STARTTLS will expire soon multiple certs request help

  • Question

  • We are getting the above message.  I have read to delete the old certs and run New-ExchangeCertificate.  My issue lies in which do I need to delete.  We do have an SSL from Go Daddy that I know will need to be renewed next month.  That one I am familiar with but not the STARTTLS ones.  If I do get-exchangecertificate here is what I get:

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    479767EB6F406C80A123B1231E1325300EA83396  IP..S      CN=mail.orchardhillchur...
    C9647E407B5393AE51DCF3DD1A6E48F859CFB907  ....S      CN=OHC-DC1
    ADCD2C180D7C6939D55AC1072016E96253F5DF8D  IP.WS      CN=mail.orchardhillchur...
    BB2C03D92F9F1C38E9B82A410831CF74BFB656A3  ....S      CN=OHC-DC1
    26EADC40708688CD8012E86DCD7F9CEC7813F777  ....S      CN=WMSvc-OHC-DC1

    If I do start - mmc - add - certificates, this is what I have listed:

    Issued to:                  Issued by                    Expires   Intended Purposes
    mail.orchardhillchurch.com  Go Daddy Secure Cert         5/18/11   Server Auth, Client Auth
    mail.orchardhillchurch.com  Mail.orchardhillchurch.com   4/27/11   Server Auth
    OHC-DC1                     OHC-DC1                      4/23/11   Server Auth
    OHC-DC1                     OHC-DC1                      4/17/11   Server Auth
    WMSvc-OHC-DC1               WMSvc-OHC-DC1                4/15/11   Server Auth

    I know what I will have to do with the Go Daddy SSL Cert next month.  Which ones pertain to the STARTTLS that I need to delete and renew though?  Thank you for helping out ahead of time.


    Edit: sorry forgot running Exchange 2007 on Server 2008 Standard.
    Monday, April 4, 2011 7:17 PM

Answers

  • STARTTLS is used by SMTP connectors, so it is one of the certificates marked for SMTP use.

    Renew your certs first, then delete old certs.

    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
    • Proposed as answer by Gavin-Zhang Tuesday, April 5, 2011 10:11 AM
    • Marked as answer by Gavin-Zhang Wednesday, April 6, 2011 9:14 AM
    Monday, April 4, 2011 10:57 PM

All replies

  • Doesn't that error list the thumbprint of the cert that is ready to expire?

    That get-exchangecertificate command piped to FL (get-exchangecertificate | fl) will list all the details.

    Monday, April 4, 2011 7:23 PM
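
An added example, not part of the original thread: one way to carry out the advice above in the Exchange Management Shell, by listing the SMTP-enabled certificates with their expiry dates and then renewing a self-signed one before the old copy is removed. The 60-day window and the `$renew` variable are assumptions made for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on the Exchange 2007 server. $windowDays is an assumed threshold.
$windowDays = 60
$cutoff     = (Get-Date).AddDays($windowDays)

# 1. Only certificates enabled for SMTP can be offered for STARTTLS.
#    The short table view truncates Subject and hides NotAfter, so ask for them.
$smtpCerts = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Sort-Object NotAfter

$smtpCerts | Format-List Thumbprint, Services, NotAfter, IsSelfSigned, Subject

# 2. Flag the SMTP certificates that expire inside the window and say how
#    each one is renewed: self-signed in place, CA-issued through the issuer.
foreach ($cert in $smtpCerts) {
    if ($cert.NotAfter -ge $cutoff) { continue }
    if ($cert.IsSelfSigned) {
        Write-Host "Self-signed, renew in place: $($cert.Thumbprint) expires $($cert.NotAfter)"
    } else {
        Write-Host "CA-issued, renew with the issuer: $($cert.Thumbprint) expires $($cert.NotAfter)"
    }
}

# 3. Renew first. Set $renew to the thumbprint of ONE expiring self-signed
#    certificate reported in step 2 (left empty here so nothing runs by accident).
$renew = $null
if ($renew) {
    # Piping the old certificate into New-ExchangeCertificate clones its
    # subject and names into a new self-signed certificate.
    Get-ExchangeCertificate -Thumbprint $renew | New-ExchangeCertificate

    # 4. Confirm the new certificate is listed and carries the services the
    #    old one had. If a service is missing, enable it on the new thumbprint
    #    with Enable-ExchangeCertificate -Thumbprint <new> -Services <list>.
    Get-ExchangeCertificate |
        Sort-Object NotAfter |
        Format-List Thumbprint, Services, NotAfter, Subject

    # 5. Delete the old certificate only after the check in step 4 passes
    #    and mail flow has been tested:
    # Remove-ExchangeCertificate -Thumbprint $renew
}
```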