
How to Remove an SSL Certificate from Exchange Server 2013

January 8, 2015 by Paul Cunningham 42 Comments

Victor asks:

I assigned a new SSL cert to the SMTP service on my Exchange 2013 server and got the prompt about overwriting the old one. However, the old cert is still bound to the SMTP service and I can’t uncheck the box. Do I need to reboot the server or can I just restart the SMTP service to unbind it?

Certificates bound to SMTP are a little different than other services on an Exchange server. If you bind a certificate to IIS for example, it removes the binding for any previous certificate, and becomes the only certificate bound to that service. However with SMTP you can have multiple SSL certificates bound to the service.

Here's an example:

[PS] C:\>Get-ExchangeCertificate | select thumbprint,services,notafter,subject,certificatedomains | where {$_.Services -match "SMTP"} | fl


Thumbprint         : 21D75A8C5BA4003005DF16D5EF577DE4563114D1
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 10/08/2015 10:00:00 PM
Subject            : CN=mail.exchangeserverpro.net, OU=IT Department, O=LockLAN Systems Pty Ltd, L=Hemmant, S=Qld, C=AU
CertificateDomains : {mail.exchangeserverpro.net, AutoDiscover.exchangeserverpro.net, exchangeserverpro.net,
                     smtp.exchangeserverpro.net, pop.exchangeserverpro.net, imap.exchangeserverpro.net}

Thumbprint         : E769A3DB29AA4EA612B2C27D78CE01EBDB1C7005
Services           : SMTP
NotAfter           : 11/06/2019 7:40:13 PM
Subject            : CN=EX2013SRV1
CertificateDomains : {EX2013SRV1, EX2013SRV1.exchangeserverpro.net}

Thumbprint         : 5C5E9124B0960BBFB570596AAE6902742D95361E
Services           : SMTP
NotAfter           : 27/05/2019 10:05:25 PM
Subject            : CN=EX2013SRV1
CertificateDomains : {EX2013SRV1, EX2013SRV1.exchangeserverpro.net}

As you can see I've got my SAN certificate bound to IMAP, POP, IIS, and SMTP. But then I've also got two additional certificates bound to SMTP. These are self-signed certificates created by Exchange setup.

Why do I have two? It's possible I've reinstalled this server at some stage, or manually created one of them. Regardless, you can see that multiple certificates are bound to SMTP, which is the point I'm making.

Anyway, let's say for some reason we want to remove one of those self-signed certificates, or at the very least unbind it from SMTP. To bind a certificate to a service we use Enable-ExchangeCertificate, however there is no corresponding Disable-ExchangeCertificate cmdlet.

As Victor points out, trying to do it via the Exchange Admin Center is impossible – the tick box is greyed out.

However we still have a PowerShell solution to the problem. If you look closely at the documentation for Enable-ExchangeCertificate you can see that the -Services parameter accepts a value of “None”.

So this command will set the certificate with a thumbprint of “5C5E9124B0960BBFB570596AAE6902742D95361E” to be bound to no services on the server.

[PS] C:\>Enable-ExchangeCertificate -Services None -Thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E

If you want to remove the certificate from the server entirely use Remove-ExchangeCertificate. However, don't do this until you're 100% sure you don't need the certificate any more. I have seen customers who delete a certificate only to later realise that the server was still using that certificate for something.

[PS] C:\>Remove-ExchangeCertificate -Thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E
 
Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
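As an added example (not code from the original post), the script below wraps the unbind-then-remove procedure above in the checks a cautious admin would want: it reads the certificate by thumbprint, refuses to unbind it if it is the only unexpired certificate still covering SMTP on that server, applies -Services None, and then re-reads the binding to confirm it actually changed before allowing removal, since Enable-ExchangeCertificate is additive on some builds and the bindings may silently remain. It assumes an Exchange Management Shell session; the thumbprint is supplied by the caller and the variable names are my own.

```powershell
# Added example: guarded "unbind, verify, then remove" for an Exchange 2013 certificate.
# Assumes an Exchange Management Shell session (Get-/Enable-/Remove-ExchangeCertificate).
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the cert to retire (placeholder value)
    [string]$Server = $env:COMPUTERNAME,          # Get-ExchangeCertificate needs -Server on multi-CAS sites
    [switch]$Remove                               # only delete from the store when explicitly asked
)

$target = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -ErrorAction Stop
Write-Host ("Target: {0}  services={1}  expires={2:u}" -f $target.Subject, $target.Services, $target.NotAfter)

# Safety check: is there another unexpired certificate on this server that still covers SMTP?
$now = Get-Date
$otherSmtp = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Thumbprint -ne $Thumbprint -and
                   $_.Services -match 'SMTP' -and
                   $_.NotAfter -gt $now }

if ($target.Services -match 'SMTP' -and -not $otherSmtp) {
    throw "Refusing to unbind: $Thumbprint is the only unexpired certificate bound to SMTP on $Server."
}

# Step 1 from the post: clear the service bindings on the certificate.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services None -Confirm:$false

# Re-read and verify. The cmdlet is additive on many builds, so the old bindings may
# still be there even though the command reported no error.
$after = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
if ([string]$after.Services -ne 'None') {
    Write-Warning "Bindings unchanged (still: $($after.Services)). Do not remove this certificate yet."
    return
}

if ($Remove) {
    # Step 2 from the post: only now delete it from the local store (keeps the confirmation prompt).
    Remove-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
} else {
    Write-Host "Unbound and verified. Re-run with -Remove once you are sure nothing else uses it."
}
```

Run it first without -Remove so the verification step can tell you whether the unbind took effect on your build before anything is deleted.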

If you're interested in how Exchange handles selection of a certificate when multiple certificates are bound to the SMTP protocol, here are some articles that explain it:

  • Selection of Inbound Anonymous TLS certificates
  • Selection of Inbound STARTTLS certificates
  • Selection of Outbound Anonymous TLS certificates
Paul Cunningham

Paul is a Microsoft MVP for Office Apps and Services and a Pluralsight author. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server.


Comments

  1. Victor Solis says

    January 9, 2015 at 2:15 am

    Thanks for creating this post. What would happen if I left two SSL certs bound to the SMTP service and one expired and one remained valid. Would the Exchange server still continue to pass traffic via the valid one and just ignore the expired one?

    • Paul Cunningham says

      January 9, 2015 at 8:56 am

      Exchange has some intelligence of its own for choosing the “correct” certificate to use for a given SMTP connection, however I would disable and remove any expired certificates.

      • snns says

        August 31, 2015 at 9:18 pm

        Could you please give a little more detail about “intelligence of its own for choosing the “correct” certificate to use for a given SMTP connection”?

        • Glen Buktenica says

          May 3, 2016 at 8:51 pm

          When one service is bound to two certificates, Exchange uses the last certificate that was bound. So normally this will be the non-expired certificate as it is newer.

  2. Stanly Ipkiss says

    January 9, 2015 at 10:47 pm

    Is this true also for the IMAP and POP service? If I have three certificates assigned to the IMAP and POP service and two of them expire tomorrow, but the 3rd one is still valid – will Exchange be aware to use the 3rd certificate, or will I have to re-apply the services to the 3rd certificate?

    Thank you in advance.

  3. Andrew says

    January 17, 2015 at 3:56 am

    This seems to have no effect in my environment (2013 CU6).

    I have a certificate which is assigned to IMAP, POP, IIS and SMTP. When I try to enable the cert with parameter -Services None, it has no effect. I tried assigning the services to another certificate first, but the IMAP, POP and SMTP services remain on the original certificate and the command still has no effect. I also attempted the -Services None on a certificate that had only SMTP, and it again had no effect.

    Also, your example uses “$null” for the Services parameter, but it should be “None”

    • Andrew says

      January 17, 2015 at 4:00 am

      Correction, I’m running CU7.

    • Lou Yovin says

      January 19, 2015 at 7:28 am

      Same here. I see several places in TechNet where that (none) no longer works. You have to remove the other certs. Hope not.

    • Martin Lebel says

      January 20, 2015 at 8:24 am

      Try reassigning the “current” certificate to the SMTP services until it asks you: “Overwrite the existing default SMTP certificate?” Then assign “none” to the revoked/expired one and finally remove the revoked/expired one. This did the trick for me.

  4. Stefano says

    May 13, 2015 at 10:24 am

    Pretty sure this is just not possible: https://technet.microsoft.com/en-us/library/aa997231(v=exchg.150).aspx

    “The Enable-ExchangeCertificate cmdlet is additive. When you specify a subset of services for which a certificate is enabled, the services that aren’t specified aren’t removed from the Services property. If you don’t want to use an existing enabled certificate for Exchange services, you must enable another certificate, and then remove the certificate you don’t want to use. “

  5. IT says

    October 2, 2015 at 9:47 am

    Yeah. This isn’t working for me at all. It basically does nothing when I do this. (Exchange 2013 CU8).

    I think this may have been something that worked early on, but, for obvious reasons, was fixed. I can’t imagine Enable-ExchangeCertificate would be best configured to override existing settings.

    Pretty lame that I can’t unassign from services prior to deleting. Seems like this is a basic feature that should be available to any admin working with SSL.

    But I suppose any less than optimal elements of Exchange administration are more incentive to go to Exchange Online.

  6. GotMale says

    October 7, 2015 at 12:09 pm

    No issues with creating and assigning services to the new SSL cert via ECP. I’m now wanting to remove the old 3rd party SSL cert and decided that I should verify our environment via PowerShell.

    Both the old and new 3rd party SSL certs DO NOT appear in get-exchangecertificate commands run on either of our CAS boxes. These certs DO appear within ECP.

    Any explanation as to why this is occurring?

  7. GotMale says

    October 8, 2015 at 11:13 am

    I resolved the issue myself, needed to add in the -server switch which then revealed the 2 SSL certs.

    As for removing services using the provided command. That did nothing. No error reported but no change in services assigned to the old cert that I wanted to remove. Perhaps the -verbose switch could reveal more.

    If any services or other actions are required post command they should be listed.

    I deleted the old cert via ECP. This removes the cert from the local certificate store. No services needed to be restarted.

  8. Marin says

    November 25, 2015 at 9:34 pm

    What if I don’t want to use certificates at all, can I remove the self signed certificates? Will this break Exchange 2016?
    I have an environment that will never be on the internet, so I don’t really need certificates, I want to use http.

    So can I use Remove-ExchangeCertificate to remove the default certificates?

    • Paul Cunningham says

      November 26, 2015 at 7:21 am

      Certificate use is required. You’ll break Exchange by trying to avoid using certificates.

  9. Jeff says

    February 19, 2016 at 5:34 am

    We have an issue where the local PKI certificates (For RDP etc…) are overriding the Exchange certificates. When we try to assign the proper cert it says the PKI one takes precedence. Is there any way to override this behavior?

    • Will says

      August 17, 2016 at 2:16 am

      Did you ever find a solution to this issue? We have the same issue.

  10. artur says

    April 1, 2016 at 12:39 pm

    I am also not able to “un-assign” the old certificate. Going to wait till the expiration date and delete it then I suppose. Running Exchange 2012 CU11.

  11. Kris says

    April 26, 2016 at 6:39 pm

    I have a self signed certificate going to expire today on two of my Hub/CAS servers and I see the SMTP service is still assigned to it. I do have a SAN certificate that also has the SMTP service assigned to it. My question is if I let the certificate expire will this cause Exchange Hub transport issues or will I be okay because I have another valid cert with SMTP? Also does it hurt to just renew the self signed cert to be on the safe side or is it better to just remove and not use self signed cert? Any info you can provide would be appreciated. Bit nervous as I don’t know what the behavior will be when cert expires. By the way, running Exchange 2010 SP3.

    • Janine says

      June 21, 2016 at 5:43 pm

      Hi Kris,

      I have the same situation – a self signed certificate with only the SMTP service assigned to it that is due to expire next week. I have a third party SAN certificate that also has the SMTP service assigned to it.
      What happened when your self signed certificate expired?
      Thanks

  12. Tyler watthanaphand says

    May 7, 2016 at 8:38 am

    I’ve run into some strange issue. Using the “None” trick doesn’t seem to work. I’m currently stuck using a self signed certificate, it’s the only way TLS works.

    Deleting the self signed cert, even if there is a newly imported one, causes SMTP to not use TLS at all. Get-ExchangeCertificate even shows SMTP is assigned to it, and it refuses to use TLS.

  13. Simon says

    June 1, 2016 at 5:49 pm

    The IIS service is assigned to both my SAN certificate and my server certificate on my test Exchange 2013 servers. Is that normal? If it isn’t, how do I resolve the issue? Thanks.

    • Paul Cunningham says

      June 1, 2016 at 11:25 pm

      Yeah that’s normal. 2013 and 2016 have two IIS websites, Default and Backend. When you manage the IIS cert via the Exchange tools you’re changing the cert for the Default (which is for the frontend services) website.

      If you look at the bindings for the two sites in IIS manager you’ll see which cert is used for each. It’s fine for the self-signed cert to be bound to the backend.

  14. Simon says

    June 2, 2016 at 8:43 am

    Thanks Paul

  15. Peter Henry says

    June 8, 2016 at 4:58 am

    Paul,

    I am trying to use an imported wildcard certificate on my Exchange 2013 server. This same cert installed fine on another Exchange 2013 server in the environment and shows up as “Valid” there. On this particular exchange server, however, it shows up as “Invalid”. The Exchange 2013 servers are identical. My thought is to simply delete the certificate on the one that is showing invalid (it is not assigned to any services), and then attempt to copy the working one from the other Exchange 2013 server. Is there any downside to removing an invalid wildcard certificate from an Exchange 2013 server if the same certificate is being used on other servers in the environment?

  16. Chris Parker says

    June 9, 2016 at 4:39 am

    This does not work. Exchange 2013 CU9. Commands run without error but old cert remains assigned to SMTP (and others.)

    I’m in a hybrid configuration with just one server but I hesitate to remove the certificate outright.

  17. Leo says

    October 4, 2016 at 1:23 am

    Lots of questions for this topic but no answers. Is it by design that in Exchange 2013 CU9 or later certain certificate commands have no effect? I’m on CU13 trying to install a new CAS server into the environment, but users are getting errors in Outlook about the certificate not being valid. The self-signed (server name) server is being displayed in the error. I am unable to remove the services from this cert from either the ECP or PowerShell. Grayed out in ECP and no effect in PowerShell; the command (-Services None) yields no errors.

    • Paul Cunningham says

      October 4, 2016 at 9:52 pm

      If you’ve installed a new CAS into the environment you should be immediately setting the Autodiscover SCP to match the other CAS in the site, and exporting/importing the SSL certificate from an existing server to the new server to be used for IIS/Exchange services.

  18. William Henderson says

    November 3, 2016 at 4:03 am

    Paul,

    I am investigating an issue I have after having to rebuild one of my Exchange 2013 servers. Some users are getting the following error when they send and receive:

    “Microsoft Exchange reported error (0x8004010F) : The operation failed. An object cannot be found.” This error does not seem to show for all users.

  19. Max says

    November 9, 2016 at 11:38 pm

    Same problem here.
    Exchange 2013 CU 10.
    I’ve successfully replaced the previous certificate with a new one; now both ECP and the Get-ExchangeCertificate cmdlet return both certificates bound to the services.
    In ECP I’m unable to unbind the old certificate from the services because the checkboxes are greyed out.
    Using the Enable-ExchangeCertificate cmdlet (also passing the -Server switch) with the “-Services” switch set to “none” I receive no errors, but I still see the bindings for the services to both old and new certificates.
    I would try to remove the old certificate (if this is possible; I suppose I would receive some errors because it is still bound to some services), but in case I’m successful I would not expect any issue, because actually all is running fine, except for the warning when accessing the ECP GUI at the top right of the page.

    Any suggestion?

    Thanks
    Max

  20. Dan B. Lee says

    November 16, 2016 at 8:50 am

    I’m in the same boat as the last folks here. I’m showing two certificates actually have IIS enabled on them (Exchange 2013 CU 11 Updated). One is my old certificate, and no matter what I do I can’t uncheck the IIS (or any service for that matter). The other is my new certificate, which has the exact same services enabled.

    The old certificate expires in 4 days. Am I to assume that the Exchange Server will be smart enough to figure out that the new certificate with IIS, SMTP, POP, and IMAP enabled is the one it needs to look for? Or should I delete it now?

    This is a production server, so I’m obviously a little worried about just letting this ride into expiration. I’d much rather have the services only on the new cert and have my old cert without services tied to it, not deleted so I can go back to it if I need to.

    Any suggestions?

  21. Wladinho says

    February 4, 2017 at 11:46 pm

    Hi guys,

    I have the same problem with the SMTP service assigned to a self-signed certificate.
    For all Outlook / Autodiscover users everything is fine, but IMAP / SMTP clients are getting the wrong certificate from the Exchange servers.
    The Comodo certificate is also assigned to all needed services.
    Does anyone have a solution for that problem, because Enable-ExchangeCertificate -Service None doesn’t work for me.

    Regards,

    • Paul Cunningham says

      March 8, 2017 at 8:10 am

      Probably this:

      https://practical365.com/exchange-server/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/

  22. Robert says

    March 7, 2017 at 10:37 pm

    Hi, I had the same problem as many others, could not set the service to None (or could, but nothing happened) and could not remove it, so I did the following:
    1. Removed the IIS role back to the OLD certificate (it now has all active roles IIS/SMTP/IMAP/POP). Close the browser and start it again to be sure you are on the correct certificate.
    2. Remove the NEW certificate.
    3. Click “renew” on the OLD certificate (I probably did the wrong thing before and just added a new certificate). Do the whole procedure with getting a certificate.
    4. Now I have an OLD certificate with the IIS/SMTP/IMAP/POP role and a NEW certificate with the IMAP/POP role; when I activate the IIS/SMTP role I get a question if I want to transfer the active SMTP role to the new certificate, click yes.
    5. Now I stop the Exchange transport service and run the command to remove the OLD certificate and “FINALLY” it’s gone and birds are flying in the sky and I again feel the IT-GURU-SUPERPOWERS pumping in my veins 🙂 Good luck folks!

  23. robert says

    March 7, 2017 at 11:24 pm

    6. Forgot to mention that you need to start the Exchange transport service again, of course 🙂

  24. Ricardo says

    April 14, 2017 at 10:39 pm

    I am getting the error “The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop…” when trying to remove an expired certificate. We already have a new certificate since last year.

  25. Lascelle Brown says

    May 4, 2017 at 12:39 pm

    I tried to remove the service and was not able to with your method.
    My SMTP and IIS are bound to (Microsoft Exchange Server Auth Certificate).
    When I open outlook I get the error message “There is a problem with the proxy server’s certificate. The security certificate is not from a trusted certificate authority.
    Outlook is unable to connect to the proxy server mail.domain.com (Error Code 8).”
    Anyone have any ideas?
    Thank you

    • Paul Cunningham says

      May 4, 2017 at 1:03 pm

      You’ll need to look at the properties of the certificate, either in the Exchange console/shell or in the certificate manager snapin for the server. If your cert isn’t set up correctly for your client access namespaces then that is something you’ll need to address.

  26. Paul says

    June 12, 2017 at 2:51 am

    We recently installed a new certificate as one we had was expiring. After changing all services over and waiting for the original certificate to expire, we received 3 alerts in the EAC (we have 3 servers) about an expired certificate. After running the Remove-ExchangeCertificate command on each server, it removed 2 alerts, but we still receive a warning on 1 of our servers. I checked the personal store and Get-ExchangeCertificate command, but see no reference of the certificate.

    The server in question also has an event (12023) referencing that it couldn’t load the old expired certificate from the personal store. We have performed restarts on each server since removing the certificate.

    Any ideas?
    Thanks in advance.

  27. Robert says

    December 14, 2017 at 8:46 am

    This definitely does not work. When I try to run the command, the cmd completes successfully but nothing is changed. I don’t want to just remove the certificate either in case it’s needed for something.

  28. Maxello Fonseca says

    March 23, 2019 at 6:21 am

    Paul Cunningham,
    I do not know if I’m in the correct article, however I’m trying to perform the removal of an Exchange Server 2010 service.
    A colleague attempting to install the Management Console eventually installed the server roles on their workstation. We are having problems in the deletion step of the database created at the time of uninstalling Exchange. When connecting to the Management Console of my workstation, I verify that the colleague’s machine is being recognized as a server.
    Would you have guidance regarding removal of the service?

    Maxello Fonseca

    Analyst Infrastructure

  29. Mike says

    July 19, 2019 at 2:25 pm

    So it’s obviously been a while since this article was posted, but. . .has anyone been able to remove SMTP from a self-signed cert? The cert that’s bound to the Exchange back-end site in my environment also has SMTP enabled, and it’s showing up as an issue on a pen test. It’s clear that “-Services -None” is no longer an option, but I’m just not sure what is.

    On an unrelated note, this site is a phenomenal resource. Any Exchange Googling is automatically appended with “practical365”.
