Friday 2 August 2013

Exchange Transport TLS Certificate Expiry Warnings and/or Errors

Those who have been supporting SBS Standard for a number of years now will be finding that the Exchange self-issued (self-signed) certificates created at install time are expiring.

One self-issued certificate, which appears to be independent of the certificate installed by the SBS Third Party Trusted Certificates Wizard, is bound to the SMTP service and is used for Transport Layer Security (TLS) on mail flow. When it expires, the Transport service logs the following event:


    Event Details:   

    There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of SBS.DOMAIN.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of SBS.DOMAIN.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

The FQDN listed in the event tells us which certificate, and therefore which Thumbprint, we need.

  • Open the Exchange Management Shell (Run as administrator)
  • Get-ExchangeCertificate | Select CertificateDomains,Thumbprint,Status,Services | fl

The resulting list shows every certificate in the computer's Personal store on that server. Note the certificate with an INVALID status whose CertificateDomains contains the FQDN from the event (SBS.DOMAIN.local in the example above); its Services entry should include SMTP.

Copy that certificate's Thumbprint (a 40-character hexadecimal SHA-1 hash, not a GUID) and paste it into the following command, which clones the expired self-signed certificate with the same domains and service bindings:

  • Get-ExchangeCertificate -Thumbprint <ThumbprintHere> | New-ExchangeCertificate

At the prompt to overwrite the existing SMTP certificate answer Yes. Note that the en dash some editors substitute for the hyphen in -Thumbprint will cause the cmdlet to fail; type the hyphen.

The expired certificate should now be replaced and Exchange Transport will continue on. Run Get-ExchangeCertificate again to confirm that a certificate for the FQDN now shows a Status of Valid with SMTP in its Services, and only then remove the expired one with Remove-ExchangeCertificate -Thumbprint <OldThumbprintHere>; leaving it in place is harmless, but removing the wrong one will break mail flow.
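The whole procedure as one script, added here as an example and not taken from the original post. It assumes it is run in the Exchange Management Shell on the SBS server, and $Fqdn is a placeholder for the FQDN named in your own event text; it locates the expired self-signed certificate(s) for that FQDN, clones each with New-ExchangeCertificate, and then verifies that a Valid SMTP certificate exists before you touch the old one.

```powershell
# Added example, not code from the original post. Run in the Exchange Management Shell.
# $Fqdn is a placeholder: replace it with the FQDN from the event text on your server.
$Fqdn = 'SBS.DOMAIN.local'

# List every certificate in the computer's Personal store as Exchange sees it
$certs = Get-ExchangeCertificate
$certs | Select-Object Thumbprint, Status, NotAfter, Services, IsSelfSigned, CertificateDomains | Format-List

# Pick the self-signed certificate(s) for the FQDN that are expired or flagged as not Valid.
# CertificateDomains is a collection, so stringify each entry before comparing.
$expired = $certs | Where-Object {
    $_.IsSelfSigned -and
    (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $Fqdn) -and
    ($_.Status -ne 'Valid' -or $_.NotAfter -lt (Get-Date))
}

if (-not $expired) {
    Write-Host "No expired self-signed certificate found for $Fqdn; nothing to do."
    return
}

foreach ($old in $expired) {
    # Piping the old certificate into New-ExchangeCertificate clones it with the same
    # domains and service bindings. -Confirm:$false answers the overwrite prompt with Yes.
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate -Confirm:$false
    Write-Host "Replaced $($old.Thumbprint) (expired $($old.NotAfter)) with $($new.Thumbprint) (expires $($new.NotAfter))"
}

# Verify: a Valid, SMTP-enabled certificate must now exist for the FQDN.
# Only after this shows Valid should the old thumbprint be handed to Remove-ExchangeCertificate.
Get-ExchangeCertificate |
    Where-Object {
        (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $Fqdn) -and
        ("$($_.Services)" -match 'SMTP')
    } |
    Select-Object Thumbprint, Status, NotAfter, Services | Format-Table -AutoSize
```

The script deliberately does not delete anything: the expired certificate is left in the store so that you can compare thumbprints in the verification output and remove the right one by hand.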

Philip Elder
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

Chef de partie in the SMBKitchen