Victor asks:

I assigned a new SSL cert to the SMTP service on my Exchange 2013 server and got the prompt about overwriting the old one. However, the old cert is still bound to the SMTP service and I can’t uncheck the box. Do I need to reboot the server or can I just restart the SMTP service to unbind it?

Certificates bound to SMTP are a little different than other services on an Exchange server. If you bind a certificate to IIS for example, it removes the binding for any previous certificate, and becomes the only certificate bound to that service. However with SMTP you can have multiple SSL certificates bound to the service.

Here’s an example:

[PS] C:\>Get-ExchangeCertificate | select thumbprint,services,notafter,subject,certificatedomains | where {$_.Services -
match "SMTP"} | fl


Thumbprint         : 21D75A8C5BA4003005DF16D5EF577DE4563114D1
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 10/08/2015 10:00:00 PM
Subject            : CN=mail.exchangeserverpro.net, OU=IT Department, O=LockLAN Systems Pty Ltd, L=Hemmant, S=Qld, C=AU
CertificateDomains : {mail.exchangeserverpro.net, AutoDiscover.exchangeserverpro.net, exchangeserverpro.net,
                     smtp.exchangeserverpro.net, pop.exchangeserverpro.net, imap.exchangeserverpro.net}

Thumbprint         : E769A3DB29AA4EA612B2C27D78CE01EBDB1C7005
Services           : SMTP
NotAfter           : 11/06/2019 7:40:13 PM
Subject            : CN=EX2013SRV1
CertificateDomains : {EX2013SRV1, EX2013SRV1.exchangeserverpro.net}

Thumbprint         : 5C5E9124B0960BBFB570596AAE6902742D95361E
Services           : SMTP
NotAfter           : 27/05/2019 10:05:25 PM
Subject            : CN=EX2013SRV1
CertificateDomains : {EX2013SRV1, EX2013SRV1.exchangeserverpro.net}

As you can see I’ve got my SAN certificate bound to IMAP, POP, IIS, and SMTP. But then I’ve also got two additional certificates bound to SMTP. These are self-signed certificates created by Exchange setup.

Why do I have two? It’s possible I’ve reinstalled this server at some stage, or manually created one of them. Regardless, you can see that multiple certificates are bound to SMTP, which is the point I’m making.

Anyway, let’s say for some reason we want to remove one of those self-signed certificates, or at the very least unbind it from SMTP. To bind a certificate to a service we use Enable-ExchangeCertificate, however there is no corresponding Disable-ExchangeCertificate cmdlet.

As Victor points out, trying to do it via the Exchange Admin Center is impossible – the tick box is greyed out.

However we still have a PowerShell solution to the problem. If you look closely at the documentation for Enable-ExchangeCertificate you can see that the -Services parameter accepts a value of “None”.

So this command will set the certificate with a thumbprint of “5C5E9124B0960BBFB570596AAE6902742D95361E” to be bound to no services on the server.

[PS] C:\>Enable-ExchangeCertificate -Services None -Thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E

If you want to remove the certificate from the server entirely use Remove-ExchangeCertificate. However, don’t do this until you’re 100% sure you don’t need the certificate any more. I have seen customers who delete a certificate only to later realise that the server was still using that certificate for something.

[PS] C:\>Remove-ExchangeCertificate -Thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

If you’re interested in how Exchange handles selection of a certificate when multiple certificates are bound to the SMTP protocol, here are some articles that explain it:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Mike

    So it’s obviously been a while since this article was posted, but. . .has anyone been able to remove SMTP from a self-signed cert? The cert that’s bound to the Exchange back-end site in my environment also has SMTP enabled, and it’s showing up as an issue on a pen test. It’s clear that “-Services -None” is no longer an option, but I’m just not sure what is.

    On an unrelated note, this site is a phenomenal resource. Any Exchange Googling is automatically appended with “practical365”.

    1. Robin

      Should be no different for a self signed cert.

