SSL Cert expired
Hello and thanks in advance for any help! I am getting the following error in BPA:

The SSL certificate for 'https://domain.com' expired 10/03/2008 18:42:32. Users may be unable to connect with the server.

A couple of things:
- Everything is working fine
- We are using a 3rd party SSL cert that doesn't expire till 2010
- Our 3rd party SSL cert is for mail.domain.com, not domain.com as the error states above

I suspect this error might be indicating that the default self-signed certificate has expired. However, I am not sure how to further verify that and, if it is the case, what to do about it. ??

Thanks
Taorio
October 6th, 2008 7:25pm

You can check your certificates in Certificates Management Console. From Run, start mmc. Add Certificates snap-in for Computer Account. Locate expired SelfSSL and if one exists for domain.com remove it.
October 6th, 2008 7:50pm

Hi Taorio,

You can run the command below on the Edge/Hub transport server to get the list of all Exchange certificates.

Get-ExchangeCertificate | FL

Look for the certificate which has the value IsSelfSigned = true (it is your self-signed certificate) and verify that it is not attached to any of the Exchange services. Look for the second certificate which has the value IsSelfSigned = false (it is your third party certificate) and verify that it is attached to the Exchange services.
October 6th, 2008 7:56pm

Now I am more confused. I found the cert in question under the Cert mmc: Certificate - Intermediate Certificate Authorities - Certificate Revocation list

When I use the get-exchangecertificate command I get 4 certs.
- 3rd party cert. Expire 2010. Services: POP, IIS, SMTP. Status: Unknown
- SelfSigned cert. Expire 5/1/2008. Services: IMAP, SMTP. Status: Invalid
- SelfSigned cert. Expire 4/25/2012. Services: IMAP, SMTP. Status: Valid
- SelfSigned cert. Expire 4/24/2008. Services: IMAP, SMTP. Status: Invalid

So the one in question that expired (10/3/2008) is not even listed when running the exchange command, yet BPA is picking it up.
October 6th, 2008 8:11pm

Intermediate is not the right store for a server certificate. It is for certificate authorities. You should be able to locate one under Personal Certificates (make sure you are in Computer Account). It is interesting to see that one is not listed when the command is run.
October 6th, 2008 9:30pm

Under Personal Certificates are the same four that are listed under the get command. The one that BPA is picking up as expired is under the Intermediate Cert Authorities.
October 6th, 2008 9:43pm

Can you remove the expired certificate? Was it created using SelfSSL? Is it needed?
October 6th, 2008 10:14pm

I probably could - However, I am concerned that perhaps it is needed for something. Not sure what to do with it.
October 6th, 2008 11:05pm

You can choose to ignore the ExBPA error until you decide if the SSL cert is needed or not. Once you know it is not needed, you can remove it. One way to check is to look at all IIS sites and virtual directories on that server and make sure none of them are using this certificate (or a certificate issued by this intermediate authority).
October 6th, 2008 11:19pm

After some more digging, I found that the certificate is on our DC which is also our GC and holds all the fsmo roles. Is it possible that a cert is used in communication between our exchange server and the DC?
October 7th, 2008 4:50pm

It is possible that you use secure LDAP using a specified SSL certificate. Only you can verify if that is the case in your environment.
October 7th, 2008 7:13pm

TaoRio wrote:
After some more digging, I found that the certificate is on our DC which is also our GC and holds all the fsmo roles. Is it possible that a cert is used in communication between our exchange server and the DC?

To verify which certificates are applied with Exchange, the command get-exchangecertificate | fl is the best practice. If the certificate that EXBPA prompted is not listed in the outcome by running the above command, this indicates the certificate is not used for Exchange but is just one additional certificate that is placed in the DC. Thus, you can ignore it.

Thanks
Allen
October 8th, 2008 6:56am
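
The check discussed across the replies above, as an added example that is not part of the original thread: it lists the certificates in the computer account's Personal and Intermediate Certification Authorities stores and marks which expired ones are still referenced by Exchange or by an HTTP.sys listener. It assumes the Exchange Management Shell on PowerShell 2.0 or later and Windows Server 2008 or later (for `netsh http show sslcert`); it only reports and removes nothing.

```powershell
# Added example, not from the thread. Run in an elevated Exchange
# Management Shell on the server that ExBPA flagged.

$now = Get-Date

# Thumbprint -> services, as reported by Exchange itself.
$exchange = @{}
Get-ExchangeCertificate | ForEach-Object {
    $exchange[$_.Thumbprint] = $_.Services
}

# Thumbprints bound to HTTP.sys listeners (IIS sites and other HTTPS
# endpoints). Assumption: "netsh http show sslcert" is available.
$httpSys = @(netsh http show sslcert |
    Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() })

# Walk the two stores named in the thread: Personal (My) and
# Intermediate Certification Authorities (CA), computer account.
# The Cert: drive lists certificates only; CRLs held in the same
# store can be viewed with: certutil -store CA
$report = foreach ($store in 'My', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Select-Object @{ n = 'Store';            e = { $store } },
                      Subject, Issuer, NotAfter, Thumbprint,
                      @{ n = 'Expired';          e = { $_.NotAfter -lt $now } },
                      @{ n = 'SelfSigned';       e = { $_.Subject -eq $_.Issuer } },
                      @{ n = 'ExchangeServices'; e = { $exchange[$_.Thumbprint] } },
                      @{ n = 'HttpSysBound';     e = { $httpSys -contains $_.Thumbprint } }
}

# Expired entries with no Exchange services and no HTTP.sys binding are
# the ones nothing on this server is presenting to clients. Expired
# entries that are still bound need a replacement before removal.
$report |
    Where-Object { $_.Expired } |
    Sort-Object Store, NotAfter |
    Format-Table Store, NotAfter, SelfSigned, ExchangeServices,
                 HttpSysBound, Subject -AutoSize
```

This covers only the server it runs on; a certificate a domain controller uses for secure LDAP has to be checked on the DC.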

This topic is archived. No further replies will be accepted.
