If you’ve been managing Exchange servers for any length of time, you’ve probably experienced the nightmare of an SSL certificate expiring unexpectedly. When certificates expire, you’re looking at OWA outages, mail client connection errors, SMTP/IMAP service failures, and a whole lot of unhappy users. Today, we’ll explore comprehensive methods to check certificate expiration dates and status to prevent these headaches before they happen.
1. PowerShell (Exchange Management Shell) Methods
The most powerful and accurate way to manage Exchange certificates is through PowerShell. This gives you the most detailed information and control.
Basic Certificate Listing
Get-ExchangeCertificate
This command displays basic information about all installed certificates.
Detailed Certificate Information
Get-ExchangeCertificate | Format-List FriendlyName,Subject,Thumbprint,NotAfter,NotBefore,Services,IsSelfSigned
Check Expiration Dates and Service Assignments
Get-ExchangeCertificate | Select-Object Thumbprint,Services,NotAfter,Subject,CertificateDomains | Format-Table -AutoSize
Third-Party Certificates Only
Get-ExchangeCertificate | Where-Object {$_.IsSelfSigned -eq $false} | Format-List FriendlyName,CertificateDomains,Thumbprint,NotAfter
Certificates by Service Assignment
Get-ExchangeCertificate | Where-Object {$_.Services -match "SMTP"} | Format-List Thumbprint,Services,NotAfter,Subject
Services
Service |
Description |
|---|---|
| IIS | Web-based services (OWA, EAC, EWS) |
| SMTP | Mail transport service |
| IMAP | IMAP4 service |
| POP | POP3 service |
| UM | Unified Messaging |
2. Exchange Admin Center (EAC) Method
The EAC provides a visual interface for certificate management, making it easier to quickly assess certificate health.
Navigation Steps
- Log into Exchange Admin Center
- Navigate to Servers > Certificates
- Select the Exchange server from the dropdown
Available Information
- Certificate status (Valid, Invalid, Expired)
- Expiration dates
- Assigned services
- Subject name and issuer details
Note: EAC certificate management is available in Exchange Server 2019 CU15 and later. Earlier versions require PowerShell management.
3. MMC Certificates Snap-in
Windows’ built-in certificate management tool provides another avenue for certificate inspection.
Access Method
- Start → Run → type
mmc - File → Add/Remove Snap-in
- Select Certificates → Add
- Choose Computer account → Next
- Select Local computer → Finish
Key Locations
- Personal > Certificates: Installed certificates
- Trusted Root Certification Authorities: Root CA certificates
OAuth Certificate Check
(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List Subject,Thumbprint,NotAfter,NotBefore
4. IIS Manager Certificate Inspection
For web service certificates, IIS Manager provides direct visibility into certificate bindings and status.
Inspection Process
- Open IIS Manager
- Select server node
- Double-click Server Certificates
- Review certificate list for expiration dates
Site Binding Verification
- Sites → Default Web Site
- Click Bindings in Actions panel
- Check SSL certificates for HTTPS bindings
5. Browser-Based Real-Time Verification
The most straightforward way to verify certificate functionality in production.
Verification Steps
- Browse to
https://mail.yourdomain.com/owa - Click the padlock icon in the address bar
- Review certificate information
Online Certificate Checkers
These tools are particularly valuable for external-facing certificates and provide comprehensive security analysis.
6. Automated Monitoring Scripts
For proactive management, PowerShell automation is essential.
Certificate Expiration Alert Script
# Check for certificates expiring within 30 days
$ExpiryThreshold = (Get-Date).AddDays(30)
$ExpiringSoon = Get-ExchangeCertificate | Where-Object {$_.NotAfter -le $ExpiryThreshold -and $_.IsSelfSigned -eq $false}
if ($ExpiringSoon) {
Write-Host "Certificates expiring soon detected!" -ForegroundColor Red
$ExpiringSoon | Format-Table Subject,NotAfter,Services -AutoSize
} else {
Write-Host "All certificates are in good standing." -ForegroundColor Green
}
7. Certificate Type-Specific Monitoring
Microsoft Exchange Self-Signed Certificates
- Default 5-year validity period
- Auto-generated during Exchange installation
- Primarily used for internal SMTP communications
Third-Party CA Certificates
- Publicly trusted certificates
- Required for external services (OWA, EWS)
- Typical renewal cycles: 1-3 years
Exchange OAuth Certificates
- Server-to-server authentication
- Critical in hybrid environments
- Expiration causes OWA/EAC access issues
8. Troubleshooting Common Issues
Certificates Not Appearing in Lists
# Check Exchange Auth certificate status
C:\Scripts\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true
Empty Results from Get-ExchangeCertificate
This typically indicates OAuth certificate issues. Download and run the MonitorExchangeAuthCertificate.ps1 script from Microsoft to resolve.
Certificate Binding Verification
Ensure proper bindings between IIS sites:
- Exchange Backend: Microsoft Exchange certificate
- Default Web Site: Third-party CA certificate
9. Monitoring Schedule Recommendations
| Check Item | Frequency | Owner |
|---|---|---|
| Overall certificate health | Weekly | System Administrator |
| Expiration alerts | Daily | Automated script |
| External access testing | Weekly | Operations team |
| Renewal process review | Quarterly | IT management |
10. Best Practices for Certificate Management
Renewal Timeline
Start renewal processes at least 30 days before expiration. This provides adequate time for:
- Certificate authority processing
- Internal approval workflows
- Testing and validation
- Rollback planning if needed
Hybrid Environment Considerations
OAuth certificate management requires special attention in hybrid deployments. Certificate rotation must be coordinated between on-premises and cloud services.
Monitoring Integration
Consider integrating certificate monitoring into existing network management systems. Tools like Nagios, PRTG, or custom monitoring solutions can provide proactive alerting.
Proactive Exchange certificate management is crucial for maintaining email service availability and security. Regular monitoring, combined with automated alerting, prevents service disruptions and maintains user confidence in email systems. The PowerShell-based approaches provide the most comprehensive control and are essential for enterprise environments. However, combining multiple verification methods ensures nothing falls through the cracks.
Remember that certificate management isn’t just about expiration dates—it’s about maintaining the entire certificate lifecycle, from initial deployment through renewal and eventual replacement.