Exchange 2007 Renew Certificates

      I have a question about renewing certificates on Exchange 2007. I am getting warnings in the application event logs. It is Event ID 12018. It states the STARTTLS certificate will expire soon and to run the New-ExchangeCertificate cmdlet. I did this and copied the thumbprint to IIS and thought I was all set. However, going over the before and after output for the certificates I notice my old certificate has the Issuer being Go Daddy Secure Certificate Authority. Do I need to contact them and get a new certificate to replace the one I just generated? Any help with this would be great.
      I have attached a file that contains screen prints of the before and after.

Thank you,
Who is Participating?
Will SzymkowskiSenior Solution ArchitectCommented:
If your thrid party SSL cert is expired then you are going to have to generate a new CSR from one of your Exchange CAS servers. You will then get a cer/crt file from GoDaddy. You would then import this certificate into the originating server where you requested the CSR from.

Make sure that when you complete the certificate import that you allow the key to be exportable.

When you have done that Open the EMS
Run the following command
Get-ExchangeCertificate | ft

You will see your Certificate in the list

Then run

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxx -services "pop,imap,smtp,iis"
Click Y to confirm

Test the certificate using check that that cert is updated. If it is you can remove the old one

Go back into the EMS
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxx

Repeat the steps above for all other Exchange CAS servers in your environment. Make sure that when you export the certificate from the original CAS server make sure that you export the private key as well.

If the services are wrong, then use set-exchangecertificate -thumbprint XXXXX -services iis, imap, pop
This needs to be Enable not Set.

daskas27Author Commented:
Also, Since I did this the System Event log is filling up with Schannel errors. Event ID 36887
Simon Butler (Sembee)ConsultantCommented:
With Exchange you now need to have two certificates.
A trusted commercial certificate from GoDaddy (or another trusted provider) and a self signed certificate.

The self signed certificate is used by Exchange internally for email transport. To replace that one, in EMS, run new-exchangecertificate - no other options or switches required. When you are prompted to replace the default SMTP certificate, say yes.

Is your GoDaddy certificate up for renewal? If not then you can leave that one alone, just ensure that it is enabled for the correct services.

You can see what is happening with


If the services are wrong, then use set-exchangecertificate -thumbprint XXXXX -services iis, imap, pop

to change it.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.