TLS Certificate Error in Exchange

I noticed recently in the Event Viewer that there are a number or errors with the source MSExchangeTransport. It is usually just 2 errors but they show up every 5 minutes and have the IDs of 12015 and 12016. Below are descriptions. Mail seems to be going out ok so I'm not sure what the issue is.

An internal transport certificate expired. Thumbprint:2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of domain.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of domain.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
Who is Participating?
Ahmed786Connect With a Mentor Commented:
Simply you can execute below command and it may resolve your query.

1. Open "Exchange Management Shell".
2. Write "get-ExchangeCertificate" and press on "Enter" button.
3. Write down the Thumbprint of the certificate that reflect the required FQDN name of the server.
4. Review the current certificate that use by the Exchange server and
         each certificate function.
5. Write "Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services "SMTP"
       and press on 'Enter" button.

•The value of -Thumbprint obtained in stage 3.

6. Restart the Exchange server.
If you arent using a 3rd party cert, you can simply run new-exchangecertificate and it will create a new one for you with a self-signed cert.

To check the certificate information of the Exchange server, we can run the following command: Get-exchangecertificate |fl
To check if the certificate is valid, we can check the property status.
To check the host names, we can check the property CertifictaeDomains.
To check if it’s a self-signed certificate, we can check the property IsSelfSigned.
To check if it’s a 3rd party, we can check the property Issuer.

Additionally, here are more references about the errors:
Event 12015
Event 12016
itmoonlighterAuthor Commented:
I don't believe it's issued by a 3rd party. I found the certificate that had the thumbprint that's getting an error in the logs and pasted the details below.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, servername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-servername-CA
NotAfter           : 12/4/2013 1:29:32 PM
NotBefore          : 12/5/2011 1:29:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61038703000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Simon Butler (Sembee)ConsultantCommented:
Just create a new certificate using new-exchangecertificate
That will be suitable for transport use.
Then remove the old certificates using remove-exchangecertificate

I don't see any point in cloning the old certificate.

If you are using Outlook Anywhere or ActiveSync then you should have a trusted certificate on the server.

itmoonlighterAuthor Commented:
We are using ActiveSync and have a certificate from Go Daddy. It won't effect that, will it?
Simon Butler (Sembee)ConsultantCommented:
If you do exactly what I have said, then no.
The new certificate is only enabled for SMTP, which is used by TLS.

Although if you have a trusted SSL certificate from GoDaddy then you should only have one certificate with "I" in services when you run get-exchangecertificate - your trusted one.

Cris HannaCommented:
You should be able to fix this simply by running the Fix my network wizard on the SBS console
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.