• Home
  • Topics
    • Office 365
    • Teams
    • SharePoint Online
    • Exchange 2019
    • Exchange 2016
    • Exchange 2013
    • Hybrid
    • Certificates
    • PowerShell
    • Migration
    • Security
    • Azure
  • Blog
  • Podcast
  • Webinars
  • Books
  • About
  • Videos
    • Interview Videos
    • How To Guide Videos
  • Subscribe
    • Facebook
    • Twitter
    • RSS
    • YouTube

Practical 365

You are here: Home / Exchange Server / How to Assign an SSL Certificate to Services in Exchange Server 2013

How to Assign an SSL Certificate to Services in Exchange Server 2013

November 4, 2012 by Paul Cunningham 73 Comments

When an SSL certificate has been installed on an Exchange 2013 server it is not automatically enabled for any of the Exchange services such as IIS (for OWA, Outlook Anywhere, ActiveSync etc), POP, IMAP or SMTP.

The administrator must manually assign the certificate to the services that the SSL certificate is intended to be used for.

In the Exchange Administration Center navigate to Servers -> Certificates and choose the server that has the SSL certificate you wish to assign. The certificate must already been in a valid status before you can proceed further.

How to Assign an SSL Certificate to Services in Exchange Server 2013
View the list of valid SSL certificates on the Exchange 2013 server

Click the edit icon and then select Services.

How to Assign an SSL Certificate to Services in Exchange Server 2013
Edit the config of the SSL certificate to assign Exchange 2013 services

Tick the boxes for the services that you wish to assign the SSL certificate to, then click Save. The typical services to assign to an SSL certificate are IIS and SMTP.

See also Checkboxes Greyed Out When Managing Services for an Exchange 2013 SSL Certificate.

If you are overwriting existing certificates you will be prompted to confirm that.

How to Assign an SSL Certificate to Services in Exchange Server 2013
Confirm overwriting existing certificates assigned to services

If you are using the same SSL certificate on multiple servers you can also export/import the certificate to those servers.

To test that the SSL certificate is working you can browse to the Outlook Web App URL for that server and see whether you receive an invalid certificate warning from your web browser.

How to Assign an SSL Certificate to Services in Exchange Server 2013
Testing certificate validity using OWA

If you’re interested in how Exchange handles selection of a certificate when multiple certificates are bound to the SMTP protocol, here are some articles that explain it:

  • Selection of Inbound Anonymous TLS certificates
  • Selection of Inbound STARTLS certificates
  • Selection of Outbound Anonymous TLS certificates

Exchange Server Certificates, Exchange 2013, SSL

Comments

  1. Mostafa says

    September 13, 2020 at 9:37 pm

    Thanks for valued Information , Paul .
    I have acertificate installed on three exchange 2016 servers contains SANs ( Mail, auto discover )
    and working fine ,

    But the problem i s when opening ecp url like : https://EXCH-server-name/ecp
    certificate invalid because doesn’t have Server names ,

    can i make once certificate for OWA and Auto discover and another for ECP urls ?

    Reply
  2. Paul says

    July 8, 2019 at 3:26 am

    Could you help please.

    We used self signed certificates currently. I’ve been asked to assign a friendly name, via our external dns, which I’ve done, to our external ip address for OWA. This is to avoid getting certificate mismatch warnings.

    I’ve purchased a new certificate against this friendly name. I’ve then bound this in IIS to the OWA site.

    When browsing to OWA, users do not get the certificate mismatch warning anymore.

    But within 30 minutes, Outlook desktop clients were getting a certificate warning. I’ve reverted back so that all services in IIS use the self signed certificate. Warnings stopped. When installing Outlook, I’m always prompted to install a self signed certificate.

    I’ve changed nothing in the Exchange Admin Center.

    Thanks.

    Reply
  3. Ed Kummel says

    September 14, 2018 at 7:07 am

    If I have a hundred servers that I need to enable the certificate on (Digicert replacement of Symantec) what kind of gotchas am I looking at. I was thinking something like:
    import-csv ExchangeServers.txt | ForEach-Object -Process {Enable-ExchangeCertificate -server $_.Server -Thumbprint “<thumbprint of cert" -Services "SMTP,IMAP,POP,IIS" }
    As far as I can tell, this should work, or am I missing something?

    Reply
  4. Ryan says

    July 18, 2018 at 3:44 am

    Hey Paul,

    I currently have Symantec certs installed on my Exchange 2013 servers, Digicert took over the service and provided me new certs without having to generate a new CSR, can I still go through this process to install these or do I need to do it another way?

