{"id":28,"date":"2010-12-28T12:45:39","date_gmt":"2010-12-28T10:45:39","guid":{"rendered":"http:\/\/exchangetimes.wordpress.com\/?p=28"},"modified":"2010-12-28T12:45:39","modified_gmt":"2010-12-28T10:45:39","slug":"renewing-tls-certificate-on-a-hub-transport-server","status":"publish","type":"post","link":"https:\/\/exchangetimes.net\/?p=28","title":{"rendered":"Renewing TLS Certificate on a Hub Transport Server"},"content":{"rendered":"<p>I received\u00a0an event today advising me that the local TLS certificate has expired and needs to be renewed. Here is the event info.<\/p>\n<figure id=\"attachment_29\" aria-describedby=\"caption-attachment-29\" style=\"width: 406px\" class=\"wp-caption alignleft\"><a href=\"http:\/\/exchangetimes.files.wordpress.com\/2010\/12\/capture.gif\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-29\" title=\"Event ID telling us that the local TLS Cert expired\" src=\"http:\/\/exchangetimes.files.wordpress.com\/2010\/12\/capture.gif\" alt=\"\" width=\"406\" height=\"447\" \/><\/a><figcaption id=\"caption-attachment-29\" class=\"wp-caption-text\">TLS Cert Expired Event<\/figcaption><\/figure>\n<div class=\"mceTemp\">We need to renew this Certificate otherwise mailflow in Exchange 2007 will stop working. To do this open Exchange Management Shell and type the following:<\/div>\n<div class=\"mceTemp\"><em><strong>Get-ExchangeCertificate | fl<\/strong><\/em><\/div>\n<div class=\"mceTemp\">You will be presented with all the certs installed on the server. You need to now find the cert that has expired. 
An example of an expired cert is:<\/div>\n<div class=\"mceTemp\">AccessRules\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {System.Security.AccessControl.CryptoKeyAccessRule, System<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .Security.AccessControl.CryptoKeyAccessRule, System.Securi<br \/>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ty.AccessControl.CryptoKeyAccessRule}<br \/>\nCertificateDomains\u00a0: {XXXX01, XXXX01.domainname.local}<br \/>\nHasPrivateKey\u00a0\u00a0\u00a0\u00a0\u00a0 : True<br \/>\nIsSelfSigned\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True<br \/>\nIssuer\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=SERVER01<br \/>\nNotAfter\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 2010\/12\/28 09:33:12 AM<br \/>\nNotBefore\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 2009\/12\/28 09:33:12 AM<br \/>\nPublicKeySize\u00a0\u00a0\u00a0\u00a0\u00a0 : 2048<br \/>\nRootCAType\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Unknown<br \/>\nSerialNumber\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 8E1600C9A48960A64F515084A643CF4D<br \/>\nServices\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : SMTP<br \/>\nStatus\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<strong> : <span style=\"color:#ff0000;\">Invalid<\/span><\/strong><br \/>\nSubject\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=SERVER01<br \/>\nThumbprint\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 459CA3A8D2CE3A300839D6254ACD4A5642F25185<\/div>\n<div class=\"mceTemp\">The easiest way to renew the above certificate is to export the output of the first cmdlet we ran to a text file and then copy the cert thumbprint from it. 
