Prior to Exchange Server 2013, the Exchange application did not automatically notify administrators of an upcoming certificate expiration. One of the issues we administrators run into is expiring certificates. If a certificate in the Exchange environment expires, trusted client access is typically interrupted.
The good news is that during an Exchange Risk Assessment Program (EXRaaS), for our Premier customers, we ask the question: what is your company's process for being notified of impending certificate expirations? Most third-party certificate providers do send a notification, usually via e-mail, to customers to renew their certificates. And why wouldn't they want you to know, since they will once again get your money for a renewed certificate?
Members in important groups
Back around August of 2013, I was performing an EXRaaS for a customer and wanted to confirm their process to get notified. They said yes, they have not only an SMTP address with their 3rd party certificate vendor, but that they have created a Distribution Group to send to multiple people to get the alert. "Very good," I said. However, they pointed out that recently there was NO ONE IN THE GROUP!
I asked, "What?" They said the engineers that were in the group had eventually left the company. Now I could understand this at some level, since when you delete an AD object, do you actually ever confirm if the groups the user is a member of are important to your organization? You don't either. Well guess what, you should!
So the moral of the story: use an SMTP address assigned to a group for your certificate renewal notifications, AND take steps to ensure that at least someone is in that group and available within 30 days (the typical default time) of every calendar date throughout the year.
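
One way to check both halves of that advice on a schedule, as an added example that is not part of the original post: it expands the notification group (including nested groups) and warns if nobody is behind it, then lists certificates on the local Exchange server that expire within the notice window. The group address is a placeholder, and the script assumes it runs in the Exchange Management Shell.

```powershell
# Added example. Run in the Exchange Management Shell, e.g. as a scheduled task.
$GroupIdentity = 'cert-renewal-alerts@example.com'   # placeholder, use your own group
$WarnDays      = 30                                   # notice window mentioned in the post

function Get-EffectiveMember {
    # Expand nested distribution groups so that a group containing only
    # another (possibly empty) group is not counted as populated.
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        [hashtable] $Seen = @{}
    )
    foreach ($m in Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited) {
        $dn = [string]$m.DistinguishedName
        if ($Seen.ContainsKey($dn)) { continue }      # guard against circular nesting
        $Seen[$dn] = $true
        if ("$($m.RecipientType)" -like 'Mail*Group') {
            Get-EffectiveMember -Identity $dn -Seen $Seen
        } else {
            $m                                        # mailbox, mail user or contact
        }
    }
}

# 1. Is anyone actually behind the notification address?
$members = @(Get-EffectiveMember -Identity $GroupIdentity)
if ($members.Count -eq 0) {
    Write-Warning "No recipients behind $GroupIdentity; renewal notices reach nobody."
} else {
    $members | Select-Object Name, RecipientType, PrimarySmtpAddress
}

# 2. Which certificates on this server expire inside the notice window?
#    (No -Server given, so this covers the local Exchange server only.)
$cutoff   = (Get-Date).AddDays($WarnDays)
$expiring = @(Get-ExchangeCertificate | Where-Object { $_.NotAfter -le $cutoff })
foreach ($c in $expiring) {
    Write-Warning ("Certificate {0} ({1}) expires {2:yyyy-MM-dd}; services: {3}" -f `
        $c.Thumbprint, $c.Subject, $c.NotAfter, $c.Services)
}
```

A non-empty member list only shows that recipients exist; it does not confirm that any of them is available to act on the notice.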