Self-signed Certificate Request for TLS

Exchange 2007 creates a self-signed certificate during installation that uses all the server and domain names that are known to Exchange at the time of installation for use with services like SMTP, IMAP, POP, IIS and UM. These certificates are valid for 12 months.

The self-signed certificate meets an important need – securing communication for Exchange services by default. Nevertheless, one should treat these self-signed certificates as temporary. It’s not recommended to use these for any client communication on an ongoing basis.

When these certificates reaches the expiry date, some Warnings will be generated in Event log as follows:

  1. The STARTTLS certificate will expire soon:, hours remaining: B33EF13A248E1FC31414FF29BAC5A1041D54D27F. Run the New-ExchangeCertificate cmdlet to create a new certificate.
  2. A direct trust certificate will expire soon. Thumbprint:B33EF13A248E1FC31414FF29BAC5A1041D54D27F, hours remaining: 411

It may make sense to clone the existing certificates. Be aware that only the certificate metadata and not the key sets are cloned.To run the following cmdlets on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

  • To clone a new certificate from an existing certificate, you must first identify the current certificate for the domain by running the following command:

Get-ExchangeCertificate –DomainName

Where is the server name or the FQDN that you want to make a cloned certificate of.

The first certificate that is listed in the output is the default SMTP TLS certificate for the server.

  • To clone the certificate, run the following command:

Get-ExchangeCertificate –Thumbprint b4268cd7065c87cb942d60f7293feb7d533a4cfd | New-ExchangeCertificate

Where the value for Thumbprint is from the first certificate that was listed in the output for Get-ExchangeCertificate. This command extracts the names from the existing certificate that are identified by the thumbprint and uses them in the new self-signed certificate.

  • If the existing certificate is being used for SMTP, you will be asked for a confirmation to overwrite. Type ‘Y’ to continue. A new certificate will be generated. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – It will not be enabled for IIS.

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint “7WA56741539DBA19D1A43A6C8161ED2D0B3B9E6G” -services IIS

If there is Edge Transport Server in your organisation, it might take some time to synchronise and the mails will be held in the queue until then. Once all the services are working with the new certificate, the old certificate can be removed.

Remove-ExchangeCertificate -thumbprint “b4268cd7065c87cb942d60f7293feb7d533a4cfd”


One thought on “Self-signed Certificate Request for TLS

  1. Hi, My self-signed certificate is expiring… is this different than my SAN SSL certificate?
    My self-signed cert is asking for servername.domain.local and my SSL cert is currently NOT SAN cert, but using
    I have now purchased a SAN cert to replace the current SSL cert so I have added:,,, servername.domain.local, servername.

    Will the new cert be enough and I won’t need the self-signed anymore?

    Thanks in advance,


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s