By default, MS Exchange 2007 uses self-signed certificates for various services (SMTP, IMAP, IIS, POP, etc.). Normally these certificates are valid for one year.

Once a certificate approaches its expiry date, the following events are logged in the Application log on the Exchange server:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date:
Time:
User: N/A
Computer: <server name>
Description:
The STARTTLS certificate will expire soon: subject: <server.domain.local>, hours remaining: 177700433E5D67615E8564373CAF08AB5842DEA0. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12017
Date: 13/04/2008
Time: 09:01:00
User: N/A
Computer: <server name>
Description:
An internal transport certificate will expire soon. Thumbprint:135645393F5D74715F825A865CAF08BB8332DC10, hours remaining: 156

Once the certificate expires, the following event is logged:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12016
Date:
Time:
User: N/A
Computer: <server name>
Description:
The STARTTLS certificate will expire soon: subject: <server.domain.local>, hours remaining: 124543103F37D661E48559A73FFBA84A5832DBA0. Run the New-ExchangeCertificate cmdlet to create a new certificate.

To renew the certificate, perform the following steps:
1. Open the Exchange Management Shell.
2. Check the status of the existing certificate(s). Make a note of the "Thumbprint" value:
Get-ExchangeCertificate | Format-List
3. Get a new self-signed certificate. Use the "Thumbprint" of the old certificate:
Get-ExchangeCertificate -Thumbprint "C9A4BB6094A167BD324618D8492C4C5281FDD34A" | New-ExchangeCertificate
4. Examine the properties of the new certificate. Make sure all required services are enabled:
Get-ExchangeCertificate | Format-List
5. If some of the required services are not enabled, enable them on the new certificate with the following cmdlet:
Enable-ExchangeCertificate -Thumbprint "A0BB986024A347BAC24438D8432C1B123AFDF11B" -Services IIS, POP, SMTP, IMAP
6. Ensure that all required services are working with the new certificate, and then remove the old certificate:
Remove-ExchangeCertificate -Thumbprint "C9A4BB6094A167BD324618D8492C4C5281FDD34A"
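
A check to run between steps 4 and 6, added here as an example and not part of the original post: it lists every certificate with the days left before expiry, then confirms that the new certificate carries every service enabled on the old one. The two thumbprint variables are placeholders, the 30-day threshold and the helper name Get-ServiceNames are assumptions, and the script only reads certificate properties, so it does not prove the services actually work with the new certificate.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# Placeholders: paste the thumbprints noted in steps 2 and 4.
$OldThumbprint = '<old-certificate-thumbprint>'
$NewThumbprint = '<new-certificate-thumbprint>'
$WarnDays      = 30   # assumed warning threshold, adjust as needed

# Hypothetical helper: split the Services value (for example "IMAP, POP, IIS, SMTP")
# into individual service names, ignoring the empty "None" value.
function Get-ServiceNames($Cert) {
    $Cert.Services.ToString().Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'None' }
}

$now = Get-Date

# Expiry overview: certificates closest to expiry are listed first.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [math]::Floor(($_.NotAfter - $now).TotalDays) } } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize

# Flag anything inside the warning window (this includes already expired certificates).
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -le $now.AddDays($WarnDays) } |
    ForEach-Object { Write-Warning "Certificate $($_.Thumbprint) expires on $($_.NotAfter)" }

# Pre-removal check: the new certificate must be valid and cover the old one's services.
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
$new = Get-ExchangeCertificate -Thumbprint $NewThumbprint

$newNames = @(Get-ServiceNames $new)
$missing  = @(Get-ServiceNames $old | Where-Object { $newNames -notcontains $_ })

if ($new.NotAfter -le $now) {
    Write-Warning "New certificate $NewThumbprint is not valid (NotAfter: $($new.NotAfter)). Keep the old certificate."
}
elseif ($missing.Count -gt 0) {
    $list = [string]::Join(', ', $missing)
    Write-Warning "New certificate lacks services enabled on the old one: $list. Run Enable-ExchangeCertificate first."
}
else {
    Write-Host "New certificate has every service enabled on the old one and is valid until $($new.NotAfter)."
}
```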
