificate, together with remote.domain.com, server.domain.local and web.domain.local), the new certificate works fine and is valid until the end of 2014.
remote.domain.com is configured for ActiveSync and OWA in Exchange, but the host A DNS entry does not exist on the internet; we have to create it but we can't reach the domain host...
OWA works fine from the intranet for remote.domain.com, of course.

How can I revoke this old certificate without harming anything in Exchange or SBS 2011?

Thank you in advance for your help, best regards,
2 Solutions
Did you import the new certificate into Exchange and enable the services? It seems to me that the new certificate is not installed on your Exchange server. If it is installed, Get-ExchangeCertificate will produce the latest certificate info.


Will Szymkowski (Senior Solution Architect) commented:
Do the following...
- Open PowerShell (EMS)
- Run Get-ExchangeCertificate (verify that your new certificate exists and, as stated, that the services are enabled; this is also needed)
- If the services are not enabled you need to run the command below:
Enable-ExchangeCertificate -Server "exchangeserver" -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'EDF57B5F9D81F1EC329BFB77ADD4465B426A40FB'

- If the appropriate services have been assigned, then look for your old cert and do the following:
Remove-ExchangeCertificate -ThumbPrint "old-thumbprint-here"
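As an added example (not Will's code and not from the original thread), the verify / enable / remove sequence above scripted for the Exchange Management Shell on the SBS 2011 server, with a dry run before anything is deleted. $NewThumbprint is a placeholder for the thumbprint of the renewed GoDaddy certificate as shown by Get-ExchangeCertificate.

```powershell
# Added example, not from the original thread. Assumes the Exchange Management
# Shell (Exchange 2010 on SBS 2011). $NewThumbprint is a placeholder value.
$NewThumbprint = 'REPLACE-WITH-NEW-CERT-THUMBPRINT'
$Services      = 'IMAP, POP, IIS, SMTP'
$now           = Get-Date

# 1. Verify the renewed certificate is installed and usable before touching anything
$new = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $new)               { throw "Certificate $NewThumbprint is not installed; import it first." }
if (-not $new.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key and cannot be bound." }
if ($new.NotAfter -lt $now)  { throw "Certificate $NewThumbprint has itself already expired." }

# 2. Bind IMAP, POP, IIS and SMTP to the renewed certificate
#    (-Force suppresses the prompt about replacing the default SMTP certificate)
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services $Services -Force

# 3. List expired third-party certificates other than the new one. Self-signed
#    certificates are left alone here; Exchange uses them internally.
$expired = Get-ExchangeCertificate | Where-Object {
    $_.NotAfter -lt $now -and -not $_.IsSelfSigned -and $_.Thumbprint -ne $NewThumbprint
}

foreach ($c in $expired) {
    "{0}  expired {1:yyyy-MM-dd}  services={2}  subject={3}" -f `
        $c.Thumbprint, $c.NotAfter, $c.Services, $c.Subject
    # Dry run: -WhatIf reports what would be removed without changing the store
    Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -WhatIf
}
# Once the listing shows only the old certificate, rerun the removal without -WhatIf.
```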

Simon Butler (Sembee), Consultant, commented:
The best option here is to run new-exchangecertificate in EMS, with no other credentials. This will become the transport certificate and contain the internal name that Exchange requires. You can then delete the old certificate as per the instructions above.

Running the fix my network wizard should also resolve the issue in the same way.

Md. Mojahid commented:
This error occurs when the FQDN you have entered on the send or receive connector doesn't match the FQDN names used on your Exchange certificates.

You can change the FQDN on the connector to a name available on your certificate, or install a new certificate with the right FQDN name.
It can also be that the SMTP service is not bound to the right certificate; in this case you can bind the SMTP service to the certificate using this FQDN.
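To check the mismatch Md. Mojahid describes, here is an added example (not from the original thread) that lists every Send and Receive connector FQDN and reports whether it appears on a currently valid certificate that has SMTP enabled. It assumes the Exchange Management Shell on the Exchange 2010 (SBS 2011) server.

```powershell
# Added example, not from the original thread. Assumes the Exchange Management Shell.
$now = Get-Date

# Only certificates that are inside their validity window and bound to SMTP count
$smtpCerts = Get-ExchangeCertificate | Where-Object {
    $_.Services -match 'SMTP' -and $_.NotAfter -gt $now -and $_.NotBefore -lt $now
}

# Collect the names on those certificates as lower-case strings
$coveredNames = @()
foreach ($c in $smtpCerts) {
    $coveredNames += $c.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
}

function Test-NameCovered([string]$Name) {
    # Exact match, or a single-level wildcard (*.domain.com) for the same parent domain
    foreach ($n in $coveredNames) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.') -and $Name.EndsWith($n.Substring(1)) -and
            ($Name.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

$connectors  = @()
$connectors += Get-SendConnector    | Select-Object Identity, Fqdn, @{n='Type'; e={'Send'}}
$connectors += Get-ReceiveConnector | Select-Object Identity, Fqdn, @{n='Type'; e={'Receive'}}

foreach ($conn in $connectors) {
    $fqdn = if ($conn.Fqdn) { $conn.Fqdn.ToString().ToLower() } else { $null }
    if (-not $fqdn) {
        "{0,-8} {1,-45} no FQDN set (server name is used)" -f $conn.Type, $conn.Identity
    } elseif (Test-NameCovered $fqdn) {
        "{0,-8} {1,-45} {2} covered" -f $conn.Type, $conn.Identity, $fqdn
    } else {
        "{0,-8} {1,-45} {2} NOT on any valid SMTP certificate" -f $conn.Type, $conn.Identity, $fqdn
    }
}
```

A connector reported as NOT covered is a candidate for the FQDN change or certificate rebind described in the comment above.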

jet-info (Author) commented:
The send and receive connectors both have an included certificate name (mail.domain.com).
I would try to launch the SBS wizards when we get the remote.domain.com DNS host A record, because this address is set in Exchange for ActiveSync and OWA. I'll change the connectors' FQDN at the same time (remote.domain.com); what do you think?
I'm currently fighting with the customer's ISP for the host A record...

PS: There is a receive and a send connector for Project Server; the local server FQDN is set in these, which is included in the SSL certificate. Could the error be coming from those connectors?

Thanks!
jet-info (Author) commented:
I'll test it ASAP.
jet-info (Author) commented:
Will's solution worked for me. I have not been brave enough to test Simon's because a message told me that it creates a new certificate with a different thumbprint from the GoDaddy one. I am sorry; I am sure that it works fine since Simon proposed it.
Question has a verified solution.
