Exchange 2007 creates a self-signed certificate during installation that uses all the server and domain names that are known to Exchange at the time of installation for use with services like SMTP, IMAP, POP, IIS and UM. These certificates are valid for 12 months.
The self-signed certificate meets an important need – securing communication for Exchange services by default. Nevertheless, one should treat these self-signed certificates as temporary. It’s not recommended to use these for any client communication on an ongoing basis.
When these certificates reaches the expiry date, some Warnings will be generated in Event log as follows:
The STARTTLS certificate will expire soon: subject:servername.domainname.com, hours remaining: B33EF13A248E1FC31414FF29BAC5A1041D54D27F. Run the New-ExchangeCertificate cmdlet to create a new certificate.
- A direct trust certificate will expire soon. Thumbprint:B33EF13A248E1FC31414FF29BAC5A1041D54D27F, hours remaining: 411
It may make sense to clone the existing certificates. Be aware that only the certificate metadata and not the key sets are cloned.To run the following cmdlets on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
To clone a new certificate from an existing certificate, you must first identify the current certificate for the domain by running the following command:
Get-ExchangeCertificate –DomainName mail1.contoso.com
Where mail1.contoso.com is the server name or the FQDN that you want to make a cloned certificate of.
The first certificate that is listed in the output is the default SMTP TLS certificate for the server.
To clone the certificate, run the following command:
Get-ExchangeCertificate –Thumbprint b4268cd7065c87cb942d60f7293feb7d533a4cfd | New-ExchangeCertificate
Where the value for Thumbprint is from the first certificate that was listed in the output for Get-ExchangeCertificate. This command extracts the names from the existing certificate that are identified by the thumbprint and uses them in the new self-signed certificate.
If the existing certificate is being used for SMTP, you will be asked for a confirmation to overwrite. Type ‘Y’ to continue. A new certificate will be generated. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – It will not be enabled for IIS.
To enable the certificate for IIS:
Enable-ExchangeCertificate -thumbprint “7WA56741539DBA19D1A43A6C8161ED2D0B3B9E6G” -services IIS
If there is Edge Transport Server in your organisation, it might take some time to synchronise and the mails will be held in the queue until then. Once all the services are working with the new certificate, the old certificate can be removed.
Remove-ExchangeCertificate -thumbprint “b4268cd7065c87cb942d60f7293feb7d533a4cfd”