Exchange 2013 certificates expired

Question

Exchange 2013 certificates expired

Bob Pants 261

I've got an old Exchange 2013 box which is running hybrid for our on-prem AD. Several of it's built-in certs are expired.

The one highlighted is from our local CA, I have another test box and this is just called "Microsoft Exchange" and it's a self-signed cert. I'm not sure why this one is from our CA, why would it be? can I convert it back to self-signed?

The other ones, there are multiple copies of, the Exchange Delegation one, the new cert has no roles.

the MS Exchange Server Auth one, I tried to delete the duplicate and it gives error about RPC in use by Transport service

Should I just run the HCW again? User's image

Any advice on how to repair these certs appreciated. I can't even upgrade the box as it is now as the upgrade will fail while the certs are all borked.

1 answer

Your answer

Answer 1

Hi @ Bob Pants

You mentioned you have an old Exchange 2013 server, did you have any other on-premises Exchange server, such as Exchange 2019? Or do you want to upgrade Exchange 2013 to Exchange 2016 or 2019?

The other ones, there are multiple copies of, the Exchange Delegation one, the new cert has no roles.

I am not sure what is you meaning of it. Could you please describe more details to us?

Based on my research, the "Microsoft Exchange" certificate itself is an self-signed certificate. So you don’t need to convert it to back. When you install Exchange 2016 or Exchange 2019 on a server, two self-signed certificates are created and installed by Exchange. In this official document, it describes two self-signed certificates:

Digital certificates and encryption in Exchange Server | Microsoft Learn

the MS Exchange Server Auth one, I tried to delete the duplicate and it gives error about RPC in use by Transport service

This is also the self-signed certificate and still have the service running and we don't recommend you delete it. If this certificate has been expired, we suggest you renew it.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Bob Pants 261 Reputation points

2024-04-04T03:33:07.7166667+00:00

I am not trying to upgrade this server right now, that's not my immediate problemAs I showed in the image, there are multiple copies of some certificates.

There are three copies of "Microsoft Exchange Server Auth Certificate" all say they are valid. How can I make it so there is only one of them as there should be?

There are two copies of "Exchange Delegation Federation" the new one that is "valid" has no services assigned to it. This got added when I clicked the 'renew' link.

The expied one has services "SMTP, Federation" assigned. When I click on the pencil edit icon on the new cert, "Federation" does not appear as an available option.

How can I correct this so the expired one can be deleted?

The "Microsoft Exchange" certificate in the example I showed is not a self-signed certificate, it's from our local CA. The question was, WHY is it like this and not a self-signed cert and can I revert this?

Share via

Exchange 2013 certificates expired

1 answer

Your answer