    Reply
  5. rino19ny says

    March 6, 2018 at 12:52 am

    so in selecting from multiple, still valid certificates, what matters only is the “most recent Valid from date”. so two identical valid certificates, one issued (valid from) January 1 and the other issued (valid from) March 4, the latter will be selected.

    Reply
  6. Ty says

    March 4, 2018 at 11:53 am

    Hi Paul,

    I was happy to see that you were still answering some questions so I’m hoping you’d have a min to answer mine.

    I just renewed my cert, and when attempting to to assign the iis service from the gui, exchange prompts me with: “Warning: Do you want to enforce SSL communication on the root web site? If not, rerun the cmdlet with the -DoNotRequireSSL parameter”

    What is this in reference to? I’m hesitant to move forward from here.

    Thank you,

    ~Ty

    Reply
    • Paul Cunningham says

      March 4, 2018 at 4:45 pm

      Have you manually turned off the SSL requirement on the IIS website in the past?

      Reply
  7. Mina says

    February 2, 2018 at 6:00 pm

    Hello Paul,

    I have question please
    I am using a public certificate from godaddy, and I see that WMSVC certificate will be expired in few months
    Is it mandatory to renew it?

    Thanks,
    Mina

    Reply
    • Mina says

      February 2, 2018 at 6:01 pm

      Hello Paul,

      I have question please
      I am using a public certificate from godaddy, and I see that also Microsoft Exchange Server Auth certificate will be expired in a few weeks months
      Is it mandatory to renew it?

      Thanks,
      Mina

      Reply
  8. Trieu Truong says

    January 28, 2018 at 9:26 pm

    Dear Paul,

    Thank you for informative article. I am facing with the weird issue. Hopefully you can help me to solve it. In the past, I already had a Exchange certificate for our Exchange Server 2013. For now, It was expired; hence, I must renew this certificate with the new one by ADCS(certsrv) via Windows Server 2012 R2. It seem to be worked properly, but whenever our client open their outlook, the error appeared that show outlook client keeps connecting to my expired certificate.

    How could I delete permanently the old certificate?
    P/S: Although error pop-up showing off time by time, our client still send/receive message successfully.

    Reply
    • Paul Cunningham says

      January 29, 2018 at 8:36 am

      Did you enable the new certificate in Exchange? It should be enabled for IIS/HTTPS services.

      Reply
      • Trieu Truong says

        January 29, 2018 at 4:56 pm

        Yes. I already enabled the new certificates in my Exchange . In particular, I enabled SMTP, IMAP, POP and IIS. Do I need do anything else?

        Reply
        • Paul Cunningham says

          January 30, 2018 at 7:36 am

          Have you tried restarting IIS?

          Reply
          • Trieu Truong says

            January 30, 2018 at 12:08 pm

            Yes. I did restart IIS. However, outlook of client still pointing to my old certificate. Does it relate to ADDS? My Exchange Server 2013 was set up to operate on Premise.

          • Paul Cunningham says

            January 31, 2018 at 6:13 am

            Clients don’t point to certificates. They connect to an IP address based on a DNS lookup of the client access namespace. It’s possible what you’re seeing is caching on the server side, but an IIS reset should have cleared that. It’s also possible your clients are connecting to an IP address you’re not expecting them to, so you would need to use the Outlook connection status box or something like Fiddler to work that out.

  9. Patrick Groff says

    January 16, 2018 at 7:59 am

    Paul,

    Thank you for the info you supplied. I had a strange issue. I installed a new GoDaddy Cert on my servers. All the SANs have the autodiscover and the server names. I applied it to the IIS service only and OWA and phones worked fine but all of my outlook clients continued to prompt for credntials. Was I supposed to also change the SMTP service with the new cert?

    Reply
    • Paul Cunningham says

      January 16, 2018 at 9:22 am

      The certificate shouldn’t have the server names on it. It should only have the client access namespaces (e.g. OWA, EAS, Outlook Anywhere, EWS, Autodiscover, etc). If you’re getting Outlook client prompts then it’s likely you’ve missed a namespace or misconfigured a virtual directory.

      Reply
  10. Senthil Kumar says

    September 19, 2017 at 2:42 pm

    Hi Paul,

    I have the below setup. Do i need to import and export SSL to second CAS server
    EXCH-MBX1 – Mailbox Role – Installed in HQ
    EXCH-MBX2 – Mailbox Role – Installed in HQ
    EXCH-CAS1 – Mailbox Role – Installed in HQ

    EXCH-MBX3 – Mailbox & CAS Role – Installed in DR.

