An internal transport certificate will expire soon. Thumbprint:%1, hours remaining: %2

Details
Product: Exchange
Event ID: 12017
Source: MSExchangeTransport
Version: 8.0
Symbolic Name: InternalTransportCertificateExpiresSoon
Message: An internal transport certificate will expire soon. Thumbprint:%1, hours remaining: %2
   
Explanation

This Warning event indicates that the certificate that is used for internal trust with other Microsoft Exchange servers on this computer will expire soon. Internal trust means that Microsoft Exchange Server 2007 uses a self-signed certificate for encryption. Internal refers to the fact that the data paths are between Exchange 2007 servers and within the corporate network that is defined by Active Directory.

When you subscribe an Edge Transport server to the Exchange organization, the Edge Subscription publishes the Edge Transport server certificate in Active Directory for the Hub Transport servers to validate. The Microsoft Exchange EdgeSync service updates ADAM with the set of Hub Transport server certificates for the Edge Transport server to validate.

   
User Action

To resolve this warning, you must use the New-ExchangeCertificate cmdlet to create a new internal transport certificate on the computer that returned this Warning event. Running the New-ExchangeCertificate cmdlet with no arguments creates an SMTP-enabled certificate for direct trust. For more information, see New-ExchangeCertificate.

If this warning occurred on a Hub Transport server, you must create the internal transport certificate on the Hub Transport server where the warning occurred. After you have created the certificate, restart the Microsoft Exchange EdgeSync service to update the certificate information on the Edge Transport servers that are subscribed to the organization.

If this warning occurred on an Edge Transport server, you must create the internal transport certificate on the Edge Transport server where the warning occurred. After you have created the certificate, resubscribe the Edge Transport server to the Exchange organization to update the certificate information in Active Directory.

If you are not running the Microsoft Exchange EdgeSync service, you must manually update the certificate. For more information, see Configuring Mail Flow Between an Edge Transport Server and Hub Transport Servers Without Using EdgeSync.

If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.

Automatic certificate enrollment for %1 failed to enroll for one %2 certificate (%3). %4

Details
Product: Windows Operating System
Event ID: 13
Source: autoenrollment
Version: 5.2
Symbolic Name: EVENT_ENROLL_FAIL
Message: Automatic certificate enrollment for %1 failed to enroll for one %2 certificate (%3). %4
   
Explanation

The autoenrollment component determined that a valid certificate is not available for the user or computer account. The user or computer account required a new certificate, a certificate was superseded, a certificate was revoked and requires replacement, or a certificate requires renewal.

Possible causes include:

  • No network connectivity is available
  • No domain controller was found
  • No certificate authorities are available
  • No certificate templates contain the READ and ENROLL permission for the computer or user in Active Directory
   
User Action

Make sure the computer is connected to the network or to the domain controller so it can work with Active Directory, and then, to pulse autoenrollment, type the following at a command prompt:

Gpupdate.exe /force

If this does not fix the problem, infrastructure or configuration changes might be needed. For more information and troubleshooting steps, see Certificate Autoenrolling in Windows 2003 in Microsoft TechNet.
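The following triage script is an added example, not part of the reference text above: it walks the listed causes of Event ID 13 (network, domain controller) on the affected machine, shows which machine certificates are due for renewal, then applies the documented User Action and checks whether the failure recurs. It assumes the Application-log source name 'AutoEnrollment' (as on Windows Server 2003; later versions log the same event under the CertificateServicesClient-AutoEnrollment source), a 30-day renewal window chosen for the example, and Windows 7 / Server 2008 R2 or later for Test-ComputerSecureChannel.

```powershell
# Added triage script for autoenrollment Event ID 13 (EVENT_ENROLL_FAIL); not from the
# reference text above. Run in an elevated Windows PowerShell session on the machine that
# logged the event. Assumptions: the log source name below (Windows Server 2003 naming)
# and the 30-day renewal window are values chosen for this example.
param([string]$Source = 'AutoEnrollment', [int]$RenewalWindowDays = 30)

function Get-EnrollFailures([datetime]$After) {
    Get-EventLog -LogName Application -Source $Source -After $After -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13 }
}

# Recent occurrences: the message carries the account (%1), template (%2) and error text.
foreach ($e in (Get-EnrollFailures -After (Get-Date).AddDays(-1))) {
    Write-Output ("{0:u}  {1}" -f $e.TimeGenerated, ($e.Message -replace '\s+', ' '))
}

# Causes 1 and 2 from the list: is a domain controller reachable, and is the machine's
# secure channel to the domain intact?
$dc = $env:LOGONSERVER -replace '^\\\\', ''
if (-not $dc) {
    Write-Warning 'No logon server recorded: the machine may not have found a domain controller'
} elseif (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
    Write-Warning "Domain controller $dc is not reachable"
}
if (-not (Test-ComputerSecureChannel)) { Write-Warning 'Secure channel to the domain is broken' }

# Machine certificates inside the renewal window are what autoenrollment is trying to replace.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays($RenewalWindowDays) } |
    ForEach-Object { Write-Warning ("{0} ({1}) expires {2:u}" -f $_.Thumbprint, $_.Subject, $_.NotAfter) }

# The User Action: pulse autoenrollment, then see whether Event ID 13 comes back.
$pulse = Get-Date
gpupdate.exe /force | Out-Null
Start-Sleep -Seconds 30
if (Get-EnrollFailures -After $pulse) {
    Write-Warning 'Event ID 13 recurred: check CA availability and template READ/ENROLL permissions'
} else {
    Write-Output 'No new Event ID 13 after gpupdate /force'
}
```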

An internal transport certificate expired. Thumbprint:%1

Details
Product: Exchange
Event ID: 12015
Source: MSExchangeTransport
Version: 8.0
Symbolic Name: InternalTransportCertificateExpired
Message: An internal transport certificate expired. Thumbprint:%1

Explanation

This Warning event indicates that the certificate that was used for internal trust on this computer has expired. Internal trust means that Microsoft Exchange Server 2007 uses a self-signed certificate for encryption. Internal refers to the fact that the data paths are between Exchange 2007 servers and within the corporate network that is defined by Active Directory.

When you subscribe an Edge Transport server to the Exchange organization, the subscription publishes the Edge Transport server certificate in Active Directory for the Hub Transport servers to validate. The Microsoft Exchange EdgeSync service updates ADAM with the set of Hub Transport server certificates for the Edge Transport server to validate.

User Action

To resolve this warning, you must use the New-ExchangeCertificate cmdlet to create a new internal transport certificate (also referred to as a direct trust certificate) on the computer that returned this Warning event. Running the New-ExchangeCertificate cmdlet with no arguments creates a Simple Mail Transfer Protocol (SMTP)-enabled certificate for direct trust. For more information, see New-ExchangeCertificate.

If this warning occurred on a Hub Transport server, you must create the internal transport certificate on the Hub Transport server where the warning occurred. After you have created the certificate, restart the Microsoft Exchange EdgeSync service to update the certificate information on the Edge Transport servers that are subscribed to the organization.

If this warning occurred on an Edge Transport server, you must create the internal transport certificate on the Edge Transport server where the warning occurred. After you have created the certificate, resubscribe the Edge Transport server to the Exchange organization to update the certificate information in Active Directory.

If you are not running the Microsoft Exchange EdgeSync service, you must manually update the certificate. For more information, see Configuring Mail Flow Between an Edge Transport Server and Hub Transport Servers Without Using EdgeSync.

If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.
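The 12017 and 12015 entries above describe the same check and the same User Action; the script below is an added example, not code from the Exchange documentation, that runs that check in the Exchange Management Shell for the SMTP-enabled (direct trust) certificates on the local server and, with -Renew, performs the documented steps. It assumes a 72-hour warning threshold and a placeholder subscription file path, and takes the server role as a parameter because the follow-up step differs between Hub and Edge Transport.

```powershell
# Added example for events 12017/12015; not from the Exchange 2007 documentation.
# Run in the Exchange Management Shell on the Hub or Edge Transport server that logged
# the event. Assumptions: 72-hour threshold and the subscription file path are
# placeholders chosen for this example; -Role selects the follow-up step.
param(
    [ValidateSet('Hub', 'Edge')][string]$Role = 'Hub',
    [int]$WarnBelowHours = 72,
    [switch]$Renew
)

# The direct-trust certificates are the SMTP-enabled ones; reproduce the hours-remaining check.
$now = Get-Date
foreach ($cert in (Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' })) {
    $hoursLeft = [math]::Floor(($cert.NotAfter - $now).TotalHours)
    if ($hoursLeft -le 0) {
        Write-Warning ("12015 condition: {0} expired on {1:u}" -f $cert.Thumbprint, $cert.NotAfter)
    } elseif ($hoursLeft -lt $WarnBelowHours) {
        Write-Warning ("12017 condition: {0} expires in {1} hours" -f $cert.Thumbprint, $hoursLeft)
    } else {
        Write-Output ("OK: {0} valid for {1} more hours" -f $cert.Thumbprint, $hoursLeft)
    }
}
if (-not $Renew) { return }

# User Action step 1: a bare New-ExchangeCertificate creates a new self-signed,
# SMTP-enabled certificate for direct trust on this server.
$newCert = New-ExchangeCertificate
Write-Output ("New direct-trust certificate: {0}" -f $newCert.Thumbprint)

if ($Role -eq 'Hub') {
    # Step 2 (Hub): restart EdgeSync so subscribed Edge servers receive the new certificate.
    Restart-Service -Name MSExchangeEdgeSync
} else {
    # Step 2 (Edge): export a fresh subscription file; importing it on a Hub Transport
    # server republishes this Edge server's certificate in Active Directory.
    New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'   # placeholder path
}
```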

Managing certificates with IBM GSKit

This tutorial explains how to set up and use IBM Global Security Kit
(GSKit) for typical certificate management tasks such as self-signed
certificate generation, creation of a Certificate Authority (CA), requesting a
certificate from a third-party CA, and installing certificates for use in SSL
protocols.


OpenSSL: how to setup an OCSP server for checking third-party certificates?

I am testing the Certificate Revocation functionality of a CMTS device. This requires me to set up an OCSP responder. Since it will only be used for testing I assume that the minimal implementation provided by OpenSSL should suffice.

I have extracted a certificate from a cable modem, copied it to my PC and converted it to the PEM format. Now I want to register it in the OpenSSL OCSP database and start a server.

I have completed all these steps, but when I do a client request my server invariably responds with “unknown”. It seems to be completely unaware of my certificate’s existence.

I would greatly appreciate it if anyone would be willing to have a look at my code. For your convenience, I have created a single script consisting of a sequential list of all used commands, from setting up the CA until starting the server:
http://code.google.com/p/stacked-crooked/source/browse/trunk/Misc/OpenSSL/AllCommands.sh

You can also find the custom config file and the certificate that I am testing with:
http://code.google.com/p/stacked-crooked/source/browse/trunk/Misc/OpenSSL/

Any help would be greatly appreciated.
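An added walk-through, not part of the question or of OpenSSL's documentation, of the two conditions an "openssl ocsp -index" responder applies before it answers anything other than "unknown": the issuer name and key hashes in the request must match the certificate given as -CA (so for a third-party certificate -CA must be its real issuer, not the test CA), and the serial must appear in the index.txt database. It assumes openssl.exe is on PATH; the vendor CA, modem certificate and responder identity are stand-ins generated in the script, where the real test would use the PEM pulled from the modem and its issuer's certificate.

```powershell
# Added example; not the asker's script. Stand-in names: vendor-ca, modem, resp.
$work = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ("ocsp-" + [guid]::NewGuid()))
Set-Location $work

# 1. Stand-in for the third-party CA and the certificate it issued (serial 0x0A1B).
& openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Stand-in Vendor CA' -keyout vendor-ca.key -out vendor-ca.pem 2>$null
& openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Stand-in Modem' -keyout modem.key -out modem.csr 2>$null
& openssl x509 -req -in modem.csr -CA vendor-ca.pem -CAkey vendor-ca.key -set_serial 0x0A1B -days 365 -out modem.pem 2>$null

# 2. The responder's own signing identity: we do not hold the vendor CA key, so the
#    responder signs with its own key and the client trusts it explicitly via -VAfile.
& openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Test OCSP Responder' -keyout resp.key -out resp.pem 2>$null

# Ask the responder in-process (no listener needed) and return good / revoked / unknown.
# -CA must be the certificate's real issuer: the responder compares the issuer name and
# key hashes from the request with -CA first and answers "unknown" on any mismatch.
function Get-OcspStatus([string]$IndexFile) {
    $out = & openssl ocsp -index $IndexFile -CA vendor-ca.pem -rsigner resp.pem -rkey resp.key -issuer vendor-ca.pem -cert modem.pem -VAfile resp.pem 2>$null
    ($out | Where-Object { $_ -like 'modem.pem: *' }) -replace '^modem\.pem: ', ''
}

# 3. Empty index: issuer matches, but the serial is not in the database -> "unknown".
New-Item -ItemType File -Path empty.txt | Out-Null
"empty index -> " + (Get-OcspStatus empty.txt)

# 4. Register the certificate: one tab-separated index.txt row in "openssl ca" format:
#    status, expiry (YYMMDDHHMMSSZ), revocation date (empty), serial (upper hex), file, subject.
#    The serial comes from the certificate itself; notAfter is the second time field in its ASN.1.
$serial = (& openssl x509 -in modem.pem -noout -serial) -replace '^serial=', ''
$expiry = ((& openssl asn1parse -in modem.pem) -match 'UTCTIME|GENERALIZEDTIME')[1] -replace '.*:', ''
[IO.File]::WriteAllText((Join-Path $work 'index.txt'), "V`t$expiry`t`t$serial`tunknown`t/CN=Stand-in Modem`n")
"registered  -> " + (Get-OcspStatus index.txt)
```

The two lines print "unknown" and then "good"; with a certificate whose issuer differs from -CA the second stays "unknown" no matter what index.txt contains.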
