When you attempt to remove an SSL certificate from an Exchange 2013 server you may encounter the following error.

Exchange 2013: The Internal Transport Certificate Cannot be Removed

A special Rpc error occurs on server E15MB2: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

To be able to remove the SSL certificate you need to create a new certificate to replace the existing one as the internal transport certificate.

You can perform this task quickly in the Exchange Management Shell. The following command when run on the server in question will generate a self-signed certificate that contains the server’s FQDN and NetBIOS names on it.

[PS] C:\>New-ExchangeCertificate -IncludeServerFQDN -IncludeServerNetBIOSName

You will see output similar to this, and will be prompted to confirm the change.

WARNING: This certificate will not be used for external TLS connections with an FQDN of 'E15MB2.exchange2013demo.com' because the CA-signed certificate with thumbprint 'A0B4B98EF41324AAE7A1AFF754D69CE91A00A228' takes precedence. The following receive/send connectors match that FQDN: Default E15MB2, Client Proxy E15MB2, Default Frontend E15MB2, Outbound Proxy Frontend E15MB2, Client Frontend E15MB2.

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'A0B4B98EF41324AAE7A1AFF754D69CE91A00A228' (expires 4/11/2014 6:58:36 PM)
Replace it with certificate: '3B715DBF2871DE3C73A8E369C2FBDE7919301DAC' (expires 5/11/2017 8:41:11 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Thumbprint                                Services   Subject
----------                                --------   -------
3B715DBF2871DE3C73A8E369C2FBDE7919301DAC  IP..S..    CN=E15MB2

You can now proceed with the removal of the previous certificate.

If you’re interested in how Exchange handles selection of a certificate when multiple certificates are bound to the SMTP protocol, here are some articles that explain it:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Heinz Rahn

    Thank you much, problem resolved too 🙂

  2. Dave

    I have a wildcard cert thats already been installed and used on the Exchange server for SMTP and IIS, but can’t get rid of the previous UCC Cert that still has SMTP, POP3 and IMAP on it. Will the command you specify fix the issue or am I looking for another solution?

    Cheers

  3. Tarek

    i did complete installation of e Exchange 2013 in coexistence with 2010 with big help of your comments but i got stuck with one issue which confusing me.

    i have some email accounts on outlook using secure imap (993) and secure smtp (587) with using a godaddy certificate , i have imported the certificate into Exchange 2013 and applied it on all services including smtp but outlook still getting a security warning regarding the certificate as it shows that the self singed certificate is the active one on the smtp.

    i tired to reapply the certificate using the power shell on the smtp but still the same issue.

    i would appropriate your comments

  4. MD

    Someone has already generated a certificate. When I look at certs:
    [PS] C:Documents and SettingssupportDesktop>get-exchangecertificate

    Thumbprint Services Subject
    ———- ——– ——-
    63B77A02B72F66A70F5317F5F9A3C4A6E51AEF2B ….. CN=localhost
    3BA4DB0B2AC47E44742811AE0EC36AB6A9064659 IP..S C=CA, PostalCode=XXX…
    6DA87B4F0D1E3C0E01CD371A83AF1D3A3DA8B5DE IP.WS CN=mail.xxxxx.mb….
    933169E713A07F8303ACADEA03E4939E32B1E010 IP..S CN=mail.xxxxx.mb….

    The 933… is expired in Jan 2012, the 3BA… is pretty much the same but expirs in 2016.
    Not sure who created it, I assume it was done last year to address the expired certificate issue.
    Got the indicated error trying to remove the expired certificate.

    I had to turn off STARTTLS because another SMTP server was rejecting out mail after it received the certificate.
    It would redo HELO after the cert send, then by MAIL FROM: it would give “500 – syntax error unrecognized command”
    I think it’s sending the expired certificate.
    It looks like there’s a valid unexpired certificate supposed to be already in use.
    I can’t find a way to say “don’t use” for the expired other than “Remove”.
    From what I see, the new certificate is already configured to be used in the

  5. TJ

    Paul, is there anyway to remove SSL completely on Exchange 2013? It’s for a very small setup and SSL seems to cause 95% of all the issues I’ve encountered while trying to get this thing up and going. Thanks.

  6. JoshM

    Thanks so much, this was driving me up a wall and the error message is not what I’d call intuitive.

  7. Andrey Oliveira

    Thank you so much, my problem was resolved.

Leave a Reply