    All servers in same subnet. When both server fails on HQ the database moves to EXCH-MBX3 successfully but outlook can not connect.

    Reply
    • Paul Cunningham says

      September 21, 2017 at 8:59 am

      The certificate needs to be installed on all servers that are configured with the same CAS namespaces.

      Reply
  11. cuonglt says

    June 23, 2017 at 5:09 pm

    Hi Paul,
    after i assigned ssl certificate to service SMTP. i cannot send or recieve any email, email is stay in draft.
    Please help me.
    Thanks

    Reply
  12. cuonglt says

    June 22, 2017 at 7:50 pm

    Hi all,
    please help me this issue.
    after i assigned ssl certificate to service SMTP, i cant send email. if i delete ssl certificate then i send email normal.

    Thanks in advance!

    Reply
  13. RSC says

    October 26, 2016 at 11:35 pm

    I wish I had another Exchange server to look at for reference, but could you tell me if you see anything wrong with our cert stores? I’m wondering if something is out of place there. It’s hard telling who might have done what manually here. Thanks!

    http://imgur.com/a/AqfEb
    http://imgur.com/a/BmZ9O

    Reply
  14. RSC says

    October 26, 2016 at 6:16 am

    Somehow our Exchange server managed to get two certs assigned to IIS, which I believe is the reason behind the Schannel errors in the event log on the Exchange server (I posted screen shots and more details here: https://community.spiceworks.com/topic/1891263-schannel-errors-on-exchange-2013-server). Any suggestions on how I should proceed? Thank you!

    Reply
    • Paul Cunningham says

      October 26, 2016 at 12:14 pm

      Exchange 2013 has two IIS websites; a front end website, and a back end website. The back end website is usually left alone and can keep using the self-signed certificate.

      I’ve seen SChannel errors on Exchange servers when the private key for the certificate is missing or corrupt. That’s something the certificate MMC snapin could tell you.

      Reply
      • RSC says

        October 26, 2016 at 10:12 pm

        Thank you, Paul.

        Is there any way to determine what the back end is using for a cert? If I removed the self-signed and it’s attached to the back end, would the back end find the CA cert and use it?

        Both private keys are in Personal>Certificates and Trusted Root Certification Authorities>Certificates.

        Reply
        • Paul Cunningham says

          October 26, 2016 at 11:04 pm

          You shouldn’t remove the self-signed certificate. If you’ve removed it, you’ll need to replace it with another self-signed certificate containing the server’s short name and FQDN, and re-bind it to SMTP and to the back end IIS site.

          No the back end won’t “find” the CA cert and use it. IIS doesn’t pick its own certificates autonomously.

          Reply
          • RSC says

            October 27, 2016 at 6:16 am

            I didn’t remove the self-signed cert.

            I’ve read that others are excluding the Schannel events from the event viewer. I’d much rather find an answer to what’s causing them but have had 0 luck. Do you think it’s a sign of an underlying problem or are they safe to ignore if everything appears to be working OK?

  15. Maren says

    August 27, 2016 at 11:51 am

    Thank you, thank you, thank you! This sort of clear, specific information is sorely lacking in Microsoft’s documentation. You are heaven sent and now bookmarked.

    Reply
  16. Peter says

    May 16, 2016 at 4:14 pm

    What if you don’t overwrite certificate? What will happen in that case?

    Reply
    • Paul Cunningham says

      May 16, 2016 at 4:54 pm

      Exchange will continue using the certificate as the default transport certificate.

      Reply
      • Peter says

        May 16, 2016 at 8:35 pm

        Is there a way to manually undo that “No” and make it “Yes”? What will happen if default certificate expires and renewed certificate did’n overwrite? IIS works with renewed (when you open OWA) but what about smtp, is it going to work?
        Thank you for your answer.

        Reply
        • Paul Cunningham says

          May 16, 2016 at 9:12 pm

          IIRC, re-running the enable-exchangecertificate command for your preferred certificate will ask you again.

          If the default cert expires I think it’s not catastrophic but it does cause some issues. Best to avoid it of course, which I try to, hence why I can’t easily recall the bad things that happen if you don’t 🙂

          Reply
          • Bala says

            February 28, 2017 at 5:03 am

            hi Mr.paul

            after assign certificate i could not login ecp pannel

  17. David says

    April 15, 2016 at 12:47 am

    Paul,

    After importing the certificate and assigning services, I ran some connectivity tests at exrca.com to verify. It passes with a warning I’m not sure how to interpret:

    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.

