There is no valid SMTP Transport Layer Security (TLS) certificate


We are running Exchange 2007 SP1 on Windows 2008 SP2 servers. Our HQ is SiteA, and contains Mailbox, Hub Transport and CAS servers.

We have multiple AD sites, each with their own Hub Transports, and the HQ Hubs also have legacy routing group connectors to 2003 Bridgehead servers.

I have noticed the following error on some of the Hubs:

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

However, we aren't having any mail flow issues from what I can see.

Do we need to do anything and, if so, what? :-)
Satya Pathak (Lead Technical Consultant) commented:
This is a good article, please go through it.
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) commented:
SatyaPathak hit it on the head on what your issue is. To add to this, for the specific shell command to run, this is a good article:
Joe_Budden (Author) commented:
Hi both


I am confused though about the need for the certificate in the first place? How was the certificate first installed, I don't recall installing it?

And how long does the certificate last for? Is renewing the certificate something we will have to keep on doing forever periodically?

Thanks for any help!
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) commented:
When installing Exchange, a self-signed cert is created during the install process. The cert is good for 1 year. Yes, you will have to renew it periodically, but you can set them with a 5-year expiry date etc.
Joe_Budden (Author) commented:
Got it (I think) :-)

So I can either renew the self-cert as per article here:

Or I can start using "proper" certificates (e.g. 3rd Party CA)?

Thanks for the help!

Rick Fee (Messaging Engineer - Disaster Recovery Engineer) commented:
Correct and if you are going for a 3rd Party CA you will want to use the cmdlet like this:
New-ExchangeCertificate -GenerateRequest -Path c:\smtp_domain_com.csr -SubjectName "OU=Domain Control Validated,," -DomainName,, -PrivateKeyExportable $True
Joe_Budden (Author) commented:
Great - thanks!

One final question :-)

How do I find out when the self signed cert is actually going to expire and what will happen after this point? Or has it already expired? In which case, does this mean that this Hub Transport is not actually being used for mail delivery?
Joe_Budden (Author) commented:
Anyone know the answer to my last question?
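One way to answer the last question (when the self-signed cert expires and whether it is the one SMTP TLS is using), as an added example written for this page rather than code from any of the participants: it assumes you run it in the Exchange Management Shell on the Hub Transport server, and the thumbprints in the renewal comment are placeholders.

```powershell
# Added example (not from the thread): list every certificate enabled for the
# SMTP service on this Hub Transport, show its expiry, and flag the ones that
# have expired or expire within 30 days. Also marks whether the certificate
# covers this server's FQDN, which is the name the event log entry complains
# about. Uses only cmdlets and properties present in Exchange 2007 SP1 and
# syntax that works on the PowerShell 1.0 shell Exchange 2007 ships with.
$warnDays = 30
$now = Get-Date
# Assumed: the machine's DNS name is the FQDN Exchange advertises for SMTP TLS.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, IsSelfSigned, NotAfter, Subject,
        @{ Name = 'DaysLeft'; Expression = { [int](($_.NotAfter - $now).TotalDays) } },
        @{ Name = 'State'; Expression = {
            $d = ($_.NotAfter - $now).TotalDays
            if ($d -lt 0) { 'EXPIRED' }
            elseif ($d -le $warnDays) { 'EXPIRING' }
            else { 'OK' }
        } },
        @{ Name = 'CoversFqdn'; Expression = {
            # CertificateDomains holds domain objects; compare as strings.
            ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn
        } } |
    Sort-Object NotAfter |
    Format-Table State, DaysLeft, NotAfter, CoversFqdn, IsSelfSigned, Thumbprint, Subject -AutoSize

# To renew an EXPIRED self-signed certificate, clone it into a new one and
# then enable the new one for SMTP. Replace the placeholders with the
# thumbprints printed above and by New-ExchangeCertificate respectively:
#   Get-ExchangeCertificate -Thumbprint <OLD_THUMBPRINT> | New-ExchangeCertificate
#   Enable-ExchangeCertificate -Thumbprint <NEW_THUMBPRINT> -Services SMTP
```

An expired certificate does not stop the Hub Transport delivering mail by itself; it stops it from offering a valid TLS certificate, so partners that require TLS (or Exchange-to-Exchange TLS between your own Hubs) are where failures would show up first.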