ExchangeCertificate
Hello,
I use Exchange 2007 and I was checking my ExchangeCertificate on my Hubcas1. I found 3 certificates.
It seems like I have a certificate that is no longer in use, but I do not know how I could check that. I do not want to do Remove-ExchangeCertificate before being sure about it.
Can you help me verify whether the certificate is still in use or not, and how many certificates should exist on CASHUB and Edge servers?
>Get-ExchangeCertificate | fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {HUBCAS1, HUBCAS1.company.intra}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=HUBCAS1
NotAfter : 19/03/2011 09:52:14
NotBefore : 19/03/2010 09:52:14
PublicKeySize : 2048
RootCAType : None
SerialNumber : 9310382E50022D854086857928DDC872
Services : SMTP
Status : Valid
Subject : CN=HUBCAS1
Thumbprint : 11O9R3085B1EF3C888AA9137147BD59B4134H572

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.company.com, mail.com-pany.com, autodiscover.company.com, autodiscover.com-pany.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : SERIALNUMBER=7p397jecZVBvDK/8LRmP09jNJbitszI, C=FR, S=UK, L=London, O=company, OU=exchcex01, CN=mail.company.com
NotAfter : 14/01/2011 21:50:40
NotBefore : 14/01/2010 21:50:40
PublicKeySize : 1024
RootCAType : None
SerialNumber : 6O12542BF346FFA44407870973POPA9
Services : IMAP, POP, SMTP
Status : Valid
Subject : SERIALNUMBER=7p397jecZVBvseDK/8LRmP09jNJbitszI, C=FR, S=UK, L=London, O=company, OU=exchcex01, CN=mail.company.com
Thumbprint : 5B3B8696C01379FE2BAE33C918CB87495EAFCE6

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.company.com, mail.com-pany.com, autodiscover.company.com, autodiscover.com-pany.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotAfter : 16/01/2011 19:30:07
NotBefore : 14/01/2010 03:19:26
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : 0ED2DD
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=mail.company.com, OU=exchcex01, O=company, L=London, S=UK, C=FR, SERIALNUMBER=7p397jecZVBvseK/8LRmP09jNJbitszI
Thumbprint : LPO16A53B9DD0997420E9BB8EA9DAACFBEA877BA0
December 3rd, 2010 5:47am
The Services property tells you if the certificate is enabled or not. If there is a service (SMTP, IMAP, POP or IIS) listed, the certificate is in use. It looks like all your certificates are enabled for at least one service, but that doesn't mean that they're needed. Which certificate do you want to remove?
There should be at least one certificate enabled that matches all names/FQDNs that Exchange uses; this includes both internal and external names/FQDNs.
Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 |
http://msundis.wordpress.com
December 3rd, 2010 6:08am
You have two self-signed certificates in there. It looks like one is the original certificate as installed by Exchange, the second is an attempt to install a multiple-name certificate, but again using a self-signed certificate, and the third is your commercial certificate, which expires in the new year. Have you removed some entries from the Certificate Domains list? The third-party name list is incomplete: it doesn't contain the local machine names. As such, I think if you remove the second certificate, the next time Exchange restarts it may well create its own self-signed certificate.
As your third-party certificate is due to expire in just over a month, I wouldn't touch anything for now. Do your new certificate with the common name, the autodiscover names and the server's NetBIOS and FQDN names. Once the new certificate is in, remove the other two self-signed certificates, which will be close to expiry.
Simon.
Simon Butler, Exchange MVP | Blog | Exchange Resources
December 3rd, 2010 8:22am
Hi,
You just need to keep the certificate with Thumbprint "LPO16A53B9DD0997420E9BB8EA9DAACFBEA877BA0". This certificate is being used by IIS. You can have more than one certificate for IMAP, POP and SMTP, but for IIS (your web site, which is hosting OWA, ActiveSync, etc.), there can only be one certificate.
Gen Lin-MSFT
December 6th, 2010 5:07am
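The three answers above boil down to a checklist: a certificate with nothing in Services is not in use, the one carrying IIS is the one OWA/ActiveSync depend on (and only one certificate can carry IIS), and anything close to expiry or missing the names Exchange presents needs attention before removal. The script below, added here as an illustration and not taken from the thread or from any Microsoft tooling, applies that checklist in the Exchange Management Shell. It assumes PowerShell 2.0 or later, a 30-day expiry threshold, and an $ExpectedNames list taken from the names visible in the question's output; adjust both to your environment.

```powershell
# Added example: triage Exchange certificates the way the answers above describe.
# Assumptions: run inside the Exchange Management Shell (Get-ExchangeCertificate),
# PowerShell 2.0+, a 30-day expiry warning, and the name list below (from the
# question's output; hypothetical for any other environment).

$ExpiryWarningDays = 30
$ExpectedNames = @(
    'mail.company.com', 'autodiscover.company.com',   # external / autodiscover names
    'HUBCAS1', 'HUBCAS1.company.intra'                 # server NetBIOS and FQDN
)

$report = foreach ($c in Get-ExchangeCertificate) {
    $svc      = [string]$c.Services                       # e.g. "IMAP, POP, IIS, SMTP" or "None"
    $domains  = @($c.CertificateDomains | ForEach-Object { "$_" })
    $missing  = @($ExpectedNames | Where-Object { $domains -notcontains $_ })
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    $onIIS    = ($svc -match '\bIIS\b')

    # Verdict follows the thread: unbound -> removable; IIS -> keep; self-signed -> review.
    if ([string]::IsNullOrEmpty($svc) -or $svc -eq 'None') {
        $verdict = 'not bound to any service: candidate for Remove-ExchangeCertificate'
    } elseif ($onIIS) {
        $verdict = 'bound to IIS (OWA/ActiveSync): keep'
    } elseif ($c.IsSelfSigned) {
        $verdict = 'self-signed but bound: review before removal'
    } else {
        $verdict = 'bound: keep'
    }

    New-Object PSObject -Property @{
        Thumbprint   = $c.Thumbprint
        SelfSigned   = $c.IsSelfSigned
        Services     = $svc
        BoundToIIS   = $onIIS
        DaysToExpiry = $daysLeft
        MissingNames = ($missing -join ', ')
        Verdict      = $verdict
    }
}

$report | Select-Object Thumbprint, SelfSigned, Services, DaysToExpiry, MissingNames, Verdict |
    Format-Table -AutoSize

# Exactly one certificate should carry IIS; more or fewer means the binding is wrong.
$iisCount = @($report | Where-Object { $_.BoundToIIS }).Count
if ($iisCount -ne 1) { Write-Warning "Expected 1 certificate bound to IIS, found $iisCount" }

# Flag anything expiring soon or lacking a name Exchange must present.
$report | Where-Object { $_.DaysToExpiry -le $ExpiryWarningDays } | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) expires in $($_.DaysToExpiry) days"
}
$report | Where-Object { $_.MissingNames } | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) is missing: $($_.MissingNames)"
}
```

Run against the output in the question, all three certificates would show as bound, the Equifax-issued one would be marked as the IIS certificate to keep, and both self-signed certificates would fall into the "review before removal" bucket, which matches the advice to wait for the renewed commercial certificate before running Remove-ExchangeCertificate.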