    Additional Details

    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the “Update Root Certificates” feature isn’t enabled.
    Elapsed Time: 1 ms.

    Reply
  18. Jay says

    March 21, 2016 at 3:35 pm

    Hi Paul

    Thanks for the article. 1 question though, whats the purpose of assigning a certificate to SMTP? I can understand IIS for OWA.
    Is the main purpose for assigning a cert for SMTP service related to the Outlook client connection to the server encrypting the connection?
    Cheers
    Jay

    Reply
    • Paul Cunningham says

      March 23, 2016 at 2:18 pm

      SMTP connections can be encrypted using TLS, which requires a certificate.

      Reply
  19. Darrell Kuhn says

    March 5, 2016 at 10:02 am

    Here is the solution I found for how to assign the certificate to the receive connector via PowerShell nothing in the Web UI worked for me.

    You need to get the cert finger print
    [PS] C:Windowssystem32>Get-ExchangeCertificate -server MYSERVER

    Thumbprint Services Subject
    ———- ——– ——-
    ABCBADCD3C8BE1B285BE787AFA369CF558331123 …WS.. CN=mail.company.com

    Determine the connector on port 587 you want to assign the cert too.
    [PS] C:Windowssystem32>Get-ReceiveConnector -server MYSERVER

    Identity Bindings Enabled
    ——– ——– ——-
    MYSERVERClient Frontend MYSERVER {[::]:587, 0.0.0.0:587} True

    The use the following commands to assign your cert.

    Edit: removed commands that WordPress was mangling.

    Reply
    • Paul Cunningham says

      March 5, 2016 at 10:25 am

      Your syntax is mangled by WordPress, but that’s okay, I’ve covered it with correct syntax in this article already:

      https://www.practical365.com/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/

      Note, you don’t assign certificates to connectors via the Exchange Admin Center. All you can do is enable a certificate for SMTP. The steps you found are then used to tell the connector which certificate to use (because multiple certificates can be enabled for SMTP).

      Reply
  20. Richard says

    January 10, 2016 at 5:36 am

    Thanks for your helpful articles. There’s one think i’ve been struggling with for a long time and still i haven’t been able to find a solution.

    I have to certificates installed on my server: mail.myserver.net and autodiscover.myserver.net

    I can assign mail.myserver.net for iis owa etc. but it’s automatically assigning this certificate to auto discover to.. how can i set a separate auto discover certificate?

    I just can’t find the proper solution, so for now i’m not using mail.myserver but only auto discover.myserver for all services, that’s working but it’s not a nice url to use.

    Reply
    • Paul Cunningham says

      January 10, 2016 at 6:58 am

      Only one certificate can be assigned to IIS, which is then used for all HTTPS services (including Autodiscover). The solution is to use a SAN certificate.

      https://www.practical365.com/exchange-server-2013-ssl-certificates/

      Reply
  21. Oli says

    December 29, 2015 at 10:22 pm

    i installed a new certificate from GoDaddy and it’s showing as “valid” in the ecp for the services smtp and iis as describe in this post.

    anyway, the smtp service is now enabled on two certificates (the new godaddy and the old one from thawte who will expire in some weeks).

    i tried to disconnect the services on the old certificate by powershell:
    enable-exchangecertificate -Thumbprint xxxxx -Services None
    The command runs without an error, but the old certificate still exist for the smtp service.

    can someone show me how to disable the smtp service from the old cert?
    how can i check, which certificate is used by the SMTP Service? Godaddy should be prefered for this service.

    Many thanks for your answers!

    Reply
    • Paul Cunningham says

      December 30, 2015 at 9:33 am

      You can remove an expired certificate by running Remove-ExchangeCertificate with the thumbprint value for that cert.

      Reply
      • Oli says

        January 1, 2016 at 6:57 pm

        Done! Perfect! Thanks for your help

        Reply
  22. Anees says

    July 25, 2015 at 5:03 am

    Hi All,

    I am facing an issue with Exchange Certificate. I have enabled exchange services with my wild card certificate. But when I connect via IMAP, it is keep prompting for username/password. ECP is showing that services are bind with my certificate but imap is not working on port 993. Can anyone help me in this regard?

