Exchange Self Signed Cert question(s)
Greetings,

We are running Exchange 2007, SP1. I wasn't around for the initial install and administration of this Exchange platform, so some of the details are a bit murky. The Exchange 2007 installation was performed around September of 2007 and the folks who did the design opted for self-signed certificates. Argh. While we may use a trusted 3rd party cert in the future, for now we are sticking with the self-signed certs.

I recently noticed some warnings in the event log (Application) on the Hub Transport server that related to Exchange certificates. While email transport is still working and all users are sending and receiving email with no known problems, the event (12015) states that "An internal transport certificate has expired" and the thumbprint is identified in the Event Log entry.

I used the Get-ExchangeCertificate command combined with the thumbprint of the expired certificate to determine that the certificate has indeed expired. I also determined that IMAP, SMTP, and POP were all associated with this certificate. I then looked at the other certificates in the environment and observed another certificate (again, self-signed) that didn't expire until 2010, and that certificate was also associated with IMAP, SMTP, and POP. I assume at some point that another self-signed certificate was created and those services were associated with the other certificate. Or perhaps the original cert was renewed and a new thumbprint was generated?

I figured it was safe to remove the self-signed cert which had expired, as email was being delivered and also because I found another self-signed cert that had SMTP associated with it and that didn't expire until 2010, so I attempted to remove the expired cert via PowerShell.

When I ran the command to remove the expired certificate (Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx), I was informed that I could not remove the certificate, as doing so would remove the certificate associated with the Transport Services. I don't recall the exact message or warning that I got, but it was something along those lines.

Again, email is flowing, so this isn't a critical matter I suppose. Still, I would like to clean up the certs. If anyone can shed any light on this I would appreciate it. Thanks much.
January 13th, 2009 3:55am

Hi Martin,

Yes, just make sure that all services, like IIS, POP, SMTP & IMAP, are associated with a non-expired certificate by using the Get-ExchangeCertificate | FL command, and then you can remove the expired certificate with the Remove-ExchangeCertificate -ThumbPrint "ThumbPrint" cmdlet.

References:
Understanding the Self-Signed Certificate in Exchange 2007
http://technet.microsoft.com/en-us/library/bb851554.aspx
Exchange Server 2007: Renewing the self-signed certificate
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
January 13th, 2009 7:09am
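The check Amit describes, worked through as an added script for the Exchange Management Shell (this is not code from the thread or from Microsoft): it lists every expired certificate with the services bound to it, refuses to touch one whose services are not also carried by a non-expired certificate, and otherwise removes it. It assumes the Services property renders as comma-separated flag names ("IMAP, POP, SMTP"), as it does in Get-ExchangeCertificate | FL output, and it avoids PowerShell 2.0 syntax (try/catch, -split, -join) because the Exchange 2007 shell runs on PowerShell 1.0. The $DryRun flag is a hypothetical switch added for safety.

```powershell
# Added example: audit Exchange 2007 certificates and remove only those that are
# expired AND whose services are also bound to a non-expired certificate.
# Run in the Exchange Management Shell on the server that logged event 12015.
$DryRun = $true   # hypothetical switch; set to $false to actually remove

$now   = Get-Date
$certs = @(Get-ExchangeCertificate)

# Turn the Services flags ("IMAP, POP, SMTP") into an array of names, dropping "None".
# Assumption: the flags stringify as comma-separated names, as in the FL output.
function Get-ServiceNames($cert) {
    $names = @()
    foreach ($n in "$($cert.Services)".Split(',')) {
        $n = $n.Trim()
        if ($n -and $n -ne 'None') { $names += $n }
    }
    return $names
}

$expired = @($certs | Where-Object { $_.NotAfter -lt $now })
$valid   = @($certs | Where-Object { $_.NotAfter -ge $now })

# Every service that at least one non-expired certificate is enabled for
$coveredServices = @()
foreach ($c in $valid) { $coveredServices += Get-ServiceNames $c }
$coveredServices = @($coveredServices | Sort-Object -Unique)

if ($expired.Count -eq 0) { Write-Host "No expired certificates found." }

foreach ($old in $expired) {
    $oldServices = Get-ServiceNames $old
    Write-Host ("Expired: {0}  Subject={1}  NotAfter={2}  Services={3}" -f `
        $old.Thumbprint, $old.Subject, $old.NotAfter, [string]::Join(',', $oldServices))

    # Services bound to the expired cert that no valid cert covers
    $uncovered = @($oldServices | Where-Object { $coveredServices -notcontains $_ })
    if ($uncovered.Count -gt 0) {
        Write-Warning ("Keeping {0}: services {1} have no non-expired certificate. " +
            "Bind one with Enable-ExchangeCertificate -Services first." -f `
            $old.Thumbprint, [string]::Join(',', $uncovered))
        continue
    }

    if ($DryRun) {
        Write-Host ("Would remove {0}" -f $old.Thumbprint)
    } else {
        # Exchange still refuses if this is the certificate transport actually uses;
        # in that case create a replacement (New-ExchangeCertificate), enable it for
        # SMTP, and re-run.
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    }
}
```

Run it once with $DryRun left at $true and read the output before flipping it. Note that "another certificate also has SMTP enabled" is necessary but not sufficient: Remove-ExchangeCertificate will still refuse while the expired certificate is the one transport is using, which is exactly the refusal described in the question, and the fix for that is to enable a valid certificate for SMTP before retrying.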

Hi,

You can run the cmdlet below to clone the certificate:

Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate

Besides, if you are not very clear about which certificate you use, then we can use the Certificates MMC to check all the self-signed certificates under Trusted Root Certification Authorities, Trusted Publishers, and Third-Party Root Certification Authorities in the Local Computer certificate store.

1) Go to Start > Run > mmc.exe
2) When the MMC console opens, select File > Add/Remove Snap-in, then click on Add.
3) In the list of snap-ins, select Certificates and click on Add.
4) Select Computer account and click on Next, then select Local Computer and click on Finish.
5) Close the Snap-ins list and click OK on the Add/Remove Snap-in window.
6) In the Certificates console, expand the Certificates (Local Computer) tree and verify that the self-signed certificate is listed under Trusted Root Certification Authorities\Certificates, Trusted Publishers and Third-Party Root Certification Authorities.

Regards,
Xiu
January 15th, 2009 9:57am
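The clone-then-replace procedure from Xiu's reply, carried through end to end as an added example (not code from the thread or from Microsoft): clone the expired certificate, bind the same services to the clone, verify the clone, and only then remove the original. The thumbprint value is a hypothetical placeholder to be replaced with the one from event 12015. The final loop does the certificate-store inspection from the MMC steps without opening the console, using the Cert: drive, with "self-signed" taken to mean Subject equals Issuer. As in the previous example, the code sticks to PowerShell 1.0 syntax.

```powershell
# Added example: renew an expired self-signed Exchange 2007 certificate by cloning
# it, re-enabling its services on the clone, then removing the original.
# Run in the Exchange Management Shell.
$oldThumbprint = '0000000000000000000000000000000000000000'   # placeholder, replace

$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint
if (-not $old) { throw "No certificate with thumbprint $oldThumbprint" }

# Clone: New-ExchangeCertificate takes the old certificate on the pipeline and
# issues a new self-signed certificate with the same subject and domain names.
$new = $old | New-ExchangeCertificate
Write-Host ("New self-signed certificate {0}, expires {1}" -f $new.Thumbprint, $new.NotAfter)

# Bind the same services to the clone (skip if the old certificate had none).
$services = "$($old.Services)"
if ($services -and $services -ne 'None') {
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services
}

# Verify before deleting anything: the clone must be valid and now carry the services.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.NotAfter -le (Get-Date)) { throw "Clone is not valid; aborting before removal" }
Write-Host ("Clone services: {0}" -f $check.Services)

# Only now remove the expired original.
Remove-ExchangeCertificate -Thumbprint $oldThumbprint -Confirm:$false

# Cross-check the machine store without the MMC. "My" holds the Exchange
# certificates; "Root" is what this server trusts. Self-signed: Subject -eq Issuer.
foreach ($store in 'My', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object @{n='Store'; e={ $store }}, Thumbprint, Subject, NotAfter
}
```

Two practical caveats. First, the clone has a new thumbprint, so anything that was configured to trust the old certificate by thumbprint (other Exchange servers, EdgeSync, any client that had imported it) will need the new one. Second, a cloned self-signed certificate is still self-signed: clients keep getting the same untrusted-certificate warnings they had before, which is the reason the thread's original poster is considering a third-party certificate.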
