Outlook 2007 using wrong (Expired) certificate when connecting to Exchange 2007 after creating a new certificate.
Hi all,

A self-signed certificate expired on our Exchange 2007 CAS server. Outlook 2007 clients started getting a pop-up that the certificate has expired, and in the Exchange server's Event Viewer I noticed this error:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12016
Date: 8/22/2008
Time: 6:25:24 AM
User: N/A
Computer: XXXXXXXXXXXX
Description: There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of XXXX.XXXXXX.org. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of hhuexch.hhunited.org should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

I went through the following process to fix this.

1. Created a new certificate using new-ExchangeCertificate -generaterequest -domainname <FQDN> -path c:\certreq.txt
2. Open CA URL, click Request a certificate, then Advanced certificate request, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
3. Copy the contents of the certreq.txt file in the field under Saved Request.
4. Select Web Server under Certificate Template.
5. Click Submit.
6. Click Download certificate and save the CER file to the C: drive.
8. Import the new certificate: import-Exchangecertificate -path c:\certnew.cer | enable-exchangecertificate -services SMTP
9. Deleted the old expired cert from the Local Computer store.
10. I also did an enable-exchangecertificate -thumbprint XXXXXXXXXX -services SMTP
11. Started the Transport Service, and the problem seemed to have gone away from the server's point of view and all is well.

But Outlook clients, only Outlook 2007, seem to get a pop-up error when you open Outlook, where it still appears to be looking for the old certificate that I deleted out of the Exchange server's Local Computer certificate store. (Outlook 2003 clients do not seem to get the error.)

Why is Outlook still looking for the wrong certificate, or rather not looking at the newly created one?

Marcel
July 12th, 2012 8:03am

What cert have you assigned for IIS? Have you assigned the new cert, which I assume is from your internal CA? Performed an IIS reset /noforce after that?
Sukh
July 12th, 2012 9:47am

I see that cert in IIS as well, tried the IIS reset but that did not help. I did not assign a specific cert to IIS.
July 13th, 2012 3:12am

Run Get-ExchangeCertificate | fl and see if the new cert is assigned to IIS. I assume you have all the names you want in there. OLK doesn't rely on the SMTP assigned cert, that's for Exch.
Sukh
July 13th, 2012 3:14am

Yoohoo! Problem solved ... All I did was an enable-exchangecertificate -thumbprint XXXXXXXXXX -services IIS and now it works ...
July 13th, 2012 3:27am

Now you know that OLK relies on the IIS cert and not the SMTP cert.
Sukh
July 13th, 2012 3:36am

Indeed. Thanks for your guidance :)
July 13th, 2012 3:37am
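
The check that resolved this thread (which certificate is enabled for IIS as opposed to SMTP) can be scripted. The following is an added example, not code from any poster in the thread. The function name Test-ServiceCertificate, its parameters and the sample objects are hypothetical; it assumes PowerShell 2.0 or later and relies only on the Thumbprint, Services and NotAfter properties that Get-ExchangeCertificate returns.

```powershell
# Added example (not from the thread): per-service certificate check.
# On an Exchange server, feed it real data with:
#   Test-ServiceCertificate -Certificate (Get-ExchangeCertificate)
function Test-ServiceCertificate {
    param(
        [object[]] $Certificate,
        [string[]] $RequiredService = @('IIS', 'SMTP'),
        [int] $WarnDays = 30
    )
    $now = Get-Date
    foreach ($svc in $RequiredService) {
        # Services prints as a flags list such as "IIS, SMTP"; split into names.
        $bound = @($Certificate | Where-Object {
            ($_.Services.ToString() -split '\s*,\s*') -contains $svc
        })
        if ($bound.Count -eq 0) {
            # No certificate is enabled for this service at all.
            New-Object PSObject -Property @{
                Service = $svc; State = 'NoCertificate'; Thumbprint = ''; NotAfter = $null
            }
            continue
        }
        foreach ($c in $bound) {
            if     ($c.NotAfter -lt $now)                    { $state = 'Expired' }
            elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }
            else                                             { $state = 'OK' }
            New-Object PSObject -Property @{
                Service = $svc; State = $state; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter
            }
        }
    }
}

# Constructed sample data: the renewed certificate is enabled for SMTP only,
# while the expired certificate is still the one enabled for IIS.
$sample = @(
    New-Object PSObject -Property @{ Thumbprint = 'OLD-CERT-PLACEHOLDER'; Services = 'IIS';  NotAfter = (Get-Date).AddDays(-1) }
    New-Object PSObject -Property @{ Thumbprint = 'NEW-CERT-PLACEHOLDER'; Services = 'SMTP'; NotAfter = (Get-Date).AddYears(1) }
)

Test-ServiceCertificate -Certificate $sample |
    Select-Object Service, State, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

Any row whose State is Expired or NoCertificate for IIS points to the same fix used above: enable the renewed certificate for that service with Enable-ExchangeCertificate.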