    Anees

    Reply
  23. Michel Bernabela says

    January 16, 2015 at 4:31 am

    Hi to all,

    I have a question regarding microsoft-server-activesync. I have installed a new exchange 2013 and outlook internally and owa externally (https://clientname.dyndns.org/owa) were working fine with the self-signed certificate generated during setup.

    After changing the external url for microsoft-server-activesync to “https://clientname.dyndns.org/Microsoft-Server-ActiveSync”, EAS was working but after a while now it sees a previous old certificate that I was using on the phones and that is expired.

    Also my externally “https://clientname.dyndns.org/OWA” is not working anymore and also is seeing this old certificate now. How can i solve this?

    Now only my outlook clients are connecting to outlook with the self signed certificate generated by the setup. Can I have my local outlook clients using the self signed certificate generated by the setup and create a new certificate only to be used by OWA and EAS for mobile?

    I really appreciate any help…

    Reply
    • Paul Cunningham says

      January 16, 2015 at 5:15 am

      Only one certificate can be bound to IIS on Exchange for use with OWA, EAS, and any other HTTPS services.

      Sounds like you’re seeing different results for internal vs external clients. That suggests to me that a firewall, reverse proxy, or load balancer is being used to handle the incoming connections from external devices, and that most likely has the old expired certificate still configured on it.

      Reply
  24. Vahur says

    January 9, 2015 at 10:43 pm

    Maye you have some idea about a little problem?
    I want to let my users to use a receive connector for relay – it is authenticated and requires SSL.
    I have installed a certificate for: emailserver.company.com
    This sertificate is enabled for IISI, IMAP, and SMTP. With IIS and IMAP, it’s fine – but when i try to to a SMTP session over SSL, the server offers me the default self-sigen sertificate created during install (it works – but gives a security warning for the clients). Have been trying to tell Exchange to use the emailserver.compnany.com certificate for SMTP SLL conections, but failed. I just cant make the proper certifikace as “default”, and with SMTP it’s not that simple, as with other services – if i enable the next certificate for SMTP, the previous certificates stay enabled too.
    Any thoughts?

    Reply
    • Juan Gonzalez says

      February 14, 2015 at 4:07 am

      Vahur

      Have you had any luck on this issue? i think we are experiencing the same over here.

      J

      Reply
    • Jason Parsons says

      March 13, 2015 at 3:42 am

      Hello, I have the same issue as above where my SMTP relay refuses to use the cert I purchased even though it is listed to use SMTP as one of the services. Did you get this resolved? And if so, how? – Thank you in advance!

      Reply
      • Jason Parsons says

        March 13, 2015 at 4:27 am

        Never mind, I got it figured out. You have to create a new Frontend Receive connector and change the FQDN of that new connector to the same as cert. ie. mail.domain.com

        Jason

        Reply
  25. AthenaKrause says

    December 21, 2014 at 1:22 am

    I’m extremely pleased to find this great site. I wanted to thank you for your time for this particularly wonderful read!! I definitely loved every little bit of it and i also have you book marked to check out new information on your site.

    Reply
  26. ElsaMccarter says

    December 8, 2014 at 3:07 pm

    Hi everyone, it’s my first pay a visit at this web page, and article is genuinely fruitful for me, keep up posting these articles.

    Reply
  27. Andrew says

    December 2, 2014 at 3:39 am

    Is there a way to go back and update the certificate if you opted for “no” in the gui?

    Reply
  28. Rahamathullah says

    November 19, 2014 at 5:43 pm

    Hi All,

    I am getting error once i enabled go daddy SSL certificate on passive node.

    Certificate imported from active node and enabled services. its asked to overwrite the certificate and i confirmed to proceed. after that users are getting security alert error while opening outlook from active node.

    Security alert with active node host name.

    Information you exchange with the site cannot be viewed or changed by others. However,there is problem with the site’s security certificate.

    Please help me to resolve this issue.

    Reply
  29. Ignacio Beltran says

    July 27, 2014 at 11:51 am

    Hi all, question, what types of certs exchange 2013 manages? does it allow wildcards, and multiple domains?

    Regards

    Reply
    • Paul Cunningham says

      July 27, 2014 at 8:26 pm

      Here you go:
      https://www.practical365.com/exchange-server-2013-ssl-certificates/

      Reply
  30. Ryan says

    December 3, 2013 at 7:33 am

    @Rick

    I did in the end. There’s a tool I used which takes the urls per service and the certificates you want and goes through ex2013 setting all the vdirs etc in the way I needed. I was initially sus about anything other than my hands meddling with exchange but it came recommended by another internal exchange engineer here, and worked a treat.

