Renewing self-signed certificates

Often we run into cases where a server's internal certificate needs to be renewed. These are usually certificates that were generated and self-signed by the server itself. Their validity period is usually one year, although it has been increased in versions of Exchange later than 2007. Unlike renewing an Exchange email certificate issued by a third party such as GoDaddy, you can generate a new self-signed certificate with a few commands in the Exchange PowerShell (the Exchange Management Shell).

First, you need the thumbprint of the certificate that is expiring or has already expired. You can find it by running the following command in the EMC:

Get-ExchangeCertificate | fl

This lists every certificate installed on the server, including each one's thumbprint. Once you have the thumbprint of the certificate to renew, run the following command:

Get-ExchangeCertificate -thumbprint "Thumbprint" | New-ExchangeCertificate

For example: Get-ExchangeCertificate -thumbprint "45FE914BCA0335063D340D8AE0" | New-ExchangeCertificate

After running this command, you will be asked to confirm that you want to overwrite the old certificate with the newly generated one. Once you accept, a new certificate is created, and you may need to re-assign any services (such as IIS or SMTP) that were bound to the old one. Check with Get-ExchangeCertificate | fl that the new certificate shows the expected services and a future expiry date. Only then remove the old certificate, so that the server stops generating the corresponding expired-certificate event log entries. You can do this by running the following command with the thumbprint used previously:

Remove-ExchangeCertificate -thumbprint "45FE914BCA0335063D340D8AE0"

You should no longer see the expired or expiring certificate listed and should be good to go.
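The whole procedure above as one script, added here as an example and not part of the original post. It runs in the Exchange Management Shell on the server that owns the certificates, with an account allowed to manage Exchange certificates. The cmdlets (Get-ExchangeCertificate, New-ExchangeCertificate, Enable-ExchangeCertificate, Remove-ExchangeCertificate) are the standard Exchange ones; the $ExpiresWithinDays threshold, the $DryRun switch and the choice to touch only self-signed certificates are assumptions made for this example. Unlike the manual steps, it refuses to remove an old certificate until the replacement has been re-read from the store and found valid.

```powershell
# Added example (not from the original post): renew every self-signed Exchange
# certificate that expires within $ExpiresWithinDays, re-enable its services on
# the replacement, verify the replacement, and only then remove the old one.
# Assumes it runs in the Exchange Management Shell on the server that owns the
# certificates, with an account allowed to manage Exchange certificates.
param(
    [int]$ExpiresWithinDays = 30,   # assumed threshold for "expiring soon"
    [switch]$DryRun                  # list what would happen, change nothing
)

$cutoff = (Get-Date).AddDays($ExpiresWithinDays)

# Step 1: find the candidates. Third-party certificates are skipped on purpose;
# those are renewed through the issuing CA, not with New-ExchangeCertificate.
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -le $cutoff }

if (-not $expiring) {
    Write-Host "No self-signed certificates expire before $cutoff."
    return
}

foreach ($old in $expiring) {
    Write-Host ("Renewing {0} (subject {1}, expires {2}, services {3})" -f `
        $old.Thumbprint, $old.Subject, $old.NotAfter, $old.Services)

    if ($DryRun) { continue }

    # Step 2: clone the old certificate into a new self-signed one with the same
    # subject and domains. -Force suppresses the overwrite confirmation prompt.
    $new = $old | New-ExchangeCertificate -Force

    # Step 3: carry the service bindings over. 'None' means nothing was bound,
    # and Enable-ExchangeCertificate would reject it.
    if ($old.Services -ne 'None') {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint `
            -Services $old.Services -Force
    }

    # Step 4: verify the replacement before removing anything. Re-read it from
    # the certificate store rather than trusting the object returned above.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if (-not $check -or $check.NotAfter -le (Get-Date) -or
        ($old.Services -ne 'None' -and $check.Services -eq 'None')) {
        Write-Warning ("Replacement {0} failed verification; keeping old certificate {1}." -f `
            $new.Thumbprint, $old.Thumbprint)
        continue
    }

    # Step 5: remove the expired/expiring certificate so the server stops
    # logging certificate-expiry events for it.
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    Write-Host "Replaced $($old.Thumbprint) with $($new.Thumbprint)."
}

# Final state for the log: nothing self-signed should still be near expiry.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned |
    Sort-Object NotAfter | Format-Table -AutoSize
```

Run it once with -DryRun to see which certificates would be touched, then again without it. The verification step is the point of scripting this at all: the manual procedure removes the old certificate on trust, whereas the script re-reads the new certificate from the store and keeps the old one in place if the replacement is missing, already expired, or lost its service bindings.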
