
Event ID: 12017 & 12018 STARTTLS certificate expire


  • Event ID: 12017 & 12018 STARTTLS certificate expire


    In the last couple of days I have been getting the following message in the application log on my Exchange 2007 server:

    The STARTTLS certificate will expire soon: subject: mailserver.doamin.local, hours remaining: 90C0654B16782B2789652A7634EA732CC4F34BD3. Run the New-ExchangeCertificate cmdlet to create a new certificate

    Why am I getting it?
    Is there a way to keep the old certificate without creating a new one (many users are connecting remotely via RPC over HTTP)?


  • #2
    Re: Event ID: 12017 & 12018 STARTTLS certificate expire


    I have seen this kind of issue when there are problems loading the certificate that's used for STARTTLS processes. Things we might check:

    ---> A certificate from an untrusted authority has been installed.
    ---> A public FQDN has been defined on an Exchange 2007 Hub or Edge server's receive or send connector and there is no certificate installed with a matching public FQDN under the certificate domains field.
    ---> A third party certificate which contains a matching public FQDN, but the certificate is not enabled for the SMTP service.

    Check certificate configurations and use these commands

    Get-ExchangeCertificate | fl *

    There are two other commands for the send and receive connectors, which I do not remember; you may Google them.

    Once you have the outputs:

    Then compare the FQDNs in the event ID to the FQDNs on the connectors (send & receive) and the certificate domain.
    Check whether the FQDNs have been configured on the connectors, whether there is a certificate installed that has a matching CertificateDomain, and whether the SMTP service is enabled on the certificate.

    I hope the explanation is enough. (Tried my best.)

    Fazal Zaidi
    MCITP-Windows 2008,Exchange 2010,MCTS-Exchange 2007,2010,Lync 2010,MCSE-2000,2003,MCSA-2003,2008,2012,MCP,MCSE -Messaging 2013,ITIL
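
The comparison described in the reply above, as an added example that is not part of the original post: it lists each certificate's expiry, domains and services, then checks every send/receive connector FQDN for an unexpired, SMTP-enabled certificate with a matching domain. It assumes the Exchange Management Shell on the Hub or Edge server; the 30-day warning threshold and the variable names are illustrative, and wildcard certificate domains are not expanded.

```powershell
# Added example: run in the Exchange Management Shell.
$warnDays = 30            # assumed warning threshold, adjust as needed
$now      = Get-Date
$certs    = @(Get-ExchangeCertificate)

# 1. Inventory: which certificates exist, when they expire, what they cover.
$certs | Select-Object Thumbprint, Subject, NotAfter, Services,
    @{Name='DaysLeft'; Expression={ [int]($_.NotAfter - $now).TotalDays }},
    @{Name='Domains';  Expression={
        [string]::Join(', ', @($_.CertificateDomains | ForEach-Object { $_.ToString() })) }} |
    Format-List

# 2. Collect the FQDNs configured on receive and send connectors.
$fqdns = @()
Get-ReceiveConnector | ForEach-Object { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }
Get-SendConnector    | ForEach-Object { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }
$fqdns = @($fqdns | Sort-Object -Unique)

# 3. For each connector FQDN, look for a usable STARTTLS certificate:
#    unexpired, enabled for SMTP, and listing the FQDN as a certificate domain.
foreach ($fqdn in $fqdns) {
    $usable = @($certs | Where-Object {
        ($_.NotAfter -gt $now) -and
        ($_.Services.ToString() -match 'SMTP') -and
        (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn)
    })

    if ($usable.Count -eq 0) {
        Write-Warning "No unexpired SMTP-enabled certificate covers connector FQDN '$fqdn'"
        continue
    }

    # Report the longest-lived match and warn if it is inside the threshold.
    $best = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
    $days = [int]($best.NotAfter - $now).TotalDays
    if ($days -le $warnDays) {
        Write-Warning "$fqdn -> $($best.Thumbprint) expires in $days days ($($best.NotAfter))"
    } else {
        Write-Host "$fqdn -> $($best.Thumbprint) OK, $days days remaining"
    }
}
```
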


    • #3
      Re: Event ID: 12017 & 12018 STARTTLS certificate expire

      To answer your specific question - no you cannot keep the certificate. It has an expiry date and that is fixed. It cannot be extended. When the certificate expires then the remote clients will fail to work.

      What you need to do next depends on what type of certificate it is.

      If it is a commercial SSL certificate then you just need to replace it.
      If you have used the self generated certificate then you need to start to plan how to replace it.

      The best way would be to acquire a commercial SSL certificate. That will avoid the need to visit the users, as long as they are using a valid name in their RPC over HTTPs/Outlook Anywhere configuration.

      Trying not to sound like my mother, but if you had deployed Exchange correctly, using a commercial SSL certificate then you wouldn't have this problem. Considering you can get SAN/UC certificates for less than US$100/year, trying to use self generated certificates is a false economy.

      Simon Butler
      Exchange MVP


      Sembee is a registered trademark, used here with permission.


      • #4
        Re: Event ID: 12017 & 12018 STARTTLS certificate expire

        Thanks A Lot For Your Answers!!
        Very Helpful