    And the url you’re no doubt hanging out for is this I think from a quick mobile search. http://www.digicert.com/internal-domain-name-tool.htm

    Best of luck!

    Ryan

    Reply
  31. Rick says

    November 29, 2013 at 9:51 am

    @Ryan,

    Hi Ryan,
    Did you ever get a solution for your problem, we have a similar issue we are facing and would appreciate any feedback from your experience.
    Thanks in advance
    Rick.

    Reply
  32. Ryan says

    October 31, 2013 at 7:45 am

    Hoping you can help Paul,

    I’ve setup a single server Exchange 2013 env, external webmail.domain.com and internally they access Outlook Anywhere with either exchangeserver.ad.domain.com or autodiscover.ad.domain.com (not sure which), I have two Wildcard Certs. *.ad.domain.com and *.domain.com.

    How can I secure the webmail.domain.com with the one External *.domain.com SSL cert and the other Internal outlook anywhere, which in my mind is still IIS with a different internal cert for *.ad.domain.com internally? It seems one or the other… ?

    Appreciate your thoughts…

    Reply
  33. Sharkking says

    July 19, 2013 at 11:54 pm

    Hi there,

    does anyone made it to use a wildcard cretificate with exchange 2013 and imap ?

    WARNING: This certificate with thumbprint and subject ‘*.domain.tld’ cannot used
    for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
    Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    Trying to set the fqn gives no error

    [PS] C:Windowssystem32>Set-IMAPSettings -server -X509CertificateName mail.domain.tld
    WARNING: Changes to IMAP4 settings will only take effect after all Microsoft Exchange IMAP4 services are restarted

    after service restart same error as above when trying to enable ssl.

    Reply
  34. Doug Ickes says

    June 18, 2013 at 1:18 am

    I currently have a certificate from GODaddy on my existing production Exchange 2007 Server. I am now adding Exchange 2013 to my domain to run in parallel until I have all of my mailboxes migrated. How can I take the existing cert that is running on the 2007 server and add the Exchange 2013 server to it as well,.

    My cert from GoDaddy allows for multiple domains/servers. Can I just add the new server to the cert then download and import to the 2013 Server?

    Reply
  35. cuocdoi says

    May 5, 2013 at 3:49 pm

    Hi Paul,

    For internal user/non-domain PC, do I need to create certificate ? and do I need to configure DNS record ?

    Reply
    • Paul Cunningham says

      May 5, 2013 at 4:06 pm

      I generally recommend creating new certificates instead of relying on the self-signed ones.

      Yes you’ll need to create DNS records for any names/aliases you plan to use for different services (eg mail.domain.com).

      Reply
  36. Jesse says

    April 9, 2013 at 2:37 pm

    Should we delete the old self signed certs after we get our new certificates or just leave them as is? Thank you for great information on Exchange 2013!

    Reply
    • Paul Cunningham says

      April 9, 2013 at 2:44 pm

      You can leave them. Especially if they are still bound to backend Mailbox server role services.

      Reply
  37. Troy says

    December 14, 2012 at 12:53 am

    Very informative article. I was trying to do the same method of creating, importing and enabling certs i used in 2007, and it more or less failed. Seems they changed the semantics of the powershell commands. So here is a question, I have deployed my new certs. In the past (2007) you removed the old certs. However there are 3 default certs, I am unsure if I am supposed to remove them or not, especially one of them CN=WMSvc. That sounds important?

    Reply
    • Paul Cunningham says

      December 17, 2012 at 7:01 pm

      The shell parameters have changed a bit I think. 2010/2013 make it much easier to use the console/EAC tools to manage certs (for most scenarios) so I generally recommend people just use those.

      You can leave the default certs there.

      Reply

Leave a Reply Cancel reply

You have to agree to the comment policy.

Recent Articles

  • Changes in Microsoft 365 Apps Channels and Why You Should Care
  • A New Tool to Manage Exchange-related Attributes Without Exchange Server
  • Microsoft Launches Group Ownership Governance Policy
  • Making the Case for Identity Governance in Azure Active Directory
  • Prepare an Office 365 migration plan assessment using PowerShell

Copyright © 2022 Quadrotech Solutions AG · Disclosure · Privacy Policy
Alpenstrasse 15, 6304 Zug, Switzerland