How to replace STARTTLS cert on Exchange 2007 Hub Transport Server
Posted on 2011-05-09
As many others have noted here, the STARTTLS cert on our Exchange 2007 Hub Transport Server will expire in ~30 days. I've read through many of the posts about how to replace/renew this cert, which have generated some questions on my end...
I see two certs installed on our Hub TS. The first, a self-signed cert issued by the Hub TS itself, is defunct. I'm certain this was issued when Exchange 2007 was first installed in our environment and never properly removed. The second is the "active" cert, which was generated by a now-defunct CA server in our environment. That being said, I want to replace the outgoing cert with a new, valid cert prior to expiration to avoid Outlook unhappiness!
The active cert appears to be tied to SMTP only as noted by the value "S" under Services when running Get-ExchangeCertificate from PowerShell.
1.) I'd like to use our new, internal CA to generate a new, replacement cert. Any foreseeable issues with this?
1A.) Can anyone recommend a link that documents this process?
2.) Given that SMTP is the only service I can see that is tied to the existing/outgoing cert, I'm guessing it's perfectly fine to use our internal CA, or is it more advisable to purchase a 3rd-party cert?
3.) Any other points I'm missing?
Any info you can provide is most appreciated!