  2. Maxello Fonseca

    Paul Cunningham,
    I do not know if I’m in the correct article, however I’m trying to perform the removal of an Exchange Server 2010 service.
    A colleague attempting to install the Management Console eventually installed the server roles on their workstation. We are having problems in the deletion step of the database created at the time of uninstalling Exchange. When connecting to the Management Console of my workstation, I verify that the colleague’s machine is being recognized as a server.
    Would you have guidance regarding removal of the service?

    Maxello Fonseca

    Analyst Infrastructure

  3. Robert

    This deinitely does not work. When i try to run the command, the cmd completes successfully but nothing is changed. I dont want to just remove the certificate either in case its needed for something.

    1. Phiii

      same problem by me

  4. Paul

    We recently installed a new certificate as one we had was expiring. After changing all services over and waiting for the original certificate to expire, we received 3 alerts in the EAC (we have 3 servers) about an expired certificate. After running the Remove-ExchangeCertificate command on each server, it removed 2 alerts, but we still receive a warning on 1 of our servers. I checked the personal store and Get-ExchangeCertificate command, but see no reference of the certificate.

    The server in question also has an event (12023) referencing that it couldn’t load the old expired certificate from the personal store. We have performed restarts on each server since removing the certificate.

    Any ideas?
    Thanks in advance.

    1. David

      In our company, we have the same problem with a certificate associated with the SMTP service. Did you manage to solve it? If so, how did you do it?
      I’m in trouble, it’s a serious problem

      Thank you very much

  5. Lascelle Brown

    I tried to remove he service and was not able to with your method.
    My SMTP and IIS are bind to (Microsoft Exchange Server Auth Certificate)
    When I open outlook I get the error message “There is a problem with the proxy server’s certificate. The security certificate is not from a trusted certificate authority.
    Outlook is unable to connect to the proxy server mail.domain.com (Error Code 8).”
    Anyone have any ideas?
    Thank you

    1. Paul Cunningham

      You’ll need to look at the properties of the certificate, either in the Exchange console/shell or in the certificate manager snapin for the server. If your cert isn’t set up correctly for your client access namespaces then that is something you’ll need to address.

  6. Ricardo

    I am getting error ” The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop…” when trying to remove an expired certificate. We already have a new certificate since last year.

  7. robert

    6. Forgot to mention that you need to start the Exchange transport service again of course 🙂

  8. Robert

    Hi I had the same problem as many other, could not set the service to None (or could but nothing happened) and could not remove it so I did the following:
    1. Removed the IIS role back to the OLD certificate (it now has all active roles IIS/SMTP/IMAP/POP). Close the browser and start it again to be sure you are on the correct certificate.
    2. Remove the NEW certificate.
    3. Click “renew” on the OLD certificate (I probably did the wrong thing before and just added a New certificate). Do the Whole procedure With getting a certificate.
    4. Now I have an OLD certificate With IIS/SMTP/IMAP/POP role and a NEW certificate With IMAP/POP role, when I activate the IIS/SMTP role I get A question if I want to transfer the active SMTP role to the New Certificate, click yes.
    5. Now I stop the Exchange transport service and run the command to remove the OLD certificate and “FINALLY” its gone and birds are flying in the sky and I again feel the IT-GURU-SUPERPOWERS are pumping in my veins 🙂 Good Luck Folks!

  9. Wladinho

    Hi guys,

    I have same problem with SMTP service assigned to self-signed certificate.
    For all Outlook / Autodiscover users, everything is fine, but IMAP / SMTP clients getting wrong certificate from Exchange servers.
    Comodo certificate is assigned also to all needed services.
    Does anyone have a solution for that problem, because Enable-ExchangeCertificate -Service None, doesn’t work for me.

    Regards,

  10. Dan B. Lee

    I’m in the same boat as the last folks here. I’m showing two certificates actually have IIS enabled on them (Exchange 2013 CU 11 Updated). One is my old certificate, and no matter what I do I can’t uncheck the IIS (or any service for that matter). The other is my new certificate, which has the exact same services enabled.

    The old certificate expires in 4 days. Am I to assume that the Exchange Server will be smart enough to figure out that the new certificate with IIS, SMTP, POP, and IMAP enabled is the one it needs to look for? Or should I delete it now?

