How to replace STARTTLS cert on Exchange 2007 Hub Transport Server

Hi all,

As many others have noted here, the STARTTLS cert on our Exchange 2007 Hub Transport Server will expire in ~30 days. I've read through many of the posts about how to replace/renew this cert, which have generated some questions on my end...

I see two certs installed on our Hub TS.  The first, a self-signed cert issued by the Hub TS itself is defunct.  I'm certain this was issued when Exchange 2007 was first installed in our environment and never properly removed.  The second is the "active" cert, which was generated by a now defunct CA server in our environment. That being said, I want to replace the outgoing cert with a new, valid cert, prior to expiration to avoid Outlook unhappiness!

The active cert appears to be tied to SMTP only as noted by the value "S" under Services when running Get-ExchangeCertificate from PowerShell.

1.) I'd like to use our new, internal CA to generate a new, replacement cert.  Any foreseeable issues with this?

     1A.) Can anyone recommend a link that documents this process?

2.) Given that SMTP is the only service I can see that is tied to the existing/outgoing cert, I'm guessing it's perfectly fine to use our internal CA, or is it more advisable to purchase a 3rd party cert?

3.) Any other points I'm missing?

Any info you can provide is most appreciated!
1 Solution
Justin Durrant commented:
Internal CA or self-signed is fine. You really only need a 3rd party cert for external services like OWA, Outlook Anywhere, etc.

Personally, I would just keep the self-signed

Do a get-exchangecertificate | fl command. Copy the thumbprint of the certificate used for TLS. Then run get-exchangecertificate -t ABC123 | new-exchangecertificate (where ABC123 is the thumbprint).

Restart the services and you’re set.
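A scripted version of the renewal described above, with checks before and after the swap so the change can be verified rather than assumed. This is an added example, not code from the thread; it assumes it runs in the Exchange Management Shell on the Hub Transport server, and the `$WarnDays` threshold is my own choice.

```powershell
# Added example: renew the Exchange 2007 self-signed SMTP/STARTTLS certificate
# (Get-ExchangeCertificate | New-ExchangeCertificate) with pre/post verification.
# Assumes the Exchange Management Shell on the Hub Transport server.
param(
    [int]$WarnDays = 30   # renew only if the SMTP cert expires within this many days
)

# 1. Inventory every certificate Exchange knows about, showing the fields that matter here.
$certs = Get-ExchangeCertificate
$certs | Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter, Status

# 2. Pick the valid certificate currently bound to SMTP that is closest to expiry.
$old = $certs |
    Where-Object { $_.Services -match 'SMTP' -and $_.Status -eq 'Valid' } |
    Sort-Object NotAfter |
    Select-Object -First 1
if (-not $old) { throw 'No valid certificate is currently enabled for SMTP.' }

$daysLeft = ($old.NotAfter - (Get-Date)).Days
Write-Host ("Current SMTP cert {0} expires {1} ({2} days left)" -f $old.Thumbprint, $old.NotAfter, $daysLeft)
if ($daysLeft -gt $WarnDays) { Write-Host 'Not yet in the renewal window; nothing to do.'; return }

# 3. Renew: piping the existing certificate into New-ExchangeCertificate creates a new
#    self-signed certificate with the same subject and domain names and a fresh validity period.
$new = $old | New-ExchangeCertificate
Write-Host ("New cert {0} valid until {1}" -f $new.Thumbprint, $new.NotAfter)

# 4. Bind the new certificate to SMTP. Exchange prompts before replacing the default
#    SMTP certificate; -Confirm:$false answers that prompt in a scripted run.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Confirm:$false

# 5. Verify before touching the old certificate: the new thumbprint must carry SMTP and be Valid.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Services -notmatch 'SMTP' -or $check.Status -ne 'Valid') {
    throw 'New certificate is not enabled for SMTP; leaving the old certificate in place.'
}

# 6. Only now retire the old certificate (optional, as noted later in the thread),
#    then restart the transport service so STARTTLS presents the new certificate.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
Restart-Service MSExchangeTransport
Write-Host 'Renewal complete.'
```

Run the inventory step on its own first and confirm the thumbprint it selects is the one you expect before letting the script replace and remove anything.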
TurbineIT (Author) commented:
Sorry for the late reply -- thank you!

I just implemented this during today's maintenance window with, what seems to be success.  I was able to renew the self-signed cert, but see an unexpected value.  The RootCAType has now changed to "None."  I restarted all Exchange services and then the entire server for good measure.  After which, Outlook seems to be connecting fine and the expiration warning isn't logged any longer.  I've also tested Outlook autoconfigure which seems to report back OK.

Is this cause for alarm?

PublicKeySize : 2048
RootCAType    : None
SerialNumber  : 305070F9CC09D09F4DCB2499792039CF
Services      : SMTP
Status        : Valid
Justin Durrant commented:
You should be fine. You can either remove that expired cert or simply leave it.
TurbineIT (Author) commented:
Done and done. Thanks again!
