How to replace STARTTLS cert on Exchange 2007 Hub Transport Server

Posted on 2011-05-09
Last Modified: 2012-06-27
Hi all,

As many others have noted here, the STARTTLS cert on our Exchange 2007 Hub Transport Server will expire in ~ 30 days.  I've read through many of the posts about how to replace/renew this cert, which have generated some questions on my end...

I see two certs installed on our Hub TS.  The first, a self-signed cert issued by the Hub TS itself, is defunct.  I'm certain this was issued when Exchange 2007 was first installed in our environment and never properly removed.  The second is the "active" cert, which was generated by a now-defunct CA server in our environment. That being said, I want to replace the outgoing cert with a new, valid cert prior to expiration to avoid Outlook unhappiness!

The active cert appears to be tied to SMTP only as noted by the value "S" under Services when running Get-ExchangeCertificate from PowerShell.

1.) I'd like to use our new, internal CA to generate a new, replacement cert.  Any foreseeable issues with this?

     1A.) Can anyone recommend a link that documents this process?

2.) Given that SMTP is the only service I can see that is tied to the existing/outgoing cert, I'm guessing it's perfectly fine to use our internal CA, or is it more advisable to purchase a 3rd party cert?

3.) Any other points I'm missing?

Any info you can provide is most appreciated!
Question by:TurbineIT

    Accepted Solution

    Internal CA or self-signed is fine; you really only need a 3rd-party cert for external services like OWA, Outlook Anywhere, etc.

    Personally, I would just keep the self-signed.

    Run Get-ExchangeCertificate | fl. Copy the thumbprint of the certificate used for TLS. Then run Get-ExchangeCertificate -Thumbprint ABC123 | New-ExchangeCertificate (where ABC123 is the thumbprint).

    Restart the services and you’re set.
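    The procedure in the accepted solution, written out as an added example script (it is not from the thread or from Microsoft). It runs in the Exchange Management Shell on the Hub Transport server and uses the cmdlets named in the answer plus Enable-ExchangeCertificate, Remove-ExchangeCertificate and Restart-Service; the 60-day threshold is an assumption, and the script checks the new certificate is Valid and bound to SMTP before anything is restarted.

```powershell
# Added example (not from the thread): renew the self-signed STARTTLS certificate
# on an Exchange 2007 Hub Transport server, with checks around each step.
# Run in the Exchange Management Shell on the Hub Transport server.
[int]$DaysLeft = 60   # assumed renewal window; adjust to taste

# 1. Find the certificate currently enabled for SMTP that expires soonest.
$old = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Sort-Object NotAfter |
    Select-Object -First 1

if (-not $old) { throw "No certificate is enabled for SMTP on this server." }

"Current SMTP certificate:"
$old | Format-List Thumbprint, Subject, Issuer, NotAfter, Services, RootCAType, Status

if ($old.NotAfter -gt (Get-Date).AddDays($DaysLeft)) {
    "Certificate is valid for more than $DaysLeft days; nothing to do."
    return
}

# 2. Clone it. Piping the old certificate binds it to -Instance, so the new
#    self-signed certificate keeps the same subject and SAN list but gets a new
#    key pair, serial number, thumbprint and validity period.
$new = $old | New-ExchangeCertificate -PrivateKeyExportable $true

# 3. Bind SMTP to the new thumbprint. This prompts for confirmation when the
#    certificate being replaced is the current default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP

# 4. Verify before restarting anything; leave the old certificate in place on failure.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Services -notmatch 'SMTP' -or $check.Status -ne 'Valid') {
    throw "Certificate $($new.Thumbprint) is not Valid and enabled for SMTP; old one left in place."
}
"New SMTP certificate:"
$check | Format-List Thumbprint, NotAfter, Services, RootCAType, Status

# 5. Transport only starts presenting the new certificate after a restart.
Restart-Service MSExchangeTransport

# 6. Only after confirming mail flow, remove the superseded certificate.
#    Remove-ExchangeCertificate is not reversible, so this stays commented out.
# Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
```

    The new certificate has a different thumbprint from the one it replaces, which is why step 3 binds SMTP explicitly rather than assuming the clone inherits the binding; step 4 then reads the binding back from the store instead of trusting the return value of the previous cmdlet.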

    Author Comment

    Sorry for the late reply -- thank you!

    I just implemented this during today's maintenance window with what seems to be success.  I was able to renew the self-signed cert, but see an unexpected value.  The RootCAType has now changed to "None."  I restarted all Exchange services and then the entire server for good measure.  After which, Outlook seems to be connecting fine and the expiration warning isn't logged any longer.  I've also tested Outlook autoconfigure, which seems to report back OK.

    Is this cause for alarm?

    PublicKeySize : 2048
    RootCAType    : None
    SerialNumber  : 305070F9CC09D09F4DCB2499792039CF
    Services      : SMTP
    Status        : Valid
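    Outlook connecting cleanly does not exercise the Hub Transport STARTTLS certificate, which is only presented on SMTP. To confirm what the server actually hands out on the wire, rather than what the local certificate store reports, here is an added probe (not from the thread) that speaks just enough SMTP to reach the TLS handshake and prints the presented certificate so its serial number and thumbprint can be compared with the Get-ExchangeCertificate output above. It needs Windows PowerShell 2.0 or later on any host that can reach port 25; hubts.corp.example and probe.example are placeholder names.

```powershell
# Added example (not from the thread): open an SMTP session, issue STARTTLS and
# report the certificate the server presents. Placeholder host names below.
$SmtpHost = 'hubts.corp.example'   # assumed: your Hub Transport server FQDN
$Port     = 25

# Read one SMTP reply; continuation lines use "250-" until the final "250 ".
function Read-SmtpReply([System.IO.StreamReader]$r) {
    $lines = @()
    do { $line = $r.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
    return $lines
}

$client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
$writer.NewLine   = "`r`n"
$writer.AutoFlush = $true

$banner = Read-SmtpReply $reader
if ($banner[0] -notmatch '^220') { throw "Unexpected banner: $($banner -join ' ')" }

$writer.WriteLine('EHLO probe.example')
$ehlo = Read-SmtpReply $reader
if (-not ($ehlo -match '^250[- ]STARTTLS')) {
    throw "Server does not advertise STARTTLS: $($ehlo -join ' ')"
}

$writer.WriteLine('STARTTLS')
$resp = Read-SmtpReply $reader
if ($resp[0] -notmatch '^220') { throw "STARTTLS refused: $($resp -join ' ')" }

# Accept any certificate so the handshake completes and we can inspect it.
# This is a probe, not a mail client; do not reuse this callback elsewhere.
$ssl = New-Object System.Net.Security.SslStream(
    $stream, $false, { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($SmtpHost)

$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Certificate presented on STARTTLS by ${SmtpHost}:"
"  Subject    : $($remote.Subject)"
"  Issuer     : $($remote.Issuer)"
"  Thumbprint : $($remote.Thumbprint)"
"  Serial     : $($remote.SerialNumber)"
"  NotAfter   : $($remote.NotAfter)"
"  Protocol   : $($ssl.SslProtocol)"

$ssl.Close()
$client.Close()
```

    If the serial number printed here does not match the SerialNumber shown by Get-ExchangeCertificate for the SMTP-enabled certificate, the transport service is still presenting the old certificate and needs a restart.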

    Expert Comment

    by:Justin Durrant
    You should be fine; you can either remove that expired cert or simply leave it.

    Author Comment

    Done and done. Thanks again!
