There is no valid SMTP Transport Layer Security (TLS) certificate


We are running Exchange 2007 SP1 on Windows 2008 SP2 servers. Our HQ is SiteA, and contains Mailbox, Hub Transport and CAS servers.

We have multiple AD sites, each with their own Hub Transports, and the HQ Hubs also have legacy routing group connectors to 2003 Bridgehead servers.

I have noticed the following error on some of the Hubs:

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

However, we aren't having any mail flow issues from what I can see.

Do we need to do anything and, if so, what? :-)

Satya Pathak, Lead Technical Consultant, Commented:
This is a good article; please go through it.

Rick Fee, Messaging Engineer - Disaster Recovery Engineer, Commented:
SatyaPathak hit it on the head as to what your issue is. To add on to this, for the specific shell command to run, this is a good article:
Joe_Budden, Author, Commented:
Hi both


I am confused though about the need for the certificate in the first place? How was the certificate first installed, I don't recall installing it?

And how long does the certificate last for? Is renewing the certificate something we will have to keep on doing forever periodically?

Thanks for any help!

Rick Fee, Messaging Engineer - Disaster Recovery Engineer, Commented:
When installing Exchange, a self-signed cert is created during the install process. The cert is good for 1 year. Yes, you will have to renew it periodically... but you can set them with a 5 year expire date etc.
Joe_Budden, Author, Commented:
Got it (I think) :-)

So I can either renew the self-cert as per article here:

Or I can start using "proper" certificates (e.g. 3rd Party CA)?

Thanks for the help!

Rick Fee, Messaging Engineer - Disaster Recovery Engineer, Commented:
Correct and if you are going for a 3rd Party CA you will want to use the cmdlet like this:
New-ExchangeCertificate -GenerateRequest -Path c:\smtp_domain_com.csr -SubjectName "OU=Domain Control Validated,," -DomainName,, -PrivateKeyExportable $True
Joe_Budden, Author, Commented:
Great - thanks!

One final question :-)

How do I find out when the self signed cert is actually going to expire and what will happen after this point? Or has it already expired? In which case, does this mean that this Hub Transport is not actually being used for mail delivery?
Joe_Budden, Author, Commented:
Anyone know the answer to my last question?
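
Added example (not part of the original thread, and not posted by any participant): one way to see when the SMTP certificates on a Hub Transport expire, and whether each local Receive connector FQDN is still named by an unexpired certificate. The 30-day window in $WarnDays is an assumption, and the FQDN check is an exact-name comparison only, so it does not account for wildcard certificates.

```powershell
# Added example. Run in the Exchange Management Shell on the Hub Transport server.
$WarnDays = 30          # assumed warning window, not a value from the thread
$now      = Get-Date

# 1. List every certificate enabled for SMTP, with its expiry state.
$smtpCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' })

$smtpCerts | Sort-Object NotAfter | ForEach-Object {
    $days = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
    if     ($_.NotAfter -lt $now) { $state = 'EXPIRED'  }
    elseif ($days -le $WarnDays)  { $state = 'EXPIRING' }
    else                          { $state = 'OK'       }
    '{0,-8} expires {1:yyyy-MM-dd} ({2} days) selfsigned={3} {4} {5}' -f `
        $state, $_.NotAfter, $days, $_.IsSelfSigned, $_.Thumbprint, $_.Subject
}

# 2. For each local Receive connector FQDN, report whether an unexpired
#    SMTP certificate lists exactly that name in its CertificateDomains.
Get-ReceiveConnector -Server $env:COMPUTERNAME | ForEach-Object {
    $conn = $_
    $fqdn = "$($conn.Fqdn)"
    if ($fqdn) {
        $covering = @($smtpCerts | Where-Object {
            ($_.NotAfter -gt $now) -and
            (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn)
        })
        if ($covering.Count -gt 0) { $result = 'covered' }
        else                       { $result = 'NO UNEXPIRED SMTP CERTIFICATE' }
        '{0,-40} {1,-30} {2}' -f $conn.Identity, $fqdn, $result
    }
}
```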