The STARTTLS certificate will expire soon


  • Hello,
    Just got the following error on my 3 node Exchange 2013 cluster:
    "The STARTTLS certificate will expire soon: subject: apollo.domain.local, thumbprint: B9BDF6DD6F89325DC2A762C711FE5BDDFD8BAE89, hours remaining: 1749. Run the New-ExchangeCertificate cmdlet to create a new certificate"

    Getting the Exchange Certificates (that are not Self-signed) shows:

    [PS] C:\Windows\system32>Get-ExchangeCertificate | Where {$_.IsSelfSigned -eq $false} | FL

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
    CertificateDomains : {, mailadmin, hermes.domain.local, apollo.domain.local, pontus.domain.local,
                         hermes, apollo, pontus}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=domain-SERVER-CA
    NotAfter           : 10/03/2018 13:11:02
    NotBefore          : 10/03/2016 13:01:02
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 39000000503598F255DB9C44F7000100000050
    Services           : IIS
    Status             : Valid
    Subject            :
    Thumbprint         : B9BDF6DD6F89325DC2A762C711FE5BDDFD8BAE89

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
    CertificateDomains : {,,}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=,
                         O=", Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 20/01/2019 19:02:39
    NotBefore          : 20/01/2016 19:02:39
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 3E2D2D08AA52A359
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            :, OU=Domain Control Validated
    Thumbprint         : 60390A88B5692790BBA90D9BF1D448A709CFB999

    Mail Servers: hermes, apollo, pontus
    Certificate Auth: domain-SERVER-CA

    Now I have a couple of months to sort this, but would like to get ahead of the game.  I have read that I need to run the command

    New-ExchangeCertificate -Thumbprint <Thumbprint>


    Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Service IIS

    I have a couple of questions:

    1. Is this the correct procedure?
    2. As this is a cluster, do I need to run it on all three servers?
    3. Will this overwrite the Third Party certificate?  I've read that you get asked!


    Monday, January 8, 2018 10:25 AM

All replies

  • Yes,You have to request for a new certificate before it getting expored and enable the certificate once it is generated.Follow below article.

    Jayakumar K

    Monday, January 8, 2018 12:35 PM
  • Hi,
    I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns, please don't hesitate to let me know. And if the replies has helped you, please help to mark as answer since it could be helpful for others.
    Thanks for your time.


    Jason Chao

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Friday, January 19, 2018 2:01 AM