Issue: Exchange 2007 內部傳輸憑證已過期 - 自簽憑證過期

-

 

所有的新安裝Exchange 2007 & 2010 都會遇到的自簽憑證問題, 且可能每年都會遇到一次, 除非改為內部CA, 且內部CA 到期期限還得先延長, 其中以有起EdgeSync 的架構更新憑證會更麻煩


E2K7
image

E14
image
 

Event Type:    Warning
Event Source:    MSExchangeTransport
Event Category:    TransportService
Event ID:    12015
Date:        10/1/2009
Time:        9:00:57 AM
User:        N/A
Computer:    mail-hub1

Description:
An internal transport certificate expired. Thumbprint:B727A44820E85C4D9A205DAA5316D81C2C3049ED


Event Type:    Error
Event Source:    MSExchangeTransport
Event Category:    TransportService
Event ID:    12014
Date:        10/1/2009
Time:        8:55:25 AM
User:        N/A
Computer:    mail-hub1
Description:
Microsoft Exchange could not find a certificate that contains the domain name mail-hub1.msft.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector 組織內的 SMTP 傳送連接器 with a FQDN parameter of mail-hub1.msft.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

<PS> Get-ExchangeCertificate

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail-hub1, mail-hub1.msft.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail-hub1
NotAfter           : 2008/12/13 下午 02:01:11
NotBefore          : 2007/12/13 下午 02:01:11
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : E0FFE360B2D08B8C404462098EC6A444
Services           : SMTP
Status             : Invalid
Subject            : CN=mail-hub1
Thumbprint         : B727A44820E85C4D9A205DAA5316D81C2C3049ED

 

New-ExchangeCertificate

若要解決此警告,您必須在傳回此警告事件的電腦使用 New-ExchangeCertificate 指令程式建立新的內部傳輸憑證 (也稱為直接信任憑證)。執行不含引數的 New-ExchangeCertificate 指令程式可針對直接信任建立啟用簡易郵件傳送通訊協定 (SMTP) 的憑證。如需相關資訊,請參閱 New-ExchangeCertificate

如果是在 Hub Transport Server 上發生此警告,您必須在發生警告的 Hub Transport Server 上建立內部傳輸憑證。建立此憑證之後,請重新啟動 Microsoft Exchange EdgeSync 服務以更新訂閱至組織之 Edge Transport Server 上的憑證資訊。

 


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {bqt-mb07, bqt-mb07.msft.corp.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=bqt-mb07
NotAfter           : 11/5/2014 2:44:48 PM
NotBefore          : 11/5/2009 2:44:48 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 4E008E269F4AC0AD42DB9BE030AA5A2A
Services           : SMTP
Status             : Valid
Subject            : CN=bqt-mb07
Thumbprint         : E206BCE8D287B7C1FFBA6E4A47B413E605BD651E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {bqt-mb07.msft.corp.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=msft_CA, DC=corp, DC=com
NotAfter           : 3/20/2011 10:47:55 AM
NotBefore          : 3/20/2009 10:47:55 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 1105A15B00000000004D
Services           : SMTP
Status             : Valid
Subject            : CN=bqt-mb07.msft.corp.com, O=msft, DC=msft, DC=corp, DC=co
                     m
Thumbprint         : 886A5487F061430A3D2D132B3790A58121D994BE

Renew SelfSigned certificate for EdgeSync

如果是在 Edge Transport Server 發生此警告,您必須在發生警告的 Edge Transport Server 建立內部傳輸憑證。建立憑證之後,請將 Edge Transport Server 重新訂閱至 Exchange 組織,以更新 Active Directory 中的憑證資訊

From your edge server:
1. 產生新的自簽憑證
New-exchangecertificate –service SMTP

2. Remove-EdgeSubscription
Remove-EdgeSubscription 指令程式會移除 Edge 訂閱。移除 Edge 訂閱後,會停止 Active Directory 目錄服務之資訊與 Active Directory 應用程式模式 (ADAM) 的同步處理。會移除儲存在 ADAM 中的所有帳戶,而且會從所有傳送連接器的來源伺服器清單中移除 Edge Transport Server。

Remove-EdgeSubscription -Identity EdgeServerName -DomainController dc.domain.com

3. 產生新的 Edge 訂閱檔
New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
將 Edge 訂閱檔案複製到要匯入 Edge 訂閱檔案的 Hub Transport Server


From your Hub Transport server:
4. Open Exchange Management Console and go to ”Organization Configuration > Hub Transport > Edge Subscription”
5. Remove the current edge subscription
6. Click New Edge Subscription (right hand task menu)
7. Import the xml file you copied.

From your edge server:
8. Restart Microsoft Exchange ADAM service

From your hub transport server:
9. Open the exchange powershell and perform the following commands:
10. start-edgesynchronization

 

Blog Extended Reading


More Information & Reference

1. 內部傳輸憑證已過期
2. Internal transport certificate has expired – Exchange 2007

image

Comments

Post a Comment

Popular posts from this blog

E15 CU3–Update Failed–AD replicated Exceeded the tombstone lifetime.

-
Image
  Exchange 2013 CU3 The naming context is in the process of being removed or is not replicated http://technet.microsoft.com/en-us/library/replication-error-8452-the-naming-context-is-in-the-process-of-being-removed-or-is-not-replicated-from-the-specified-server(v=ws.10).aspx   C:\> REPADMIN /SHOWREPS Root\RDC01 DSA Options: IS_GC Site Options: (none) DSA object GUID: f1694974-47c4-4555-a214-db3c86854aeb DSA invocationID: f1694974-47c4-4555-a214-db3c86854aeb ==== INBOUND NEIGHBORS ====================================== CN=Schema,CN=Configuration,DC=lab7,DC=root     TW\AD02 via RPC         DSA object GUID: bfcc1053-e1da-46fd-8b9d-179c79921331         Last attempt @ 2013-12-19 17:
Read more

202301 - Exchange onpreme - PowerShell Serialization Payload Signing

-
Image
Released: January 2023 Exchange Server Security Updates https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808 https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SerializedDataSigningCheck/ 1.  Update KB5022143 (Exchange SU) 2. Run latest HealthCherker 3.  PowerShell Serialization Payload Signing https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SerializedDataSigningCheck/ Certificate signing of PowerShell serialization payload in Exchange Server https://support.microsoft.com/en-us/topic/certificate-signing-of-powershell-serialization-payload-in-exchange-server-90fbf219-b0dd-4b2c-8a68-9d73b3309eb1 4.  MonitorExchangeAuthCertificate    https://microsoft.github.io/CSS-Exchange/Admin/MonitorExchangeAuthCertificate/ 5.                 New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true&qu
Read more

E14–Bulk Create Mail Contact & Set-Contact

-
Image
  http://community.office365.com/en-us/w/exchange/579.aspx     Get-Contact | Export-Csv c:\temp\contact.csv Get-MailContact | Export-Csv c:\temp\Mailcontact.csv   [PS] Import-Csv .\Contact_Source.csv | % {New-MailContact -Name $_.Name -DisplayName $_.DisplayName -ExternalEmailAddress $_.ExternalEmailAddress -Alias $_.Alias -PrimarySmtpAddress $_.PrimarySMTPAddress -OrganizationalUnit "Contacts" -WhatIf }   [PS] >$Contacts = Import-Csv .\Contact_final.csv [PS] >$Contacts | foreach {Set-Contact $_.Name -Company $_.Company -Department $_.Department -Office $_.Office -Phone $_.Phone }
Read more