STARTTLS certificate clarification

  • Question

  • Hello,

    The following error recently started appearing on the Exchange server. This is a new Exchange Server 2016 set up in November 2019. This appears to be a self-signed certificate generated by our certificate authority (domain controller) that was added automatically when I set up the Exchange server. Its assigned services are SMTP. However, I already have a paid SSL from an external CA, “GoDaddy”, whose assigned services are SMTP, IMAP, POP and IIS.

    Should I be able to just delete this certificate without affecting SMTP services since they are already in the paid SSL?

    Thanks,

    Roger

    Log Name:      Application
    Source:        MSExchangeFrontEndTransport
    Date:          9/22/2020 1:17:13 PM
    Event ID:      12018
    Task Category: TransportService
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server.Domain.com
    Description:
    The STARTTLS certificate will expire soon: subject: Server.Domain.com, thumbprint: 3EF08F7741771D45485B0A97B9D7DEBDEB58C629, expires: 11/20/2020 12:12:09 AM. Run the New-ExchangeCertificate cmdlet to create a new certificate.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeFrontEndTransport" />
        <EventID Qualifiers="49156">12018</EventID>
        <Level>2</Level>
        <Task>12</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2020-09-22T17:17:13.455934100Z" />
        <EventRecordID>3562430</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Server.Domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Server.Domain.com</Data>
        <Data>3EF08F7741771D45485B0A97B9D7DEBDEB58C629</Data>
        <Data>11/20/2020 12:12:09 AM</Data>
      </EventData>
    </Event>


    r

    Tuesday, September 22, 2020 5:29 PM

Answers

  • Hi,

    Yes. You can go ahead and remove the old self-signed certificate as long as the new commercial certificate has been assigned to the SMTP service.

    Please run the command below to double check it:

    Get-ExchangeCertificate | FL ThumbPrint, Services, IsSelfSigned

    Once confirmed, the old self-signed certificate can be removed using:

    Remove-ExchangeCertificate -Thumbprint <self-signed cert thumbprint>

    By the way, this forum mainly focuses on development issues related to Exchange and is not under moderation, and the previous TechNet forum for general issues about Exchange has been moved to the Microsoft Q&A Platform. If you need further assistance regarding this question or have new questions about Exchange, it's recommended to register on the Microsoft Q&A Platform and create new threads there.

    Regards, 

    Yuki Sun




    Friday, September 25, 2020 7:22 AM
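
The check-then-remove procedure from the answer above, written out as an added PowerShell example (not part of the original thread). It assumes the Exchange Management Shell on the server named in the event and uses the thumbprint from the event text; the expiry filter and the -WhatIf preview are additions beyond the two commands in the answer.

```powershell
# Added example: verify a replacement SMTP certificate exists before removing
# the expiring one reported by Event ID 12018.
# Thumbprint copied from the event description in the question.
$expiring = '3EF08F7741771D45485B0A97B9D7DEBDEB58C629'

$certs  = Get-ExchangeCertificate
$target = $certs | Where-Object { $_.Thumbprint -eq $expiring }
if (-not $target) {
    throw "Certificate $expiring was not found on this server."
}

# Certificates that can keep serving STARTTLS once the target is gone:
# different thumbprint, SMTP assigned, not self-signed, not yet expired.
# Services can arrive as a flags enum or as a string, so it is compared as text.
$replacements = $certs | Where-Object {
    $_.Thumbprint -ne $expiring -and
    "$($_.Services)" -match '\bSMTP\b' -and
    -not $_.IsSelfSigned -and
    $_.NotAfter -gt (Get-Date)
}

# Show the full picture, soonest expiry first, for the change record.
$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize

if (-not $replacements) {
    throw 'No other unexpired, non-self-signed certificate has SMTP assigned; do not remove.'
}

# The question describes the certificate as self-signed; flag it if Exchange disagrees.
if (-not $target.IsSelfSigned) {
    Write-Warning "Certificate $expiring is not reported as self-signed; review before removing."
}

# Preview only. Rerun without -WhatIf to actually remove the certificate.
Remove-ExchangeCertificate -Thumbprint $expiring -WhatIf
```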