Chris Swinney
asked on
Certificate Questions - Exchange 2016
If we have a valid SSL certificate for server/client authentication, is there any reason to have a TLS certificate?
Asking because I'm receiving the following event frequently in event viewer
"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of exchangecas.cfwebmasters.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of exchangecas.cfwebmasters.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task."
Also should expired certificates be removed?
Exchange-certs.PNG
Above your highlighted cert is another cert and that other is expired - I guess that is what is in use and what the message is talking about.
ASKER
The certificate that is expired has the following services: imap, pop, SMTP
The certificate with the same name but valid has the services: imap, pop, IIS
Glad I didn't delete that certificate earlier.
Any help with renewing that certificate? I have the thumbprint, just never done this before.
Your old certificate is no longer in use now because it has already expired. Assign the SMTP service to the new certificate.
Enable-ExchangeCertificate -Thumbprint <NewCertificateThumbprint> -Services SMTP
It will give a warning message; type Y and hit Enter.
ASKER
Good deal! I did that and now see the smtp service on the valid certificate!
Good to remove the old one you think?
Keep it for a day or two and verify that event ID 12016 does not appear again.
Restart the Microsoft Exchange Transport service or reboot your server, and test that your certificate is working by connecting with IE, ActiveSync, or Outlook.
As I see, this valid certificate will expire in 20 days too.
Be prepared to renew it or create a new request very soon.
ASKER
@Tom
I think I'll go ahead and renew it now.
So far everything's good, that or the phones are down haha
Keep the certificate ready and install it as well, and assign the services on the last day.
ASKER
Thanks Satish!
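
The checks discussed in this thread (an expired certificate still holding SMTP, a valid one without it, and an expiry date coming up), as an added PowerShell example that is not part of the original thread. The function name, the sample thumbprints and the FQDN are assumptions; the sample objects are constructed to mirror the two certificates described above.

```powershell
# Added example. Works on any objects exposing Thumbprint, Services, NotAfter and
# CertificateDomains, the properties returned by Get-ExchangeCertificate.
function Get-SmtpCertificateReview {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Certificate,
        [Parameter(Mandatory)] [string]   $Fqdn,
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 30
    )
    foreach ($c in $Certificate) {
        $services = "$($c.Services)"                       # e.g. "IMAP, POP, SMTP"
        $domains  = @($c.CertificateDomains | ForEach-Object { "$_" })
        $daysLeft = [math]::Floor(($c.NotAfter - $Now).TotalDays)
        $hasSmtp  = $services -match '\bSMTP\b'
        $covers   = $domains -contains $Fqdn               # exact names only, no wildcard expansion

        $action = if ($daysLeft -lt 0 -and $hasSmtp) {
            'Expired but still holds SMTP: assign SMTP to a valid certificate'
        } elseif ($daysLeft -lt 0) {
            'Expired, SMTP not assigned: remove once event 12016 stays quiet'
        } elseif ($covers -and -not $hasSmtp) {
            'Valid for the FQDN, SMTP not assigned: Enable-ExchangeCertificate -Services SMTP'
        } else { 'OK' }

        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Services   = $services
            DaysLeft   = $daysLeft
            CoversFqdn = $covers
            RenewSoon  = ($daysLeft -ge 0 -and $daysLeft -le $WarnDays)
            Action     = $action
        }
    }
}

# Constructed sample data: thumbprints, FQDN and dates are placeholders.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-EXPIRED'; Services = 'IMAP, POP, SMTP'
                       NotAfter = $now.AddDays(-10);  CertificateDomains = @('mail.example.com') }
    [pscustomobject]@{ Thumbprint = 'PLACEHOLDER-VALID';   Services = 'IMAP, POP, IIS'
                       NotAfter = $now.AddDays(20.5); CertificateDomains = @('mail.example.com') }
)
Get-SmtpCertificateReview -Certificate $sample -Fqdn 'mail.example.com' -Now $now |
    Format-Table -AutoSize

# On the Exchange server itself, feed it the real certificates instead:
#   Get-SmtpCertificateReview -Certificate (Get-ExchangeCertificate) -Fqdn '<server FQDN>'
```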