Firstly, you cannot see that the CMG certificate is expiring in the ConfigMgr console. I've asked the Product Group to add this as a Management Insight or at least to expose the expiration date in the console.
Usually the only way you will be reminded about the expiring certificate will be an email from your certificate vendor (DigiCert in my case).
DigiCert remind you when the certificate is expiring in 90 days. There is no penalty for renewing early. When you renew early, DigiCert adds the remaining time from your current certificate to your new certificate (up to 3 months). You don't have to wait until the day before your certificate expires just to get your money's worth.
I have received the email and can now see the "Renew now" option in the DigiCert portal.
Should I renew the cert or generate a new one?
Technically, when you renew a certificate, you are purchasing a new certificate for the domain and company. Industry standards require Certificate Authorities to hard code the expiration date into the certificates. When a certificate expires, it is no longer valid and there is no way to extend its life. So, when you "renew" your certificate, DigiCert must issue a new one to replace the expiring one. So it's not really a renewed certificate.
What does renewing mean then?
To make renewing a certificate easier, DigiCert (and other vendors) automatically includes the information from the expiring certificate in the renewal wizard. However, because you're ordering a new certificate, you can update any of the information during the order process, if needed. Note that if you change any of your organization’s information (location, etc.) you may need to provide new validation documentation to verify the changes.
I decided to go for a new certificate.
I generated a new CSR using the vendor tool with the same details as the previous certificate.
The certificate was approved and I could download the .crt file.
I imported the .crt file into the tool to complete the process and associate with the private key.
Then I was able to export the certificate to a usable format.
Selected .pfx with the private key, entered a password......
....and the new certificate was ready.
So what now? Is it just as simple as replacing the certificate in the properties of the CMG? Yes, it is. Simply browsed to the new certificate, entered a password and clicked Apply.
You can monitor activity in the Operations logs in Azure.
Finally you can run the CMG Connection Analyzer to make sure that everything is OK.
Will the world end if the certificate expires?
Not really. Your internet clients won't break and will still have the same functionality. You just won't be able to manage them over the internet though. When you eventually add a new certificate you will not have to take any action on the clients.
I hope this helps. Until next time.....