royatnts
 asked on

Do I need to renew an Exchange Certificate about to expire?

Hello,
I am not an expert when it comes to Exchange certificates and have read some articles in regard to certificate renewal, but I am still confused as to the need to renew for my situation. We have an SBS 2011 server with Exchange 2010 for local and remote clients. Exchange is hosting the Mailbox role and a Hub Transport role.

I'm getting Application log Event ID 12018, "The StartTLS certificate will expire soon ..... run the New-ExchangeCertificate cmdlet", etc.

The EMC server configuration shows 5 Exchange certificates. One of them is a 3rd-party cert, expires 4/23/15 and is assigned IMAP, POP, IIS, SMTP. Two others are self-signed and show assigned services = None. I can't determine why they are there; I presume they were created when the server was built, and neither is the cert that is creating the StartTLS errors, so can I safely remove them?

The other two certs are showing Self-signed = False, but the issuer shows my Mydomain-Mymachinename-CA on both. (If this machine has a CA, then why produce errors about renewal of its own certificates?) One of these two shows IMAP, POP and the other (this one needs renewal) IMAP, POP, SMTP. Again, I don't know why these are there; I presume these were created when the server was built or whatever, but this one has the same issue date as when the 3rd-party cert was purchased.

How can I tell which ones are being used? If I try to remove the one that is about to expire, it produces an error saying this will cause the transport to stop, and it wants the cert to be replaced first. This is frustrating.

So, does this 3rd-party cert override all other internal and external connections, including StartTLS? And if so, would it be safe to just remove the others? How?

BTW, even though I can't see TLS as a service assigned to a cert, is StartTLS part of the SMTP connection service?

Thanks...
Exchange

ktaczala

Run Fix My Network in the SBS 2011 Console.
royatnts

ASKER
The last time this was done, it changed the machine IP address for the network adapter and basically all server connections were broken. It took some time to reverse it and get everything to work.

Can you explain why this needs to be done versus answering my questions?
ktaczala

SBS uses wizards to do almost everything. When you run Fix My Network you should get a list of items that it has found that need to be fixed. If there's one in there for the certificate expiring, just select that one (uncheck anything else).

You answered some of your questions yourself. Exchange created these certs on initial installation.
Why one cert has the same date as your 3rd-party cert I don't know.
You must be using TLS auth in your Exchange.
Have you looked at the details of the StartTLS cert? Who is the issuer?
Gareth Gudger

Two others are self-signed and show assigned services = None. I can't determine why they are there; I presume they were created when the server was built, and neither is the cert that is creating the StartTLS errors, so can I safely remove them?

Yes. If they aren't assigned to anything they aren't doing anything.

BTW, even though I can't see TLS as a service assigned to a cert, is StartTLS part of the SMTP connection service?

TLS is part of the SMTP assignment. It allows you to send encrypted mail to another company. Can you open these certs and see what the friendly name is and also who issued them? I am wondering if somehow an intermediate cert for your 3rd-party cert is showing up here. Or they might be shared certs from a partner you were previously doing TLS-encrypted email communications with.

Assigning a cert to POP or IMAP is just if you want to encrypt those services. e.g. S/POP.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

Log in or sign up to see answer
royatnts

ASKER
I believe that worked, thanks. The cmdlet said it was going to replace the cert (with thumbprint matching the one about to expire), but actually added a new self-signed one with IMAP, POP, SMTP with subject CN=machinename only. However, I was now able to delete the old cert about to expire. Doing this also eliminated the Application log Event ID 12018 every 10 minutes.
Thanks again.
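The procedure the thread ends up with, written out as an added example for the Exchange 2010 Management Shell on the SBS 2011 server. This is not code from any post above (the accepted answer is not visible on the page): it answers the "how can I tell which ones are being used?" question by listing every certificate with its assigned services, issuer and expiry, picks out the SMTP certificate that Event ID 12018 is warning about, creates a replacement self-signed certificate with New-ExchangeCertificate, and only then removes the old one, which is the order the transport service insists on. The friendly name, the 30-day warning window, the subject name and the final cleanup of self-signed certificates with no services are assumptions; review the output of the first step before running the rest.

```powershell
# Added example, not taken from the thread. Run in the Exchange Management Shell
# on the SBS 2011 / Exchange 2010 server. The 30-day window, friendly name,
# subject name and the cleanup step at the end are assumptions.

# 1. Inventory: which certificate carries which service, who issued it, when it expires.
#    Services is the answer to "which ones are being used"; a certificate with
#    Services = None is installed but unused by Exchange.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, Issuer, Subject, NotAfter -AutoSize

# 2. Find the certificate behind Event ID 12018: STARTTLS rides on the SMTP
#    assignment, so look for the SMTP-assigned certificate that expires soonest.
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' -and $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Sort-Object NotAfter | Select-Object -First 1

if ($expiring) {
    Write-Host "Replacing SMTP certificate $($expiring.Thumbprint) (expires $($expiring.NotAfter))"

    # 3. Create the replacement first. Without -GenerateRequest this is a new
    #    self-signed certificate; the -Services list assigns it immediately.
    #    -Force suppresses the prompt about overwriting the default SMTP certificate.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $new = New-ExchangeCertificate -FriendlyName "Internal SMTP $(Get-Date -Format yyyy-MM-dd)" `
        -SubjectName "CN=$env:COMPUTERNAME" `
        -DomainName $env:COMPUTERNAME, $fqdn `
        -Services SMTP, POP, IMAP -PrivateKeyExportable $true -Force

    # 4. Only now does the transport service no longer depend on the old
    #    certificate, so removing it no longer fails.
    Remove-ExchangeCertificate -Thumbprint $expiring.Thumbprint -Confirm:$false
    Write-Host "New SMTP certificate: $($new.Thumbprint)"
}

# 5. Self-signed certificates assigned to no service do nothing and can go.
#    This deliberately leaves CA-issued and third-party certificates alone,
#    in case one of them is the issuing chain of the public certificate.
Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.Services.ToString() -eq 'None' } |
    ForEach-Object {
        Write-Host "Removing unused self-signed certificate $($_.Thumbprint)"
        Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false
    }
```

The third-party certificate that carries IIS (Outlook Web App, Outlook Anywhere, ActiveSync) is untouched by this: step 2 only selects a certificate when its NotAfter falls inside the window, and step 5 only selects self-signed certificates, so the 2015 public certificate is neither replaced nor removed. After the run, the 12018 event stops because the soonest-expiring SMTP certificate is now the fresh self-signed one.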