Issue: Exchange 2007 internal transport certificate has expired - self-signed certificate expiry

 

Every fresh Exchange 2007 or 2010 install runs into this self-signed certificate problem, and on Exchange 2007 it comes back every year (the certificate setup generates is valid for one year; Exchange 2010 issues a five-year one) unless you switch to an internal CA, in which case the internal CA's own validity period has to be extended first. Topologies with EdgeSync are the most painful to renew, because the Edge Subscription has to be recreated as well.


E2K7: [screenshot]

E14: [screenshot]

Event Type:    Warning
Event Source:    MSExchangeTransport
Event Category:    TransportService
Event ID:    12015
Date:        10/1/2009
Time:        9:00:57 AM
User:        N/A
Computer:    mail-hub1

Description:
An internal transport certificate expired. Thumbprint:B727A44820E85C4D9A205DAA5316D81C2C3049ED


Event Type:    Error
Event Source:    MSExchangeTransport
Event Category:    TransportService
Event ID:    12014
Date:        10/1/2009
Time:        8:55:25 AM
User:        N/A
Computer:    mail-hub1

Description:
Microsoft Exchange could not find a certificate that contains the domain name mail-hub1.msft.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector 組織內的 SMTP 傳送連接器 (Intra-Organization SMTP Send Connector) with a FQDN parameter of mail-hub1.msft.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

<PS> Get-ExchangeCertificate

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail-hub1, mail-hub1.msft.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail-hub1
NotAfter           : 2008/12/13 02:01:11 PM
NotBefore          : 2007/12/13 02:01:11 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : E0FFE360B2D08B8C404462098EC6A444
Services           : SMTP
Status             : Invalid
Subject            : CN=mail-hub1
Thumbprint         : B727A44820E85C4D9A205DAA5316D81C2C3049ED
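The following is an added example, not code from the original post: a one-pass audit for the Exchange Management Shell that reproduces what the two events and the Get-ExchangeCertificate output above tell you (SMTP certificates that are expired or about to expire, and connector FQDNs that no valid certificate covers) and then pulls the matching 12014/12015 events from the Application log. The $WarnDays threshold, the PowerShell 2.0 requirement (for Get-EventLog -Source/-After and -join) and the wildcard-match rule are my assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on
# the Hub or Edge server that logged the events. Assumes PowerShell 2.0 or later and a
# 30-day warning window.
$WarnDays = 30
$now = Get-Date

# 1. Every SMTP-enabled certificate with its expiry state. Transport ignores an expired
#    certificate when picking the STARTTLS certificate, which is why 12014 follows 12015
#    even though Get-ExchangeCertificate still lists the old entry (Status: Invalid).
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" })
foreach ($cert in $smtpCerts) {
    $daysLeft = [int][Math]::Floor(($cert.NotAfter - $now).TotalDays)
    $state = "ok ($daysLeft days left)"
    if ($cert.NotAfter -lt $now) { $state = "EXPIRED (matches event 12015)" }
    elseif ($daysLeft -le $WarnDays) { $state = "EXPIRING in $daysLeft days" }
    "{0}  selfsigned={1}  notafter={2:yyyy-MM-dd}  {3}" -f $cert.Thumbprint, $cert.IsSelfSigned, $cert.NotAfter, $state
}

# 2. Every FQDN transport may present: the computer FQDN (used by the implicit
#    intra-organization Send connector and by any connector whose Fqdn is empty, the
#    rule quoted in event 12014) plus the Fqdn of each connector sourced on this server.
$computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$sendHere = @(Get-SendConnector | Where-Object {
    @($_.SourceTransportServers | ForEach-Object { "$_" }) -contains $env:COMPUTERNAME })
$fqdns = @($computerFqdn)
foreach ($conn in @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + $sendHere) {
    $f = "$($conn.Fqdn)"
    if ($f) { $fqdns += $f.ToLower() }
}
$fqdns = @($fqdns | Sort-Object -Unique)

# 3. Is each FQDN covered (exact name or *.parent wildcard) by a non-expired SMTP cert?
foreach ($fqdn in $fqdns) {
    $wild = $null
    if ($fqdn.Contains(".")) { $wild = "*" + $fqdn.Substring($fqdn.IndexOf(".")) }
    $covering = @($smtpCerts | Where-Object { $_.NotAfter -gt $now } | Where-Object {
        $domains = @($_.CertificateDomains | ForEach-Object { "$_".ToLower() })
        ($domains -contains $fqdn) -or ($wild -and ($domains -contains $wild))
    })
    if ($covering.Count -eq 0) {
        "MISSING: no valid SMTP certificate covers $fqdn (expect event 12014)"
    } else {
        "ok: $fqdn covered by " + (($covering | ForEach-Object { $_.Thumbprint }) -join ", ")
    }
}

# 4. The transport certificate events themselves, last 7 days.
Get-EventLog -LogName Application -Source MSExchangeTransport -After $now.AddDays(-7) |
    Where-Object { @(12014, 12015) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

Section 3 is the useful part on a server with several certificates: a CA-issued certificate that only carries the long FQDN (like the enterprise certificate on bqt-mb07 later on this page) does not cover the short host name the self-signed certificate also lists, so a MISSING line for the short name after the self-signed certificate expires is expected and explains the 12014 event for the intra-organization connector.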

 

New-ExchangeCertificate

To resolve this warning, create a new internal transport certificate (also called the direct trust certificate) on the computer that returned the warning event, using the New-ExchangeCertificate cmdlet. Running New-ExchangeCertificate with no arguments creates a Simple Mail Transfer Protocol (SMTP) enabled certificate for direct trust. For more information, see the New-ExchangeCertificate reference.

Event 12014 above is a consequence of 12015, not a second problem: the expired certificate still carries the right domain names and is still listed by Get-ExchangeCertificate, but its Status is Invalid, so transport will not offer it for STARTTLS and reports that no certificate for the connector FQDN exists. Replacing the certificate clears both events.

If the warning occurs on a Hub Transport server, create the internal transport certificate on the Hub Transport server that logged it. After the certificate has been created, restart the Microsoft Exchange EdgeSync service so that the certificate information on the Edge Transport servers subscribed to the organization is updated.

Below is Get-ExchangeCertificate output from an Exchange 2010 server (bqt-mb07) after renewal: the new five-year self-signed certificate (Status: Valid) alongside the enterprise CA certificate, both enabled for SMTP.

 


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {bqt-mb07, bqt-mb07.msft.corp.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=bqt-mb07
NotAfter           : 11/5/2014 2:44:48 PM
NotBefore          : 11/5/2009 2:44:48 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 4E008E269F4AC0AD42DB9BE030AA5A2A
Services           : SMTP
Status             : Valid
Subject            : CN=bqt-mb07
Thumbprint         : E206BCE8D287B7C1FFBA6E4A47B413E605BD651E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {bqt-mb07.msft.corp.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=msft_CA, DC=corp, DC=com
NotAfter           : 3/20/2011 10:47:55 AM
NotBefore          : 3/20/2009 10:47:55 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 1105A15B00000000004D
Services           : SMTP
Status             : Valid
Subject            : CN=bqt-mb07.msft.corp.com, O=msft, DC=msft, DC=corp, DC=com
Thumbprint         : 886A5487F061430A3D2D132B3790A58121D994BE
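Added example (not the page's or Microsoft's code): the Hub Transport renewal described above as a script, with the checks a practitioner would want around it. The thumbprint is the one from the 12015 event on this page; -Force on New-ExchangeCertificate and Enable-ExchangeCertificate is assumed to suppress the "overwrite the existing default SMTP certificate?" prompt as it does in Exchange 2010 (on a server where the prompt still appears, answer Yes). The CA-issued certificate is deliberately left alone.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on
# the Hub Transport server that logged event 12015. $OldThumbprint is an assumption:
# take it from your own 12015 event.
$OldThumbprint = "B727A44820E85C4D9A205DAA5316D81C2C3049ED"

# Guard: only replace a self-signed (direct trust) certificate this way. A CA-issued
# certificate that expired has to be renewed through its CA instead.
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old.IsSelfSigned) {
    throw "$OldThumbprint was issued by '$($old.Issuer)'; renew it through that CA, not with New-ExchangeCertificate."
}
$domains = @($old.CertificateDomains | ForEach-Object { "$_" })
"Replacing {0} (expired {1:yyyy-MM-dd}, domains: {2})" -f $old.Thumbprint, $old.NotAfter, ($domains -join ", ")

# Same SAN list as the expired certificate, SMTP only. New-ExchangeCertificate with no
# arguments (the page's approach) produces the same thing for the server's own names.
$new = New-ExchangeCertificate -DomainName $domains -Services SMTP -Force

# Idempotent, but it is the step event 12014 recommends: it grants the Microsoft
# Exchange Transport service access to the private key.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Force

# Verify before deleting anything.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Status -ne "Valid") {
    throw "New certificate $($new.Thumbprint) has status $($check.Status); keeping the old entry."
}
Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false

# Hub only: EdgeSync pushes the new Hub certificate to the subscribed Edge servers.
Restart-Service MSExchangeEdgeSync
Start-EdgeSynchronization

Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-Table Thumbprint, IsSelfSigned, Status, NotAfter, CertificateDomains -AutoSize
```

The final table should look like the bqt-mb07 listing above: one self-signed entry with a fresh NotBefore and Status Valid, the CA-issued entry unchanged, and no entry with the old thumbprint.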

Renew the self-signed certificate for EdgeSync

If the warning occurs on an Edge Transport server, create the internal transport certificate on the Edge Transport server that logged it. After the certificate has been created, re-subscribe the Edge Transport server to the Exchange organization so that the certificate information in Active Directory is updated.

From your Edge server:
1. Generate a new self-signed certificate (answer Yes when asked whether to overwrite the existing default SMTP certificate):
New-ExchangeCertificate -Services SMTP

2. Remove-EdgeSubscription
The Remove-EdgeSubscription cmdlet removes the Edge Subscription. Once it is removed, synchronization of Active Directory directory service information into Active Directory Application Mode (ADAM) stops, all accounts stored in ADAM are removed, and the Edge Transport server is removed from the source server list of every Send connector.

Remove-EdgeSubscription -Identity EdgeServerName
(The -DomainController parameter only applies when the cmdlet is run from a Hub Transport server; the Edge Transport server has no Active Directory access and works against its local ADAM instance.)

3. Generate a new Edge Subscription file
New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
Copy the Edge Subscription file to the Hub Transport server where it will be imported. The file is only valid for 1440 minutes (24 hours); if the import happens later than that, generate it again.


From your Hub Transport server:
4. Open the Exchange Management Console and go to Organization Configuration > Hub Transport > Edge Subscriptions.
5. Remove the current Edge Subscription.
6. Click New Edge Subscription (right-hand task menu).
7. Import the XML file you copied.

From your Edge server:
8. Restart the Microsoft Exchange ADAM service.

From your Hub Transport server:
9. Open the Exchange Management Shell and run Start-EdgeSynchronization.
10. Run Test-EdgeSynchronization and confirm that SyncStatus reports Normal for the Edge server before relying on mail flow through it.
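Added example, not from the original post: the Edge-side renewal and re-subscription above as Exchange Management Shell commands, with the console steps (4 to 7) replaced by their cmdlet equivalents so the whole procedure can be scripted. Each section runs on the server named in its header; the XML file has to be copied between them by hand. $EdgeServer, $Site and the XML path are placeholders; ADAM_MSExchange is assumed to be the service name behind "Microsoft Exchange ADAM".

```powershell
# Added example, not from the original post. Run each section on the server named in
# its header, in order. Placeholders: $EdgeServer, $Site, $XmlPath.
$EdgeServer = "EDGE01"
$Site = "Default-First-Site-Name"
$XmlPath = "C:\EdgeSubscriptionInfo.xml"

# ---------- On the Edge Transport server ----------
# Step 1: new self-signed internal transport certificate. Answer Yes to the prompt
# about overwriting the existing default SMTP certificate.
$edgeCert = New-ExchangeCertificate -Services SMTP
"Edge certificate {0} valid until {1:yyyy-MM-dd}" -f $edgeCert.Thumbprint, $edgeCert.NotAfter

# Step 2: drop the subscription locally. No -DomainController here: the Edge has no AD
# access; this clears its own ADAM data and stops EdgeSync for it.
Remove-EdgeSubscription -Identity $EdgeServer -Confirm:$false

# Step 3: subscription file carrying the new certificate. Import it within 1440 minutes,
# otherwise run New-EdgeSubscription again.
New-EdgeSubscription -FileName $XmlPath
# -> copy $XmlPath to the Hub Transport server

# ---------- On a Hub Transport server in $Site ----------
# Steps 4-5: remove the stale subscription object from AD (the console's
# Organization Configuration > Hub Transport > Edge Subscriptions > Remove).
Remove-EdgeSubscription -Identity $EdgeServer -Confirm:$false

# Steps 6-7: import the file. FileData must be the raw bytes of the XML.
$fileData = [byte[]]$(Get-Content -Path $XmlPath -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $Site

# ---------- On the Edge Transport server ----------
# Step 8: restart ADAM so the Edge picks up the new subscription state.
Restart-Service ADAM_MSExchange

# ---------- On the Hub Transport server ----------
# Steps 9-10: force a sync, then confirm it completed for this Edge server.
Start-EdgeSynchronization
Test-EdgeSynchronization | Where-Object { $_.Name -eq $EdgeServer } |
    Format-List Name, SyncStatus, LastSynchronizedUtc, UtcNow
```

Anything other than SyncStatus Normal in the last output means the Edge is not yet trusting the new Hub certificates (or vice versa); rerun Test-EdgeSynchronization after a few minutes before treating the re-subscription as complete.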

 

More Information & Reference

1. 內部傳輸憑證已過期 (Internal transport certificate has expired)
2. Internal transport certificate has expired - Exchange 2007
