Exchange 2007 Renew Certificates

I have a question about renewing certificates on Exchange 2007. I am getting warnings in the application event logs. It is Event ID 12018. It states the STARTTLS certificate will expire soon and to run the New-ExchangeCertificate cmdlet. I did this and copied the thumbprint to IIS and thought I was all set. However, going over the before and after output for the certificates I notice my old certificate has the Issuer being Go Daddy Secure Certificate Authority. Do I need to contact them and get a new certificate to replace the one I just generated? Any help with this would be great.
I have attached a file that contains screen prints of the before and after.

Thank you,

daskas27 (Author) commented:
Also, since I did this the System Event log is filling up with Schannel errors. Event ID 36887
Simon Butler (Sembee), Consultant, commented:
With Exchange you now need to have two certificates.
A trusted commercial certificate from GoDaddy (or another trusted provider) and a self signed certificate.

The self signed certificate is used by Exchange internally for email transport. To replace that one, in EMS, run new-exchangecertificate - no other options or switches required. When you are prompted to replace the default SMTP certificate, say yes.

Is your GoDaddy certificate up for renewal? If not then you can leave that one alone, just ensure that it is enabled for the correct services.

You can see what is happening with


If the services are wrong, then use set-exchangecertificate -thumbprint XXXXX -services iis, imap, pop

to change it.

Will Szymkowski, Senior Solution Architect, commented:
If your third party SSL cert is expired then you are going to have to generate a new CSR from one of your Exchange CAS servers. You will then get a cer/crt file from GoDaddy. You would then import this certificate into the originating server where you requested the CSR from.

Make sure that when you complete the certificate import that you allow the key to be exportable.

When you have done that Open the EMS
Run the following command
Get-ExchangeCertificate | ft

You will see your Certificate in the list

Then run

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxx -services "pop,imap,smtp,iis"
Click Y to confirm

Test the certificate and check that the cert is updated. If it is, you can remove the old one.

Go back into the EMS
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxx

Repeat the steps above for all other Exchange CAS servers in your environment. Make sure that when you export the certificate from the original CAS server make sure that you export the private key as well.

If the services are wrong, then use set-exchangecertificate -thumbprint XXXXX -services iis, imap, pop
This needs to be Enable not Set.
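An added example, not code from the thread or from Microsoft, that turns the advice above into a one-shot audit from the Exchange Management Shell: it lists every certificate Exchange knows about, tells the self-signed transport certificate (Issuer equal to Subject) apart from the CA-issued one, flags those nearing expiry the way Event 12018 does, and checks that the CA-issued certificate is the one enabled for IIS. The 30-day threshold and the output layout are assumptions; the cmdlets used are the ones named in the answers.

```powershell
# Added audit script (assumed to run inside the Exchange Management Shell,
# where Get-ExchangeCertificate is available, on PowerShell 2.0 or later).
param([int]$WarnDays = 30)   # assumed threshold for "expiring soon"

$now = Get-Date
$report = foreach ($cert in Get-ExchangeCertificate) {
    $daysLeft   = [int]($cert.NotAfter - $now).TotalDays
    # The certificate New-ExchangeCertificate creates is self-signed: Issuer equals Subject.
    $selfSigned = ($cert.Issuer -eq $cert.Subject)
    $services   = [string]$cert.Services   # e.g. "IMAP, POP, IIS, SMTP" or "None"

    if ($daysLeft -lt 0) {
        $action = 'EXPIRED: replace before removing'
    } elseif ($selfSigned -and $daysLeft -le $WarnDays) {
        $action = 'Run New-ExchangeCertificate (internal SMTP/transport cert)'
    } elseif (-not $selfSigned -and $daysLeft -le $WarnDays) {
        $action = 'New CSR, import CA-issued cert, then Enable-ExchangeCertificate'
    } elseif ($services -eq 'None') {
        $action = 'Bound to no service: verify, then Remove-ExchangeCertificate'
    } else {
        $action = 'OK'
    }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        SelfSigned = $selfSigned
        Services   = $services
        DaysLeft   = $daysLeft
        Action     = $action
    }
}

# The thread's key point: the commercial (non-self-signed) cert is the one that belongs on IIS.
$iisCerts = $report | Where-Object { $_.Services -match 'IIS' -and -not $_.SelfSigned }
if (-not $iisCerts) {
    Write-Warning 'No CA-issued certificate is enabled for IIS; OWA/ActiveSync clients will get trust errors.'
}

$report | Sort-Object DaysLeft |
    Format-Table Thumbprint, SelfSigned, DaysLeft, Services, Action -AutoSize
```

Run it before and after the renewal; a row whose Action is not OK tells you which of the two certificates still needs attention.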

