The certificate 'CLIUSR' on server 'servername' is about to expire on 'date'

_{Tuesday, March 24, 2020 6:26 PM}

I have a Exchange 2019 / Server 2019 Core environment set up in an ip-less DAG. I am getting an alert in ECP that says "The certificate 'CLIUSR' on server 'servername' is about to expire on 'date'"

There is not much documentation that i could find that references a certificate issued to CLIUSR, but what I have gathered is that its part of the communication for 2019 clustering, which exchange 2019 uses for its DAG.

There are two certs, with different dates, under CLIUSER.

Issuer    NotBefore           NotAfter             Services

                            


CN=CLIUSR 9/8/2019 9:02:11 PM 10/7/2020 9:02:11 PM     None


CN=CLIUSR 3/7/2019 7:24:50 PM 4/5/2020 8:24:50 PM      None

Is this "normal"? Will things flip over to the valid cert when the other one expires? Or do i need to do anything to support this renewal / change? It appears the newer cert was auto-created 6 months after the cluster was created. But not sure if that is coincidence, etc.

Either way, the warning in the ECP is concerning, or should be suppressed if its not important.

_{Monday, April 6, 2020 2:04 PM ✅Answered}

Windows clustering appears to self-manage these, making the Exchange ECP warnings unnecessary (and a bit scary).

Here are some relevant events to confirm:

Cert auto changing to new cert:

Microsoft-Windows-FailoverClustering/Diagnostic - Event 2049

[Cert] Added new cert of type ClusterSChannel to the store, expiration: 2020/10/07-21:02:11.000

Confirm which cert your cluster is using:
Microsoft-Windows-FailoverClustering/Diagnostic - Event 2049

[Cert] Current cert of type ClusterSChannel from DB is installed, expiration: 2020/10/07-21:02:11.000

And there looks to be it looking for old expired certs and removing them:

Microsoft-Windows-FailoverClustering/Diagnostic - Event 2049

[Cert] DeleteCertFromUserStore: Local user SID : S-1-5-21-565323879-1229761737-3670260998-1002\MY

So nothing to do in exchange, despite the warnings. 

_{Wednesday, March 25, 2020 3:21 AM}

Hi,

I did some research but cannot find any documents describe the CLIUSR certificate with details. Based on my knowledge, this certificate should be related to the cluster. 

We suggest to renew the CLIUSR certificate which is about to expire to make sure your DAG and cluster can work normally.

Regards,

Lydia Zhou

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

_{Wednesday, March 25, 2020 12:54 PM}

Ok, seems like something that others will see as well, given the prominent display in ECP that says its about to expire. I'm guessing it will auto-renew and there seems to be zero documentation whatsoever on how one would even renew it and assign it to the cluster. . 

_{Thursday, March 26, 2020 1:44 AM}

I checked in my test environment and found that the CLIUSER certificate is a self-signed certificate. Actually, there are other self-signed certificates created and installed by Exchange, and they won't auto renew. So, it's suggested to renew the CLIUSER certificate manually. 

You can check these steps to renew a self-signed certificate. You just need to click Renew and OK from EAC: Renew an Exchange self-signed certificate.

Regards, 

Lydia Zhou

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

_{Tuesday, March 31, 2020 3:20 AM}

Just checking in to see if above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.

Regards,

Lydia Zhou

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

_{Tuesday, March 31, 2020 12:37 PM}

Thanks, i will know on April 6 whether this auto renews / uses the new certificate or needs any intervention on the Exchange side.

_{Wednesday, April 1, 2020 1:12 AM}

That's OK. If there are any updates, please feel free to post back. Hope everything works well on your side.

Regards,

Lydia Zhou

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

_{Monday, April 6, 2020 7:29 AM}

Any updates so far? If you have solved your problem, could you share with us? Maybe it will help more people with similar problems. 

Regards,

Lydia Zhou

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

_{Tuesday, April 7, 2020 7:37 AM}

Thanks for your sharing. Here is a brief summary for quick reference. Hope this can help more people with similar issues.

Issue Symptom:

I have a Exchange 2019 / Server 2019 Core environment set up in an ip-less DAG. I am getting an alert in ECP that says "The certificate 'CLIUSR' on server 'servername' is about to expire on 'date'"

Is this "normal"? Will things flip over to the valid cert when the other one expires? Or do i need to do anything to support this renewal / change? It appears the newer cert was auto-created 6 months after the cluster was created. 

Suggestions:

Based on my knowledge, this certificate should be related to the cluster. The CLIUSER certificate can be renewed automatically.

Regards,

Lydia Zhou

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.