If a certificate has expired (shows expired in the event logs) then you need the thumbprint. You can find this in Outlook Web Access -> right-click -> Properties -> Certificates -> Thumbprint.
Open the Exchange CLI:
get-exchangecertificate
-lets you see a list of all the current certificates and their thumbprints.
If the certificate isn't expired, try this:
get-exchangecertificate -thumbprint XXXXXxxxxxxxxxxxxxxXXXXX | enable-exchangecertificate -services "IIS,SMTP"
If the certificate HAS expired (as it says it has in the event
description: "The existing certificate for that FQDN has expired"),
and the certificate is "self signed" then you should be able to renew
the cert like this:
get-exchangecertificate -thumbprint XXXXxxxxxxxxxxxxxxxxxxXXXXX | new-exchangecertificate -services "IIS,SMTP,IMAP,POP"
Service letters shown in the get-exchangecertificate list:
I = IMAP
P = POP3
S = SMTP
W = IIS
Remove services from a cert:
Enable-ExchangeCertificate -Services None -Thumbprint
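
The decision above (enable if still valid, renew if expired and self-signed) can be checked for every certificate at once. The script below is an added example, not part of the original notes; it is read-only and only prints the command to run next. The 30-day warning window is an assumption, and it assumes PowerShell 2.0 or later in the Exchange Management Shell.

```powershell
# Added example: triage Exchange certificates by expiry and self-signed status.
# Read-only: nothing is enabled or renewed, the next command is only printed.
$WarnDays       = 30                   # assumed warning window, not from the notes
$EnableServices = 'IIS,SMTP'           # service list used for enabling above
$RenewServices  = 'IIS,SMTP,IMAP,POP'  # service list used for renewal above
$now = Get-Date

Get-ExchangeCertificate | ForEach-Object {
    $tp       = $_.Thumbprint
    $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)

    if ($daysLeft -lt 0 -and $_.IsSelfSigned) {
        # Expired and self-signed: clone it into a new self-signed certificate.
        $state = 'Expired (self-signed)'
        $next  = 'Get-ExchangeCertificate -Thumbprint {0} | New-ExchangeCertificate -Services "{1}"' -f $tp, $RenewServices
    }
    elseif ($daysLeft -lt 0) {
        # Expired but issued by a CA: cloning would not give a CA-signed cert.
        $state = 'Expired (CA-issued)'
        $next  = 'Needs a new certificate from the issuing CA'
    }
    elseif ($_.Services -eq 'None') {
        # Still valid but bound to no service: enable it.
        $state = 'Valid, no services'
        $next  = 'Get-ExchangeCertificate -Thumbprint {0} | Enable-ExchangeCertificate -Services "{1}"' -f $tp, $EnableServices
    }
    else {
        $state = 'Valid'
        $next  = 'Nothing to do'
    }

    # Flag certificates that are still valid but inside the warning window.
    if ($daysLeft -ge 0 -and $daysLeft -le $WarnDays) { $state += ', expiring soon' }

    New-Object PSObject -Property @{
        Thumbprint = $tp
        Subject    = $_.Subject
        Services   = $_.Services
        NotAfter   = $_.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
        NextStep   = $next
    }
} | Select-Object Thumbprint, Subject, Services, NotAfter, DaysLeft, State, NextStep |
    Format-List
```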