To do that, do the following:<\/div>\n<ul>\n<li>\n<div class=\"mceTemp\">\n<div><em><strong>Get-ExchangeCertificate | fl &gt;c:cert.txt<\/strong><\/em><\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"mceTemp\">\n<div>Now open the cert.txt document that you created with the above command and copy the Thumbprint of the expired cert.<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"mceTemp\">\n<div>Then run <em><strong>Get-ExchangeCertificate\u00a0-Thumbprint\u00a0c6289cd8465c99ab249c60f8893jan7d889a4afc\u00a0| New-ExchangeCertificate <\/strong><\/em>where the thumbprint should be the one you copied from cert.txt. (Just delete the above thumbprint and paste your thumbprint in its place.)<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"mceTemp\">\n<div>Choose yes to overwrite the old certificate. <span style=\"color:#ff0000;\">(Before you click yes, make sure the thumbprint is the same as the one in cert.txt, as you do not want to overwrite a different cert.)<\/span><\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"mceTemp\">\n<div>Run <em><strong>Get-ExchangeCertificate | fl <\/strong><\/em>and check the dates and status to see if the new cert was created successfully.<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<p class=\"mceTemp\">\n<div>I used the following URL to assist me with renewing the Cert. There is more info in the article regarding 3rd Party Certs etc.<\/div>\n<div><a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/aa998840(EXCHG.80).aspx\">http:\/\/technet.microsoft.com\/en-us\/library\/aa998840(EXCHG.80).aspx<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>I received\u00a0an event today advising me that the local TLS certificate has expired and needs to be renewed. Here is the event info. We need to renew this Certificate otherwise mailflow in Exchange 2007 will stop working. To do this open Exchange Management Shell and type the following: Get-ExchangeCertificate | fl You will be presented with all the certs installed on the server. 
You need to now find the cert that has expired. An example of an expired cert is: AccessRules\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : {System.Security.AccessControl.CryptoKeyAccessRule, System \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .Security.AccessControl.CryptoKeyAccessRule, System.Securi \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ty.AccessControl.CryptoKeyAccessRule} CertificateDomains\u00a0: {XXXX01, XXXX01.domainname.local} HasPrivateKey\u00a0\u00a0\u00a0\u00a0\u00a0 : True IsSelfSigned\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : True Issuer\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=SERVER01 NotAfter\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 2010\/12\/28 09:33:12 AM NotBefore\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 2009\/12\/28 09:33:12 AM PublicKeySize\u00a0\u00a0\u00a0\u00a0\u00a0 : 2048 RootCAType\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Unknown SerialNumber\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 8E1600C9A48960A64F515084A643CF4D Services\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : SMTP Status\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Invalid Subject\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CN=SERVER01 Thumbprint\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 459CA3A8D2CE3A300839D6254ACD4A5642F25185 The easiest way to renew the above certificate is to export the output of the first cmdlet we ran to a text file and then copy the cert thumbprint from it. To do that, do the following: Get-ExchangeCertificate | fl &gt;c:cert.txt Now open the cert.txt document that you created with the above command and copy the Thumbprint of the expired cert. 
Then run Get-ExchangeCertificate\u00a0-Thumbprint\u00a0c6289cd8465c99ab249c60f8893jan7d889a4afc\u00a0| New-ExchangeCertificate where the thumbprint should be the one you copied from cert.txt. (Just delete the above thumbprint and paste your thumbprint in its place.) Choose yes to overwrite the old certificate. (Before you click yes, make sure the thumbprint is the same as the one in cert.txt, as you do not want to overwrite a different cert.) Run Get-ExchangeCertificate | fl and check the dates and status to see if the new cert was created successfully. I used the following URL to assist me with renewing the Cert. There is more info in the article regarding 3rd Party Certs etc. http:\/\/technet.microsoft.com\/en-us\/library\/aa998840(EXCHG.80).aspx<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[377,116,117],"class_list":["post-28","post","type-post","status-publish","format-standard","hentry","category-certificates","tag-exchange-2007","tag-renew-certificate","tag-renew-local-tls-certificate"],"_links":{"self":[{"href":"https:\/\/exchangetimes.net\/index.php?rest_route=\/wp\/v2\/posts\/28","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exchangetimes.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exchangetimes.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exchangetimes.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/exchangetimes.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28"}],"version-history":[{"count":0,"href":"https:\/\/exchangetimes.net\/index.php?rest_route=\/wp\/v2\/posts\/28\/revisions"}],"wp:attachment":[{"href":"https:\/\/exchangetimes.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":t
rue,"href":"https:\/\/exchangetimes.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exchangetimes.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}