I am not an expert when it comes to Exchange certificates and have read some articles in regard to certificate renewal, but I am still confused as to the need to renew for my situation. We have an SBS 2011 w/ Exchange 2010 for local and remote clients. Exchange is hosting the Mailbox role and a Hub Transport role.
I'm getting App log events ID 12018, "The StartTLS certificate will expire soon ... run the New-ExchangeCertificate cmdlet", etc.
The EMC server configuration shows 5 Exchange certificates. One of them is a 3rd party cert, expires 4/23/15 and is assigned IMAP, POP, IIS, SMTP. Two others are self-signed and show assigned services = None. I can't determine why they are there; I presume they were created when the server was built, and neither is the cert that is creating the StartTLS errors, so can I safely remove them?
The other two certs are showing Self-signed = False, but the issuer shows my Mydomain-Mymachinename-CA on both. (If this machine has a CA, then why produce errors about renewal of its own certificates?) One of these two shows IMAP, POP and the other (this one needs renewal) IMAP, POP, SMTP. Again, I don't know why these are there; I presume these were created when the server was built or whatever, but this one has the same issue date as when the 3rd party cert was purchased.
How can I tell which ones are being used? If I try to remove the one that is about to expire, it produces an error saying this will cause the transport to stop, and it wants the cert to be replaced first. This is frustrating.
So, does this 3rd party cert override all other internal and external connections including StartTLS? And if so, would it be safe to just remove the others? How?
BTW, even though I can't see TLS as a service assigned to a cert, is StartTLS part of the SMTP connection service?
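The question above asks how to tell which of the five certificates Exchange is actually using and which one is behind the 12018 events. The following is an added example, not part of the original post, that inventories the certificates read-only from the Exchange Management Shell on an Exchange 2010 server. It assumes the standard `Get-ExchangeCertificate`, `Get-ReceiveConnector` and `Get-SendConnector` cmdlets; the `$warnDays` threshold and the simplified name-matching logic (exact name or one-level wildcard) are assumptions of this example, not Exchange's exact selection algorithm.

```powershell
# Added example, not code from the original post. Run in the Exchange
# Management Shell on the Exchange 2010 server. $warnDays is an assumed
# threshold for "expiring soon".
$warnDays = 30
$now = Get-Date

# 1. Inventory every certificate Exchange knows about, with the fields needed
#    to tell them apart: bound services, issuer, expiry, subject/SAN names.
$certs = Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Issuer, IsSelfSigned, NotAfter, Services,
        @{Name = 'Domains'; Expression = { $_.CertificateDomains -join ',' }}
$certs | Format-Table Thumbprint, IsSelfSigned, NotAfter, Services, Domains -AutoSize

# 2. Flag anything that expires within the threshold. A certificate with SMTP
#    bound and a near NotAfter date is the usual source of event 12018.
$expiring = $certs | Where-Object { $_.NotAfter -lt $now.AddDays($warnDays) }
"Certificates expiring within $warnDays days:"
$expiring | Format-Table Thumbprint, NotAfter, Services -AutoSize

# 3. STARTTLS is served by a certificate with the SMTP service bound whose
#    names cover the connector's FQDN, so list each connector FQDN and which
#    SMTP-enabled certificates cover it (simplified matching, assumption).
$smtpCerts = $certs | Where-Object { "$($_.Services)" -match 'SMTP' }
$fqdns = @(Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }) +
         @(Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }) |
         Where-Object { $_ } | Sort-Object -Unique
foreach ($fqdn in $fqdns) {
    $wildcard = '*.' + ($fqdn -replace '^[^.]+\.', '')
    $match = $smtpCerts | Where-Object {
        $names = $_.Domains -split ','
        ($names -contains $fqdn) -or ($names -contains $wildcard)
    }
    if ($match) {
        "{0,-40} covered by {1}" -f $fqdn, (($match | ForEach-Object { $_.Thumbprint }) -join ', ')
    } else {
        "{0,-40} NO SMTP-enabled certificate covers this name" -f $fqdn
    }
}

# 4. Certificates with no services bound are not used by any Exchange service;
#    this step only lists them. Removal would be a separate, deliberate step.
$unused = $certs | Where-Object { "$($_.Services)" -eq 'None' }
"Certificates with no services assigned:"
$unused | Format-Table Thumbprint, Subject, IsSelfSigned, NotAfter -AutoSize
```

Reading the output: the certificate with `SMTP` in its `Services` column whose names cover the connector FQDN is the one answering STARTTLS, which is also why Exchange refuses to remove it until another SMTP-enabled certificate is in place. Certificates listed in step 4 are bound to nothing, so removing them does not affect transport; the two internal-CA certificates in the question are the ones worth checking against step 3 before touching them.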