When you attempt to remove an SSL certificate from an Exchange 2013 server you may encounter the following error.
A special Rpc error occurs on server E15MB2: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
To be able to remove the SSL certificate you need to create a new certificate to replace the existing one as the internal transport certificate.
You can perform this task quickly in the Exchange Management Shell. The following command, when run on the server in question, generates a self-signed certificate that includes the server's FQDN and NetBIOS name in its subject alternative names.
[PS] C:\>New-ExchangeCertificate -IncludeServerFQDN -IncludeServerNetBIOSName
You will see output similar to this, and will be prompted to confirm the change.
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'E15MB2.exchange2013demo.com' because the CA-signed certificate with thumbprint 'A0B4B98EF41324AAE7A1AFF754D69CE91A00A228' takes precedence. The following receive/send connectors match that FQDN: Default E15MB2, Client Proxy E15MB2, Default Frontend E15MB2, Outbound Proxy Frontend E15MB2, Client Frontend E15MB2.
Overwrite the existing default SMTP certificate?
Current certificate: 'A0B4B98EF41324AAE7A1AFF754D69CE91A00A228' (expires 4/11/2014 6:58:36 PM)
Replace it with certificate: '3B715DBF2871DE3C73A8E369C2FBDE7919301DAC' (expires 5/11/2017 8:41:11 PM)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
Thumbprint Services Subject
---------- -------- -------
3B715DBF2871DE3C73A8E369C2FBDE7919301DAC IP..S.. CN=E15MB2
You can now proceed with the removal of the previous certificate.
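The same steps as a short script, added here and not part of the original post: it assumes it is run in the Exchange Management Shell on the affected server, uses a placeholder for the old certificate's thumbprint, and verifies that the replacement is bound to SMTP before the old certificate is removed.

```powershell
# Added example (not from the original post): replace the internal transport
# certificate and then remove the old one, checking state before each step.
# Assumes the Exchange Management Shell on the server that owns the certificate.
# The thumbprint below is a placeholder; take the real value from your own
# Get-ExchangeCertificate output.
$OldThumbprint = 'PLACEHOLDER_OLD_THUMBPRINT'
$Server        = $env:COMPUTERNAME

# 1. Confirm the old certificate exists and record which services it serves.
$old = Get-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint
"Old certificate {0}: services {1}, expires {2}" -f $old.Thumbprint, $old.Services, $old.NotAfter

# 2. Generate a replacement self-signed certificate containing the server's
#    FQDN and NetBIOS name. -Force suppresses the confirmation prompt shown above;
#    leave it out if you prefer to answer the prompt interactively.
$new = New-ExchangeCertificate -Server $Server -IncludeServerFQDN -IncludeServerNetBIOSName -Force
"New certificate {0} created" -f $new.Thumbprint

# 3. Verify the new certificate is actually enabled for SMTP (the "S" in the
#    Services column) before touching the old one.
$check = Get-ExchangeCertificate -Server $Server -Thumbprint $new.Thumbprint
if ("$($check.Services)" -notmatch 'SMTP') {
    throw "New certificate $($new.Thumbprint) is not enabled for SMTP; old certificate left in place."
}

# 4. Remove the old certificate. -Confirm:$false skips the prompt; drop it to be asked first.
Remove-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint -Confirm:$false
"Removed {0}" -f $OldThumbprint
```

As the warning in the output above notes, the new self-signed certificate becomes the internal transport certificate but is not used for external TLS while a CA-signed certificate matching the connector FQDNs is present.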
If you're interested in how Exchange handles selection of a certificate when multiple certificates are bound to the SMTP protocol, here are some articles that explain it:
- Selection of Inbound Anonymous TLS certificates
- Selection of Inbound STARTTLS certificates
- Selection of Outbound Anonymous TLS certificates