If a certificate has expired (it shows as expired in the event logs), you need its thumbprint. You can find this in Outlook Web Access -> right-click -> Properties -> Certificates -> Thumbprint.
Open the Exchange CLI:
Get-ExchangeCertificate
- lets you see a list of all the current certificates and their thumbprints.
If the certificate isn't expired, try this:
Get-ExchangeCertificate -Thumbprint XXXXXxxxxxxxxxxxxxxXXXXX | Enable-ExchangeCertificate
If the certificate HAS expired (as it says it has in the event
description: "The existing certificate for that FQDN has expired"),
and the certificate is "self signed" then you should be able to renew
the cert like this:
Get-ExchangeCertificate -Thumbprint XXXXxxxxxxxxxxxxxxxxxxXXXXX | New-ExchangeCertificate
Remove services from a cert:
Enable-ExchangeCertificate -Services None -Thumbprint <thumbprint>
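
A triage helper for the expired / self-signed decision described above, as an added example that is not part of the original notes. Get-CertAction is a hypothetical function name, the sample certificates are constructed, and the script assumes PowerShell 3.0 or later and the Thumbprint, NotAfter, IsSelfSigned and Services properties that Get-ExchangeCertificate returns.

```powershell
# Added example: map each certificate to the step these notes describe for it.
# Get-CertAction is a hypothetical helper, not an Exchange cmdlet.
function Get-CertAction {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Certificate,
        [datetime] $Now = (Get-Date),
        [int] $WarnDays = 30
    )
    process {
        $expired = $Certificate.NotAfter -lt $Now
        $action = if ($expired -and $Certificate.IsSelfSigned) {
            # Expired and self-signed: the renewal pipeline applies.
            'Renew: Get-ExchangeCertificate -Thumbprint <thumbprint> | New-ExchangeCertificate'
        } elseif ($expired) {
            # Expired but not self-signed: renewal as shown in the notes does not apply.
            'Expired, not self-signed: renewal pipeline in these notes does not apply'
        } elseif ($Certificate.NotAfter -lt $Now.AddDays($WarnDays)) {
            'Valid, expires within warning window: plan renewal'
        } else {
            'Valid: Get-ExchangeCertificate -Thumbprint <thumbprint> | Enable-ExchangeCertificate'
        }
        [pscustomobject]@{
            Thumbprint   = $Certificate.Thumbprint
            NotAfter     = $Certificate.NotAfter
            IsSelfSigned = $Certificate.IsSelfSigned
            Services     = $Certificate.Services
            Action       = $action
        }
    }
}

# Constructed sample objects so the logic can be checked without an Exchange server.
$sample = @(
    [pscustomobject]@{ Thumbprint = 'SAMPLE-0001'; NotAfter = [datetime]'2023-01-15'; IsSelfSigned = $true;  Services = 'SMTP' }
    [pscustomobject]@{ Thumbprint = 'SAMPLE-0002'; NotAfter = [datetime]'2023-03-01'; IsSelfSigned = $false; Services = 'IIS' }
    [pscustomobject]@{ Thumbprint = 'SAMPLE-0003'; NotAfter = [datetime]'2024-06-20'; IsSelfSigned = $true;  Services = 'None' }
    [pscustomobject]@{ Thumbprint = 'SAMPLE-0004'; NotAfter = [datetime]'2026-01-01'; IsSelfSigned = $false; Services = 'IIS, SMTP' }
)

# Fixed reference date so the constructed sample gives the same result on every run.
$sample | Get-CertAction -Now ([datetime]'2024-06-01') | Format-List

# In the Exchange shell, feed real certificates instead:
# Get-ExchangeCertificate | Get-CertAction
```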