C:\ProgramData\Microsoft\Crypto\ is filling our disk space
Problem reported by WebControl GmbH - 2/9/2016 at 2:39 PM
Hello Guys,
we have a big Issue.
As mantioned in the subject of this thread is
filling realy our disk space!
Files within ...keys\ are named like
I assume this is caused from Smartermail since we set this up to work with SSL.
This is how we set it up for smartermail:
Smartermail (14.5.5871) WebInterface - settings - bindings - port
-- Certificate Path: C:\SmarterMail\Certificates\mycert.pfx
-- Password: 123456 :)
Are there other peoples around with same setup and issue?
Btw. SmarterMail WebInterface is realised via IIS on Windows Server 2008 R2.

7 Replies

Reply to Thread
Scarab Replied
There should only be one Private Key per certificate request or installed certificates in the \ProgramData\Microsoft\Crypto sub-directories.
However, if your certificate path in SmarterMail is pointed to a Personal Exchange Format pkcs12 .PFX instead of a base-64 x509 .CER that might be your problem.
You would want to follow the instructions at https://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx to import your .PFX file into Windows Certificate Manager and then export to a base-64 x509 .CER file that you would point your SmarterMail settings to.
WebControl GmbH Replied
Hello Scarab,
thank you very much for your reply!
I know the linked instruction to implement the SSL/TLS Certificate within SmarterMail (as you can see in comments (; ).
It didn't worked for us without the use of pfx-file.
There should only be one Private Key per certificate request or installed certificates in the \ProgramData\Microsoft\Crypto sub-directories.
That would be OK. But it seems that this is not the case :/
Finaly we have more than "17.502.000" Files in "C:\ProgramData\Microsoft\Crypto\Keys"! And we really dont have so many communication to our mailcluster. Some files are a few months old!
Could it be that SmarterMails doensnt handle this correct? A Bug?
Brian Ellwood Replied
PFX is a cert and the key from which the CSR was generated.
Importing the PFX will allow you to use the cert properly in IIS.
You should also place the according CER on the server somewhere - we use:
Then point your bindings to that CER file.
I don't believe you can point bindings to a PFX.
HTH =)
WebControl GmbH Replied
Hello Brian,
thank you for your input!
We do not have an issue with IIS. The Binding here is fine and works with an imported PFX file.
Merely SmarterMail was not able to work in this way (via Webinterface - see above).
My stomachache is the decribed "keys-Folder" which is growing and filling up my disk.
Is this some Bug from smartermail caused from the way how we configured TLS/SSL within smartermail?
Bruce Barnes Replied
The IIS binding and the SmarterMail bindings are two completely different things.
Just because IIS is working does not mean that SmarterMail will work.
You must ADD the certs - both the certificate issued to you for the domain, and ALL TWO or THREE supporting certificates (they are not sent by the certificate issuer, you must go to their site, download, and ADD them into the CERTIFICATE REPOSITORY in the server operating system).
You MUST also add the certificate you use for IIS to the CERTIFICATE REPOSITORY and then properly EXPORT the PFX certificate for SmarterMail, placing it somewhere in the SmarterMail PROGRAM directory.
Here are the instructions for generating the PFX cert:
and here are my version of the same instructions:
Don't forget to CHANGE THE PERMISSIONS on the CER file so that everyone can read it!
Once you've done that, you'll need to BIND the PFX certificate to EACH of the SmarterMail SSL and TLS reports, and click on the VERIFY BUTTON, to make certain you've properly exported the certificate, SmarterMail can see it, and the port binding is good.
Our exported PFX certificate is named: securemail.chicagonettech.com.cer,
and the path in which the certificate is located is: 
D:\Program Files (x86)\SmarterTools\SmarterMail\securemail.chicagonettech.com.cer
Here's our list of ports, and how they are bound:
Then you must also BIND the PORTS to the IP ADDRESS(ES) used by the FQDN of your SmarterMail server:
Then you must MAP the FQDN of your SmarterMail SERVER to the IP ADDRESS which is used to SEND all of your e-mail:
And you must have your OUTBOUND SMTP properly configured to either use the same IP ADDRESS as the IP ADDRESS you mapped to the FQDN of your SmarterMail server above:
If you have multiple hosted domains, then you can map them to separate IP addresses, but you must also make certain to create additional HOSTNAME and PORT to IP ADDRESS mappings for EACH DIFFERENT IP ADDRESS you use.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
WebControl GmbH Replied
Hello Bruce,
thank you for this usual and excellent tutorial on howto konfigure SmarterMail to work with SSL/TLS - we will give it a try.
But so long, does anybody know what is happening in the mentioned directory?
Brian Ellwood Replied
If you google it there are many technet articles about it.
It is system related not Smartermail related.

Reply to Thread