In a Windows Domain you have a Certificate Authority (PKI) that is handeling your domain certificates.
Ideally your monitoring system warns you BEFORE these certificates become invalid…

This article is supposed to describe, how these certificates can be renewed and what to do if that does not work.

Main Article

MMC -> Sanp-In “Certificates” add -> select computeraccount -> local computer

This output can be sorted by expiry date.

If the certificate that is is expiring has been bought by a vendor like GoDaddy or DomainFactory you have to go get a new one there and add it to the server afterwards.
Please make sure to bind the new certificate to the services where it is beeing used like Exchange or IIS afterwards.

If it is a domain certificate and the PKI is configured properly you should be able to rightclick it and renew it with a new key.

Follw the wizzard and afterwards check if the services using it work properly.
If this does not work start the IIS and create a new domain certificate:

IIS -> highlight the server -> open servercertificates

“Create domain certificate…”

Important on the first page of the wizzard is “common name”.
Here you provide the name “Servername.Domäne.local”

If your comain is called cortoso.lan and the hostname of the server is DC01, you have to enter the name “DC01.cortoso.lan”.
This is often done incorrectly and results in certificate errors.

Afterwards add the new certificate to the site-bindings of the IIS and restart the IIS service.

After the renewal of the certificate we have to remove the old one from the certificate storage or the monitoring will still trigger.

MMC > Certificate Authority > Certificates Issued

When looking and what certificate blueprint has been used and by whoom it has been requested you can guess what it is used for.
Delete it if you do not need it anymore, extend it if it is still needed.