Exchange 2013: The Internal Transport Certificate Cannot be Removed

When you attempt to remove an SSL certificate from an Exchange 2013 server you may encounter the following error.

A special Rpc error occurs on server E15MB2: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

To be able to remove the SSL certificate you need to create a new certificate to replace the existing one as the internal transport certificate.

You can perform this task quickly in the Exchange Management Shell. The following command, when run on the server in question, will generate a self-signed certificate that contains the server’s FQDN and NetBIOS names.

You will see output similar to this, and will be prompted to confirm the change.

You can now proceed with the removal of the previous certificate.
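
The replace-then-remove sequence described above can be scripted with a check before the removal. This is an added example, not code from the original post; the thumbprint is a placeholder for the certificate you want to remove, and it assumes the Exchange Management Shell is running on the affected server.

```powershell
# Added example. Run in the Exchange Management Shell on the affected server.
$server        = $env:COMPUTERNAME
$oldThumbprint = '<THUMBPRINT-OF-CERTIFICATE-TO-REMOVE>'   # placeholder, not a real value

# Record which certificate the Transport service uses for internal SMTP right now.
$before = (Get-TransportService -Identity $server).InternalTransportCertificateThumbprint
Write-Host "Internal transport certificate before: $before"

# With no parameters, New-ExchangeCertificate creates a self-signed certificate
# carrying the server's FQDN and NetBIOS names. Answer Yes when prompted to
# overwrite the existing default SMTP certificate.
$new = New-ExchangeCertificate

# Re-read the setting: it should now point at the new certificate.
$after = (Get-TransportService -Identity $server).InternalTransportCertificateThumbprint
Write-Host "Internal transport certificate after:  $after"

if ($after -eq $new.Thumbprint -and $after -ne $oldThumbprint) {
    # The old certificate is no longer the internal transport certificate,
    # so removing it will not stop the Transport service.
    Remove-ExchangeCertificate -Server $server -Thumbprint $oldThumbprint
}
else {
    # Typically means the overwrite prompt was declined.
    Write-Warning "Internal transport certificate was not replaced; leaving $oldThumbprint in place."
}

# Confirm what remains, which services each certificate is bound to, and expiry dates.
Get-ExchangeCertificate -Server $server |
    Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
```

The self-signed certificate only needs to satisfy server-to-server transport. Client-facing services such as IIS, IMAP and client SMTP should stay bound to a certificate the clients trust.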

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.


  1. TJ says:

    Paul, is there any way to remove SSL completely on Exchange 2013? It’s for a very small setup and SSL seems to cause 95% of all the issues I’ve encountered while trying to get this thing up and going. Thanks.

  2. MD says:

    Someone has already generated a certificate. When I look at certs:
    [PS] C:\Documents and Settings\support\Desktop>get-exchangecertificate

    Thumbprint Services Subject
    ---------- -------- -------
    63B77A02B72F66A70F5317F5F9A3C4A6E51AEF2B ..... CN=localhost
    3BA4DB0B2AC47E44742811AE0EC36AB6A9064659 IP..S C=CA, PostalCode=XXX…
    6DA87B4F0D1E3C0E01CD371A83AF1D3A3DA8B5DE IP.WS CN=mail.xxxxx.mb….
    933169E713A07F8303ACADEA03E4939E32B1E010 IP..S CN=mail.xxxxx.mb….

    The 933… is expired in Jan 2012, the 3BA… is pretty much the same but expires in 2016.
    Not sure who created it, I assume it was done last year to address the expired certificate issue.
    Got the indicated error trying to remove the expired certificate.

    I had to turn off STARTTLS because another SMTP server was rejecting our mail after it received the certificate.
    It would redo HELO after the cert send, then by MAIL FROM: it would give “500 – syntax error unrecognized command”
    I think it’s sending the expired certificate.
    It looks like there’s a valid unexpired certificate supposed to be already in use.
    I can’t find a way to say “don’t use” for the expired other than “Remove”.
    From what I see, the new certificate is already configured to be used in the

  3. Tarek says:

    I did complete the installation of Exchange 2013 in coexistence with 2010 with big help from your comments, but I got stuck with one issue which is confusing me.

    I have some email accounts on Outlook using secure IMAP (993) and secure SMTP (587) with a GoDaddy certificate. I have imported the certificate into Exchange 2013 and applied it on all services including SMTP, but Outlook is still getting a security warning regarding the certificate, as it shows that the self-signed certificate is the active one on the SMTP.

    I tried to reapply the certificate using PowerShell on the SMTP but still the same issue.

    I would appreciate your comments.
