When you attempt to remove an SSL certificate from an Exchange 2013 server you may encounter the following error.
A special Rpc error occurs on server E15MB2: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
To be able to remove the SSL certificate you need to create a new certificate to replace the existing one as the internal transport certificate.
You can perform this task quickly in the Exchange Management Shell. The following command when run on the server in question will generate a self-signed certificate that contains the server’s FQDN and NetBIOS names on it.
[PS] C:\>New-ExchangeCertificate -IncludeServerFQDN -IncludeServerNetBIOSName
You will see output similar to this, and will be prompted to confirm the change.
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'E15MB2.exchange2013demo.com' because the CA-signed certificate with thumbprint 'A0B4B98EF41324AAE7A1AFF754D69CE91A00A228' takes precedence. The following receive/send connectors match that FQDN: Default E15MB2, Client Proxy E15MB2, Default Frontend E15MB2, Outbound Proxy Frontend E15MB2, Client Frontend E15MB2. Confirm Overwrite the existing default SMTP certificate? Current certificate: 'A0B4B98EF41324AAE7A1AFF754D69CE91A00A228' (expires 4/11/2014 6:58:36 PM) Replace it with certificate: '3B715DBF2871DE3C73A8E369C2FBDE7919301DAC' (expires 5/11/2017 8:41:11 PM) [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y Thumbprint Services Subject ---------- -------- ------- 3B715DBF2871DE3C73A8E369C2FBDE7919301DAC IP..S.. CN=E15MB2
You can now proceed with the removal of the previous certificate.
If you’re interested in how Exchange handles selection of a certificate when multiple certificates are bound to the SMTP protocol, here are some articles that explain it:
The solution: https://learn.microsoft.com/en-us/exchange/troubleshoot/mailflow/cannot-remove-installed-certificate
Thank you much, problem resolved too 🙂
I have a wildcard cert thats already been installed and used on the Exchange server for SMTP and IIS, but can’t get rid of the previous UCC Cert that still has SMTP, POP3 and IMAP on it. Will the command you specify fix the issue or am I looking for another solution?
Cheers
In a similar position, this may help people as well http://byronwright.blogspot.com.au/2015/03/the-internal-transport-certificate.html
i did complete installation of e Exchange 2013 in coexistence with 2010 with big help of your comments but i got stuck with one issue which confusing me.
i have some email accounts on outlook using secure imap (993) and secure smtp (587) with using a godaddy certificate , i have imported the certificate into Exchange 2013 and applied it on all services including smtp but outlook still getting a security warning regarding the certificate as it shows that the self singed certificate is the active one on the smtp.
i tired to reapply the certificate using the power shell on the smtp but still the same issue.
i would appropriate your comments
You should change Outlook Provider:
http://ilantz.com/2013/06/29/exchange-2013-outlook-anywhere-considerations/
Someone has already generated a certificate. When I look at certs:
[PS] C:Documents and SettingssupportDesktop>get-exchangecertificate
Thumbprint Services Subject
———- ——– ——-
63B77A02B72F66A70F5317F5F9A3C4A6E51AEF2B ….. CN=localhost
3BA4DB0B2AC47E44742811AE0EC36AB6A9064659 IP..S C=CA, PostalCode=XXX…
6DA87B4F0D1E3C0E01CD371A83AF1D3A3DA8B5DE IP.WS CN=mail.xxxxx.mb….
933169E713A07F8303ACADEA03E4939E32B1E010 IP..S CN=mail.xxxxx.mb….
The 933… is expired in Jan 2012, the 3BA… is pretty much the same but expirs in 2016.
Not sure who created it, I assume it was done last year to address the expired certificate issue.
Got the indicated error trying to remove the expired certificate.
I had to turn off STARTTLS because another SMTP server was rejecting out mail after it received the certificate.
It would redo HELO after the cert send, then by MAIL FROM: it would give “500 – syntax error unrecognized command”
I think it’s sending the expired certificate.
It looks like there’s a valid unexpired certificate supposed to be already in use.
I can’t find a way to say “don’t use” for the expired other than “Remove”.
From what I see, the new certificate is already configured to be used in the
Paul, is there anyway to remove SSL completely on Exchange 2013? It’s for a very small setup and SSL seems to cause 95% of all the issues I’ve encountered while trying to get this thing up and going. Thanks.
No. SSL is important. Just configure it correctly instead of wasting time trying to remove it or work around it.
Thanks so much, this was driving me up a wall and the error message is not what I’d call intuitive.
Thank you so much, my problem was resolved.