Showing results for 
Search instead for 
Did you mean: 

CPQ certificate is expired

Dustin Anderson

So, we started getting this error yesterday:

If your email gateway is experiencing issues when delivering messages to Centralized Policy Quarantine (CPQ) and you received an alert that indicates that the CPQ certificate is expired, make sure you execute the updatepvocert CLI command on the Security Management Appliance to fix this issue. You can ignore this notification if you have not enabled CPQ or have already corrected it.


I followed and did the command to regenerate, but I am still getting the error and getting emails from the email firewalls. Am I missing something?

> updatepvocert

This command recreates a Policy, Virus, and Outbreak Quarantines certificate
and key of strength 2048 bits.
The new certificate is also signed by a CA of strength 2048 bits.
One of the internal services restarts after the certificate update. There is no
commit required.
Do you want to proceed with the certificate update? [Y]> y

The certificate update is successful.
. An internal service restart is needed for the changes to be effective.
Enter the number of seconds to wait before abruptly closing connections.

Waiting for listeners to exit...
Receiving suspended for euq_listener, cpq_listener.
Waiting for outgoing deliveries to finish...
Mail delivery suspended.
Receiving resumed for euq_listener, cpq_listener.
Mail delivery resumed.

The internal service will be up in a moment.



1 Accepted Solution

Accepted Solutions

Dustin Anderson

response from TAC to check your system. Trying to verify if the alert will clear itself or a bug.


From your problem description, I understood:

You applied the command updatepvocert and you still getting the alert.



Please let me know if anything stated above is incorrect.


Action Plan to take for the next step on this case:

                Are you getting some issues to send or release emails from the PVO???? Or getting port 7025 issues on your ESAs or SMA.


                If all is working fine, you can ignore the alert. This is an advice for the customer triggering and issue with expired certificate since last Sunday.

                If you still getting issues on the PVO, please review the next information.



This issue has been resolved for now after pushing the update package.


Since you are using on-prem or virtual appliance, you have to run "updatepvocert" command on SMA.

The command on SMA is to restore the Email flow from ESA>SMA.


Connectivity from the SMA to the ESA has been successfully addressed through a cloud update received at the ESA.



Plan of Action:

After updating the PVO certificate, please run the below command on ESA CLI:

  • To check the High Active Recipients count for “”
    (Machine esa) (SERVICE)> tophosts


Sort results by:


  1. Active Recipients
  2. Connections Out
  3. Delivered Recipients
  4. Hard Bounced Recipients
  5. Soft Bounced Events



Status as of:                   Tue Aug 09 14:30:56 2022 +08

Hosts marked with '*' were down as of the last delivery attempt.


                                              Active  Conn.     Deliv.       Soft       Hard

#   Recipient Host               Recip.    Out     Recip.    Bounced    Bounced


  • If you find High Active Recipients for “”, please run “delivernow host” command to force deliver the mails.


  • To verify the Status Up/Down of PVO

    (Machine esa) (SERVICE)> hoststatus


Recipient host:



Host mail status for: ''

Status as of:         Tue Aug 09 14:27:12 2022 +08

Host up/down:         down




    Soft Bounced Events                        0


    Completed Recipients                 XXXX

      Hard Bounced Recipients                  0

        DNS Hard Bounces                       0

        5XX Hard Bounces                       0

        Filter Hard Bounces                    0

        Expired Hard Bounces                   0

        Other Hard Bounces                     0

      Delivered Recipients               XXXX

      Deleted Recipients                       0


After following the above, you can verify from the ESA GUI for the mails. Give around 10 minutes and review that is draining.

View solution in original post

9 Replies 9


I have this same message and followed the same steps, even went so far as to reboot the SMA, although I don't think that would have helped. I haven't found a way of supressing this message either or established why it has suddenly started to appear.

SMA Version: 14.2.0-203