Tag Archives: event id

Oh no, I’ve got a cert that’s about to expire!

cert001The scenario – you know that your cert is about to expire, you’ve bought a new cert, and you’ve installed it correctly, but you’re still getting an error. Event id 12017, to be exact.

I run

 get-exchangecertificate | fl

which lists the certificates I’ve got installed on this CAS:


There are two certs there – the first listed cert has been issued by an internal certification authority – the “issuer” value is cert.fabrikam.com – and is NOT self signed. I use it for IIS (owa, ecp, outlook anywhere, EAS). The second cert is the original self-signed cert that exchange produces when it’s installed on a server (the issuer is red-cas1, the local server name) and it’s only valid for imap and pop – two services I don’t bother configuring because none of our customers use them.

so lets get all the services onto a certificate that’s not about to expire. I  run

enable-exchangecertificate –thumbprint <thumbprint> -services pop,imap

using the thumbprint of the good certificate. <tip – to copy thumbprints and the like, right click in the powershell window, select mark, then highlight the thumbprint and click enter. Then when you are ready to type the thumbprint, right click anywhere again and hit “paste”>

Now if I run

get-exchangecertificate | fl

again I can see that all the services are now on my new cert, and the old self signed cert is doing nothing:


So now there are no services on the old cert, I can remove it using remove-exchangecertificate –t <thumbprint>


Has it gone? Hell yeah.


Now – here’s a word of warning. It’s perfectly possible to remove a certificate you are using. You get asked are you sure, and if you say “yes”, well… you’re the boss:


And you’ll need to reimport your cert.


In this cmdlet I import an certificate from a password protected .pfx file, which I created by exporting a certificate i’d previously requested on another server – this allows me to use the same certificate on a number of servers (for the same thing, obviously).


I then enable the cert for the required services – the first cmdlet (get-exchangecertificate) gets all the exchange certs on the server, I then run a couple of select cmdlets to create an array of psobjects which only contains the subjects and thumbprints of the original objects where the subject is like mail.fabrikam.com (select thumbprint, subject | ?{$_.subject –like “*mail.fabrikam.com*”}) – I then get the thumbprint of that psobject (select thumbprint)and pass it to the final cmdlet, which enables the chosen cert for iis, imap and pop (enable-exchangecertificate –services iis,imap,pop)

Finally I run get-exchangecertificate | fl  again to make sure that it has taken and the correct services are enabled.

I’d be a pretty sorry feller if I didn’t then run iisreset /restart at some point, to get iis to pick up the new cert.