Exchange 2007 certificate renewal issues: thought it was done, but now have invalid errors
I had recently renewed our GoDaddy certificate for E2007, but in the last few days I started receiving errors in the event log. I've just tried to rectify things, but no success. Can anyone look at my steps/results and see if I missed something?

The first thing I did the first time was this: created a new request via the shell:

    New-ExchangeCertificate -generaterequest -subjectname "c=United States, l=City, s=ST, o=DOMAIN,cn=wan1.DOMAIN.com" -domainname DOMAIN.local,exchange02.DOMAIN.local,wan1.DOMAIN.com,autodiscover.DOMAIN.com -PrivateKeyExportable $true -path D:\Data\Scripts\certrequest.txt

Received the crt from GoDaddy, stored it locally. I then ran:

    import-exchangecertificate -path "Y:\Data\Backups\SSL Certificates\wan1\wan1.crt" | enable-exchangecertificate -services IIS

**Here is where I think I was missing one important and obvious thing: IIS, SMTP. I think it should have had both services listed.** So I thought I could just rerun the import command and add SMTP after IIS, but it gave me an error: "Cannot import as there is already a certificate with a thumbprint of 4Bxxxxx98". I'm not sure what to do from here; I'm thinking I have to issue another cert request, then reimport for both IIS, SMTP at the same time (are these the only services I need to do this on? We don't use UM, so I'm guessing it is; we also don't use POP3).

If I print out the current state of certificates, here is what I see. **The one listing appears to have a goofed entry of CertificateDomains : {wan1.domain.com, www.wan1.domain.com} (I don't think this affects things though, although I'm not sure why it wasn't updated with the above command).**

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {wan1.domain.com, www.wan1.pstnet.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : SERIALNUMBER=02369287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 11/22/2008 10:55:22 AM
    NotBefore          : 11/20/2007 10:19:13 AM
    PublicKeySize      : 2048
    SerialNumber       : 41C1G4
    Status             : Valid
    Subject            : CN=wan1.domain.com, OU=Domain Control Validated, O=wan1.domain.com
    Thumbprint         : 4B477E861E9FE090B8F9BCE23B3EEC19D466CE98

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {exchange02, exchange02.domain.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=exchange02
    NotAfter           : 9/24/2008 2:47:18 PM
    NotBefore          : 9/24/2007 2:47:18 PM
    PublicKeySize      : 2048
    SerialNumber       : 28A3383569194CBE4E24EA086138AA9F
    Status             : Valid
    Subject            : CN=exchange02
    Thumbprint         : 5GEF0CF608A987C15684138C516F70D8E35E36A7

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {exchange02.domain.local}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=backup01, DC=pst, DC=local
    NotAfter           : 11/3/2008 8:49:26 AM
    NotBefore          : 11/4/2007 8:49:26 AM
    PublicKeySize      : 1024
    SerialNumber       : 1D133224000000000016
    Status             : Unknown
    Subject            : CN=exchange02.pst.local
    Thumbprint         : E15E7E9C8FAFD936F92335986C8C869A53CF357

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {wan1.domain.com, www.wan1.domain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : E=practices@starfieldtech.com, CN=Starfield Secure Certification Authority, OU=http://www.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 11/22/2007 10:55:22 AM
    NotBefore          : 11/22/2006 10:55:22 AM
    PublicKeySize      : 1024
    SerialNumber       : 4EE432
    Status             : DateInvalid
    Subject            : CN=wan1.domain.com, OU=Domain Control Validated, O=wan1.domain.com
    Thumbprint         : 9E3205CFEEF48F7FE81BBD64A79FCFCC3EA86D51

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {DOMAIN.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=DOMAIN.com, O=DOMAIN, S=ST, L=City, C=United States
    NotAfter           : 11/19/2008 4:14:04 PM
    NotBefore          : 11/20/2007 10:14:04 AM
    PublicKeySize      : 2048
    SerialNumber       : 9DCE287B2AF0659C42154808623817E1
    Status             : Invalid
    Subject            : CN=pstnet.com, O=PST, S=PA, L=Pittsburgh, C=United States
    Thumbprint         : 1CFC3E983AF78CC707D4495FC113A235D53AC2BD
December 13th, 2007 6:24pm

I'm getting this error in the event log, which is what has brought this whole question about: There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of wan1.domain.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of wan1.domain.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
December 13th, 2007 7:17pm

I'm also getting this error: Inbound direct trust certificate with thumbprint E15A5E7E9C8FAFD936F92335986C8C869A53CF357 has expired. Run New-ExchangeCertificate to generate a new direct trust certificate. I believe this is because my ENT CA has changed to a different server (this CA, backup01, used to be a subordinate of a now dead server; I'm not sure how to fix this part).
December 13th, 2007 7:24pm
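The two problems raised in this thread (a CA-issued certificate that was bound only to IIS, so SMTP TLS kept using the expired one, and a self-signed direct-trust certificate that has lapsed) can both be checked from one audit. The script below is an added example for the Exchange 2007 Management Shell; it is not code from the thread or from Microsoft. It lists every certificate in the Exchange store with its expiry state, warns about lapsed self-signed certificates, and then binds the newest valid CA-issued certificate for the external FQDN to both IIS and SMTP by thumbprint. Enable-ExchangeCertificate accepts the thumbprint of a certificate that is already in the store, so the services are changed without a second import (re-importing the same file is what produces the "already a certificate with a thumbprint of ..." error). Assumptions: the FQDN is a placeholder to replace, PowerShell 2.0 or later is available, and Get-ExchangeCertificate exposes a Services property on this build (it is not shown in the listing above).

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
# Audits the Exchange certificate store, flags lapsed certificates, then enables the
# newest valid CA-issued certificate for $Fqdn for both IIS and SMTP by thumbprint.

$Fqdn     = "wan1.DOMAIN.com"   # placeholder: external name used for SMTP TLS and OWA/Autodiscover
$WarnDays = 30                   # report certificates that expire within this many days
$now      = Get-Date

$all = Get-ExchangeCertificate

# 1. Audit: one record per certificate, with an expiry state computed from NotAfter.
$report = foreach ($c in $all) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $state = if ($c.NotAfter -lt $now)        { "EXPIRED"  }
             elseif ($daysLeft -le $WarnDays) { "EXPIRING" }
             else                             { "OK"       }
    New-Object PSObject -Property @{
        Thumbprint = $c.Thumbprint
        State      = $state
        DaysLeft   = $daysLeft
        SelfSigned = $c.IsSelfSigned
        Services   = $c.Services            # assumption: Services property present on this build
        Domains    = ($c.CertificateDomains -join ", ")
    }
}
$report | Sort-Object DaysLeft | Format-Table State, DaysLeft, SelfSigned, Services, Thumbprint, Domains -AutoSize

# 2. Lapsed self-signed certificates are the ones the "Inbound direct trust certificate ...
#    has expired" event refers to; New-ExchangeCertificate with no parameters creates a
#    fresh self-signed certificate for this server. Only report here; do not change anything.
$lapsedSelfSigned = @($report | Where-Object { $_.SelfSigned -and $_.State -ne "OK" })
if ($lapsedSelfSigned.Count -gt 0) {
    $list = ($lapsedSelfSigned | ForEach-Object { $_.Thumbprint }) -join ", "
    Write-Warning "Self-signed certificate(s) expired or expiring: $list"
    Write-Warning "Regenerate the direct-trust certificate with: New-ExchangeCertificate"
}

# 3. Choose the CA-issued, unexpired certificate for $Fqdn that has a private key and the
#    latest expiry. The CertificateDomains check is case-insensitive (-contains uses -eq).
$best = $all |
    Where-Object { ($_.CertificateDomains -contains $Fqdn) -and (-not $_.IsSelfSigned) -and
                   $_.HasPrivateKey -and ($_.NotAfter -gt $now) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $best) {
    Write-Warning "No valid CA-issued certificate for $Fqdn in the store; request one with New-ExchangeCertificate -GenerateRequest."
    return
}

# 4. Bind the chosen certificate to both services. No re-import is needed: the certificate
#    is already in the store and is addressed by its thumbprint.
Enable-ExchangeCertificate -Thumbprint $best.Thumbprint -Services "IIS, SMTP"

# 5. Verify that the binding took effect before trusting the event log to go quiet.
Get-ExchangeCertificate -Thumbprint $best.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, Status
```

Step 4 deliberately binds only IIS and SMTP because the thread states that UM and POP3 are not in use; add IMAP, POP or UM to the -Services value if a deployment relies on them. Step 2 only reports the lapsed self-signed certificate rather than regenerating it, so the audit can be run safely before any change is made.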
