There is no valid SMTP TLS certificate – Exchange 2007 on SBS 2008

Reviewing logs on my [easyazon-link asin=”B001QBPME6″ locale=”us”]Windows Small Business Server 2008[/easyazon-link] server and noted this error message:

There is no valid SMTP Transport Layer Security (TLS) certificate for FQDN  SERVER.DOMAIN.local. The existing certificate for that FQDN has expired ..

Here is the screenshot of the error message EventID; 12016

[easyazon-link asin=”0735640610″ locale=”us”]Microsoft Exchange Server 2010[/easyazon-link] and [easyazon-link asin=”0672329204″ locale=”us”]Microsoft Exchange Server 2007[/easyazon-link] Setup creates a self-signed certificate for the server to protect communication with services like SMTP, IMAP, POP, IIS and UM. In Exchange 2007, the certificate is issued for a period of one year. In Exchange 2010, the certificate validity period is raised to five years. The self-signed certificate meets an important need – securing communication paths for Exchange services by default. However it’s not recommended to use them for any client communication on an ongoing basis. For most deployments, you will end up purchasing a certificate from a trusted 3rd-party CA.

How do we fix this ?

If you check closer the error message it is actually very smart as it already is providing you with the fix. You will need to lunch Exchange Management Shell on your [easyazon-link asin=”0735620709″ locale=”us”]SBS 2008[/easyazon-link] server and run these commands:

#this will list the certificate in question that expired and need to be renewed on your server, click Y and make note of the thumprint of OLD and NEW certificate

Note the the Thumbprint of certificates in the screenshot – very important and do not make mistakes:

  • New Certificate = 30EF90D32E654C6E4D52F1428DE346C600AB69A8
  • Old Certificate =05D8F7B250DC6310C44A5BED532EDCCDE1DA8A92

Once you have completed the command and your certificate is now up to date and renewed you will need to enable the NEW certificate for IIS on [easyazon-link asin=”0735625204″ locale=”us”]Windows® Small Business Server 2008[/easyazon-link] and remove the OLD certificate from the server.

Enable-ExchangeCertificate -Thumbprint 30EF90D32E654C6E4D52F1428DE346C600AB69A8 -Services IIS
# this will enable and assign the certificate on IIS for the services such as IMAP, SMTP ..

Now you have to REMOVE the OLD certificate from the server by running this command:

Remove-ExchangeCertificate -Thumbprint 05D8F7B250DC6310C44A5BED532EDCCDE1DA8A92
# you will need to press Y for confirmation and the certificate will be removed and you are done

Note: Once you enable a certificate for a particular Exchange Server service, there’s no way to disable it (for that service). So pay attention to those certificate Thumbprint so you do not mess up your Exchange server 🙂

[easyazon-image align=”none” asin=”0470624434″ locale=”us” height=”160″ src=”” width=”128″]

Leave a Reply