Do I need to renew an Exchange Certificate about to expire?

royatnts used Ask the Experts™
Hello,
I am not an expert when it comes to Exchange certificates and have read some articles regarding certificate renewal, but I am still confused as to the need to renew for my situation. We have an SBS 2011 w/ Exchange 2010 for local and remote clients. Exchange is hosting the Mailbox role and a Hub Transport role.

I'm getting Application log event ID 12018, "The StartTLS certificate will expire soon ..... run the New-ExchangeCertificate cmdlet", etc.

The EMC server configuration shows 5 Exchange certificates. One of them is a 3rd-party cert, expires 4/23/15 and is assigned IMAP, POP, IIS, SMTP. Two others are self-signed and show assigned services = None. I can't determine why they are there; I presume they were created when the server was built, and neither is the cert that is creating the StartTLS errors, so can I safely remove them?

The other two certs show Self-signed = False, but the issuer shows my Mydomain-Mymachinename-CA on both. (If this machine has a CA, then why produce errors about renewal of its own certificates?) One of these two shows IMAP, POP and the other (this one needs renewal) IMAP, POP, SMTP. Again, I don't know why these are there; I presume these were created when the server was built or whatever, but this one has the same issue date as when the 3rd-party cert was purchased.

How can I tell which ones are being used? If I try to remove the one that is about to expire, it produces an error saying this will cause the transport to stop, and it wants the cert to be replaced first. This is frustrating.

So, does this 3rd-party cert override all other internal and external connections including StartTLS? And if so, would it be safe to just remove the others? How?

BTW, even though I can't see TLS as a service assigned by a cert, is StartTLS part of the SMTP connection service?

Thanks...
Run Fix My Network in the SBS 2011 Console.

Author

Commented:
The last time this was done, it changed the machine IP address for the network adapter and basically all server connections were broken. It took some time to reverse it and get everything to work.

Can you explain why this needs to be done versus answering my questions?
SBS uses wizards to do almost everything. When you run Fix My Network you should get a list of items that it has found that need to be fixed. If there's one in there for the certificate expiring, just select that one (uncheck anything else).

You answered some of your questions yourself. Exchange created these certs on initial installation.
Why one cert has the same date as your 3rd-party cert I don't know.
You must be using TLS auth in your Exchange.
Have you looked at the details of the StartTLS cert? Who is the issuer?
Gareth Gudger, Solution Architect
Most Valuable Expert 2014
Top Expert 2014

Commented:
"Two others are self-signed and show assigned services = None. I can't determine why they are there, presume they were created when the server was built and neither is the cert that is creating the StartTLS errors, so can I safely remove them?"

Yes. If they aren't assigned to anything they aren't doing anything.

"BTW, even though I can't see TLS as a service assigned by a cert, is StartTLS part of the SMTP connection service?"

TLS is part of the SMTP assignment. It allows you to send encrypted mail to another company. Can you open these certs and see what the friendly name is and also who issued it? I am wondering if somehow an intermediary cert for your 3rd-party cert is showing up here. Or they might be shared certs from a partner you were previously doing TLS-encrypted email communications with.

Assigning a cert to POP or IMAP is just if you want to encrypt those services. e.g. S/POP.
Most Valuable Expert 2014
Commented:
The easiest fix is to just run

new-exchangecertificate

No other switches. When you are prompted to replace the default SMTP certificate, select Yes. That will generate a new internal self-signed SSL certificate that Exchange will use just for TLS-based traffic. It will have no effect on anything else.

Simon.
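The procedure from the two answers above (find out which certificate is actually bound to SMTP, replace the expiring internal STARTTLS certificate, then remove the old and the unassigned ones), written out as an added Exchange Management Shell example. This is not code from the thread; the thumbprint placeholder and the subject/domain names are assumptions you replace with the values from your own inventory step.

```powershell
# Added example for Exchange 2010 on SBS 2011, run from the Exchange Management Shell.
# Thumbprint below is a placeholder; take the real one from the inventory in step 1.

# 1. Inventory. The certificate whose Services include SMTP is the one MSExchangeTransport
#    offers for STARTTLS; "Services : None" means Exchange is not using that cert at all.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-List Thumbprint, Subject, Issuer, Services, NotAfter, IsSelfSigned, CertificateDomains

# 2. Match the warning to a certificate: the body of event 12018 quotes the thumbprint
#    of the expiring certificate, so compare it against the list from step 1.
Get-EventLog -LogName Application -Source MSExchangeTransport -Newest 200 |
    Where-Object { $_.EventID -eq 12018 } |
    Select-Object -First 1 -ExpandProperty Message

# 3. Issue a fresh self-signed certificate bound only to SMTP. Limiting -Services to SMTP
#    leaves the third-party certificate on IIS/POP/IMAP untouched. -Force answers the
#    "replace the default SMTP certificate?" prompt that the bare cmdlet would show.
$shortName = $env:COMPUTERNAME                                         # assumption: host short name
$fqdn      = [System.Net.Dns]::GetHostEntry($shortName).HostName       # assumption: internal FQDN
$newCert = New-ExchangeCertificate -Services SMTP `
    -SubjectName "CN=$shortName" `
    -DomainName $shortName, $fqdn `
    -PrivateKeyExportable $false `
    -Force
$newCert | Format-List Thumbprint, Subject, Services, NotAfter

# 4. Only now remove the expiring certificate. While it was the SMTP certificate,
#    Remove-ExchangeCertificate refused because transport would have nothing to offer.
$expiringThumbprint = "0000000000000000000000000000000000000000"   # placeholder from step 1
Remove-ExchangeCertificate -Thumbprint $expiringThumbprint -Confirm:$false

# 5. Clean up the self-signed certificates that were never assigned to any service.
Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ($_.Services -eq 'None') } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }

# 6. Verify: the 12018 warning should stop recurring and the SMTP binding should point at the new cert.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter, IsSelfSigned
```

Two caveats worth keeping in mind. Exchange allows more than one certificate to carry the SMTP service and picks one per connector by matching the connector FQDN, so enabling SMTP on the new self-signed certificate (subject CN=machinename) does not displace the third-party certificate for connections that use the public name; that is why the replacement has no visible effect on the other services. And step 5 deletes on the basis of Services = None only; check the issuer and friendly name first, as Gareth suggests, so that an intermediate CA certificate from the third-party chain is not mistaken for an unused Exchange certificate.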

Author

Commented:
I believe that worked. Thanks. The cmdlet said it was going to replace the cert (with thumbprint matching the one about to expire), but actually added a new self-signed one with IMAP, POP, SMTP with subject CN=machinename only. However, I was now able to delete the old cert about to expire. Doing this also eliminated the Application log Event ID 12018 every 10 minutes.
Thanks again.
