Chris Swinney asked:

Certificate Questions - Exchange 2016

If we have a valid SSL certificate for server/client authentication, is there any reason to have a TLS certificate?
Asking because I'm receiving the following event frequently in Event Viewer:

"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of exchangecas.cfwebmasters.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of exchangecas.cfwebmasters.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task."

Also should expired certificates be removed?
Exchange-certs.PNG
McKnife

Above your highlighted cert is another cert and that other is expired - I guess that is what is in use and what the message is talking about.
ASKER CERTIFIED SOLUTION
Satish Auti

ASKER

The certificate that is expired has the following services: imap, pop, SMTP
The certificate with the same name but valid has the services: imap, pop, IIS

Glad I didn't delete that certificate earlier.

Any help with renewing that certificate? I have the thumbprint, just never done this before.
Your old certificate is no longer in use now because it has already expired. Assign the SMTP service to the new certificate.

Enable-ExchangeCertificate -Thumbprint <NewCertificateThumbprint> -Services SMTP

It will give a warning message; type Y and hit Enter.
Good deal! I did that and now see the SMTP service on the valid certificate!

Good to remove the old one you think?
Keep it for a day or two and verify that event ID 12016 will not appear again.
Restart the Microsoft Exchange Transport service or reboot your server, and test that your certificate is working by connecting with IE, ActiveSync, or Outlook.
As I see, this valid certificate will expire in 20 days too.
Be prepared to renew it or create a new request very soon.
@Tom
I think I'll go ahead and renew it now.
So far everything's good, that or the phones are down haha
Keep the certificate ready and install it as well, and assign the services on the last day.
Thanks Satish!
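
The check this thread walks through (which certificate for the FQDN holds SMTP, which is expired, which is close to expiry), as an added example that is not part of any post above. `Get-SmtpCertReview` is a hypothetical helper name, and the thumbprints and dates in the sample data are constructed to mirror the situation described; on an Exchange server the input would come from `Get-ExchangeCertificate`.

```powershell
# Added example: review certificate objects shaped like Get-ExchangeCertificate output.
# Get-SmtpCertReview is a hypothetical name; the sample objects below are constructed.
function Get-SmtpCertReview {
    param(
        [Parameter(Mandatory)] [object[]] $Certificates,
        [Parameter(Mandatory)] [string]   $Fqdn,
        [datetime] $Now      = (Get-Date),
        [int]      $WarnDays = 30
    )
    foreach ($cert in $Certificates) {
        # Only certificates that name the FQDN from the event text are relevant.
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        if ($domains -notcontains $Fqdn) { continue }

        $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
        # Services is a flags value on a real server; its string form lists the names.
        $hasSmtp  = "$($cert.Services)" -match '\bSMTP\b'

        $notes = @()
        if ($daysLeft -lt 0) {
            $notes += if ($hasSmtp) { 'expired and still assigned to SMTP' }
                      else { 'expired, not used by SMTP' }
        } else {
            if (-not $hasSmtp)           { $notes += 'valid, SMTP not assigned' }
            if ($daysLeft -le $WarnDays) { $notes += "expires in $daysLeft days, plan renewal" }
        }
        if (-not $notes) { $notes = @('ok') }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Services   = "$($cert.Services)"
            DaysLeft   = $daysLeft
            Finding    = $notes -join '; '
        }
    }
}

# Constructed sample: the two same-name certificates described in the thread.
$now  = Get-Date
$fqdn = 'exchangecas.cfwebmasters.com'
$sample = @(
    [pscustomobject]@{ Thumbprint = 'SAMPLE-EXPIRED-THUMBPRINT'; CertificateDomains = @($fqdn)
                       Services = 'IMAP, POP, SMTP'; NotAfter = $now.AddDays(-10) }
    [pscustomobject]@{ Thumbprint = 'SAMPLE-VALID-THUMBPRINT';   CertificateDomains = @($fqdn)
                       Services = 'IMAP, POP, IIS';  NotAfter = $now.AddDays(20) }
)
Get-SmtpCertReview -Certificates $sample -Fqdn $fqdn -Now $now | Format-Table -AutoSize

# On an Exchange server (assumes the Exchange Management Shell is loaded):
# Get-SmtpCertReview -Certificates (Get-ExchangeCertificate) -Fqdn $fqdn
```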