Event 12016, MSExchangeTransport - renew internal certificate?

Kevin

-Windows Server 2008 x64 w SP2
-Exchange 2007 Standard Version 8.1 (Build 240.6)
-Single Server setup

First, there is a lot of detail out there about this event and I have looked at it but do not fully understand what I should do in this particular situation. Let me give you a picture of what's going on in this case and what I'm unsure about.

I have repeated events in the application log that state:

"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of ZOO.hq.mydomain.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of ZOO.hq.mydomain.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task."

The FQDN above is internal. I have a SAN cert of external names and have, on the pertinent services (EWS, OAB, CAS), set internal and external URLs to the subjects on the cert. From what I can tell, the only area where this FQDN shows up is in the "Default ZOO" Receive Connector. It may exist elsewhere that I'm not seeing. If I try to change the FQDN to the primary subject name which is listed in my SAN cert, I get the following error:

"When the AuthMechanism parameter on a Receive connector is set to the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server, the NetBIOS name of the transport server, or $null."

...so I seem to be forced to keep it as the internal FQDN of the server.

I recently renewed that SAN cert and I figured everything was working. I created a new CSR, acquired the cert, installed and enabled it, and removed the old one. I'm thinking the timing is just a red herring. These events date back prior to the renewal.

When I list the Exchange certs from EMS using "Get-ExchangeCertificate | fl *" the certificate with Subject matching the above FQDN shows a "NotAfter" date of 7/11/2011 so it's not expired. The only thing listed next to "Services" is UM.

So at this point, it looks to me like the certificate does exist on the server (it's bound to UM, which we're not using anyway at this point) and that it's not expired.

So what's next to get rid of this event?

Thanks a lot in advance.
 
Kevin
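The check behind this question, written out as an added example (not code from the thread or from Microsoft): for every Receive connector's FQDN, list the Exchange certificates whose domain list covers it, together with expiry and which services each one is enabled for, so it is visible whether a cert for the connector FQDN is both unexpired and enabled for SMTP. It assumes it is run in the Exchange Management Shell on the Exchange 2007 server, and that the standard Get-ExchangeCertificate properties (Thumbprint, CertificateDomains, NotAfter, Services) are available.

```powershell
# Added diagnostic, run from the Exchange 2007 Management Shell (assumption:
# single-server setup as in the thread, EMS cmdlets available).
$now   = Get-Date
$certs = Get-ExchangeCertificate

foreach ($rc in Get-ReceiveConnector) {
    # An empty connector FQDN means Transport falls back to the server's own FQDN.
    if ($rc.Fqdn) {
        $fqdn = $rc.Fqdn.ToString()
    } else {
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    }
    Write-Host ("Connector '{0}'  AuthMechanism={1}  FQDN={2}" -f $rc.Name, $rc.AuthMechanism, $fqdn)

    # Certificates whose CertificateDomains list the FQDN (exact or wildcard).
    $matching = $certs | Where-Object {
        $domains = $_.CertificateDomains | ForEach-Object { $_.ToString() }
        ($domains | Where-Object { $fqdn -ieq $_ -or $fqdn -ilike $_ }) -ne $null
    }

    if (-not $matching) {
        Write-Host "  no certificate in the Exchange store contains this FQDN"
        continue
    }

    foreach ($c in $matching) {
        $expired = $c.NotAfter -lt $now
        # Transport only considers certificates enabled for the SMTP service;
        # one bound to UM alone is not a TLS candidate for this connector.
        $smtp = ($c.Services.ToString() -match 'SMTP')
        Write-Host ("  {0}  NotAfter={1:yyyy-MM-dd}  Expired={2}  SMTP={3}  Services={4}" -f `
            $c.Thumbprint, $c.NotAfter, $expired, $smtp, $c.Services)
    }
}

# Remediation is a separate, deliberate step, e.g. binding an unexpired cert that
# already contains the FQDN to SMTP (placeholder thumbprint, fill in from the output):
#   Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services SMTP
```

A connector whose FQDN is covered only by certificates that are expired, or that are not enabled for SMTP, is the condition to look at before deciding between Enable-ExchangeCertificate and the New-ExchangeCertificate route the event suggests.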

No nibbles on this? Bump.

Kevin
