Monday, 16 February 2009

Exchange 2007: An internal transport certificate expired

I guess the main reason for this posting is more informative than to help people solve this, but I was astounded when I did more digging into it. I had users calling me saying they were receiving Exchange dialogue boxes telling them the certificate was invalid or had expired.

Following up I found the below in Event Viewer:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12014
Date: 16/02/2009
Time: 09:18:53
User: N/A
Computer: SERVER2K3-SBS
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name server2k3-sbs.DOMAIN.internal in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVER2K3-SBS with a FQDN parameter of server2k3-sbs.DOMAIN.internal. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.





Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12015
Date: 16/02/2009
Time: 09:18:53
User: N/A
Computer: SERVER2K3-SBS
Description:
An internal transport certificate expired. Thumbprint:C7635A3F281FD2CB8E046A19D19************

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


It would appear that Microsoft have now put in place a 1-year certificate expiration for Exchange 2007, meaning that, quite simply, every year users will see this message until you manually recreate the certificate. The obvious way around this is to purchase a certificate from a higher authority, but not everyone wants to pay out on something they see no sense in having.

To rebuild this certificate, simply go into the Exchange Management Shell and type:
"New-ExchangeCertificate" followed by "Y" to confirm.

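To catch the expiry before users see the dialogue box, the following added example (not part of the original post) lists certificates enabled for SMTP that have already expired or will expire within a warning window. It assumes it is run in the Exchange Management Shell; the function name Get-ExpiringTransportCertificate and the 30-day window are assumptions chosen for illustration.

```powershell
# Added example: run inside the Exchange Management Shell on the Exchange 2007 server.
# Get-ExpiringTransportCertificate is a hypothetical helper name; 30 days is an assumed window.
function Get-ExpiringTransportCertificate {
    param([int]$WarnDays = 30)

    $now    = Get-Date
    $cutoff = $now.AddDays($WarnDays)

    # Services is a flags value (e.g. "IMAP, POP, SMTP"); keep only certificates
    # the transport service uses, and only those at or past the cutoff date.
    Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'SMTP' -and $_.NotAfter -le $cutoff } |
        Sort-Object NotAfter |
        Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int][math]::Floor(($_.NotAfter - $now).TotalDays) } },
            @{ Name = 'State';    Expression = { if ($_.NotAfter -lt $now) { 'Expired' } else { 'Expiring' } } }
}

$findings = @(Get-ExpiringTransportCertificate -WarnDays 30)
if ($findings.Count -eq 0) {
    Write-Host 'No SMTP-enabled certificate expires within the window.'
} else {
    # A negative DaysLeft means the certificate has already expired (event 12015).
    $findings | Format-Table -AutoSize
    Write-Host 'Renew with New-ExchangeCertificate, then re-run this check to confirm.'
}
```

Run on a schedule, this gives advance notice of the condition that events 12014 and 12015 report only after the certificate has lapsed.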


More resources and info on this can be found in the following links:
New Exchange Cmdlet

Certificate Use in Exchange 2007