    This is a production server, so I’m obviously a little worried about just letting this ride into expiration. I’d much rather have the services only on the new cert and have my old cert without services tied to it, not deleted so I can go back to it if I need to.

    Any suggestions?

  11. Max

    Same problem here.
    Exchange 2013 CU 10.
    I’ve successful replaced the previous certificate with a new one, now both ECP and Get-ExchangeCertfificate cmdlet return both certificate bound to the services.
    By ECP I’m unable to unbind the old certificate to the services because the checkboxes are greyed-out.
    By using the Enable-ExchangeCertificate cmdlet (also passing the -Server switch) with “-Services” switch to “none” I receive no errors, but still seeing the bindings for the services to both old and new certificates.
    I would try to remove the old certificate (if this will be possible, I suppose I would receive some errors because it is still bound to some services) but in case I’ll be successful I would not find any issue, because actually all is running fine, except for the warning by accessing the ECP GUI on the top right of the page.

    Any suggestion?

    Thanks
    Max

  12. William Henderson

    Paul,

    I am investigating an issue I have after having to rebuild one of my Exchange 2013 servers. Some users are getting the following error when they send and receive:

    “Microsoft Exchange reported error (0x8004010F) : The operation failed. An object cannot be found.” This error does not seems to show for all users.

  13. Leo

    Lots of questions for this topic but no answers. Is it by design that in Exchange 2013 CU9 or later that certain certificate commands have no effect. I’m on CU13 trying to Install a new CAS server into the environment but users are getting errors in outlook about the the certificate not being valid. The self signed (server name) server is being displayed in the error. I am unable to removed the services from this cert from both the ECP or powershell. Grayed out in ECP and not effect in powershell. the command yields no errors. -services none

    1. Paul Cunningham

      If you’ve installed a new CAS into the environment you should be immediately setting the Autodiscover SCP to match the other CAS in the site, and exporting/importing the SSL certificate from an existing server to the new server to be used for IIS/Exchange services.

  14. Chris Parker

    This does not work. Exchange 2013 CU9. Commands run without error but old cert remains assigned to SMTP (and others.)

    I’m in a hybrid configuration with just one server but I hesitate to remove the certificate outright.

  15. Peter Henry

    Paul,

    I am trying to use an imported wildcard certificate on my Exchange 2013 server. This same cert installed fine on another Exchange 2013 server in the environment and shows up as “Valid” there. On this particular exchange server, however, it shows up as “Invalid”. The Exchange 2013 servers are identical. My thought is to simply delete the certificate on the one that is showing invalid (it is not assigned to any services), and then attempt to copy the working one from the other Exchange 2013 server. Is there any downside to removing an invalid wildcard certificate from an Exchange 2013 server if the same certificate is being used on other servers in the environment?

  16. Simon

    Thanks Paul

  17. Simon

    IIS service is assigned to both my SAN certificate and my server certificate on my test Exchange 2013 servers , is that normal ? If this isn’t how do I resolve issue. thanks

    1. Paul Cunningham

      Yeah that’s normal. 2013 and 2016 have two IIS websites, Default and Backend. When you manage the IIS cert via the Exchange tools you’re changing the cert for the Default (which is for the frontend services) website.

      If you look at the bindings for the two sites in IIS manager you’ll see which cert is used for each. It’s fine for the self-signed cert to be bound to the backend.

  18. Tyler watthanaphand

    I’ve run into some strange issue. using the “None” trick doesn’t seem to work. I’m currently stuck using a self signed certificate, it’s the only way TLS works.

    Deleting the self signed cert, even if there is a newly imported one, causes SMTP to not use TLS at all. Get-ExchangeCertificate even shows SMTP is assigned to it, and it refuses to use TLS.

  19. Kris

    I have a self signed certificate going to expire today on two of my Hub/CAS servers and I see the SMTP service is still assigned to it. I do have a SAN certificate that also has the SMTP service assigned to it. My question is if I let the certificate expire will this cause Exhange Hub transport issues or will I be okay because I have another valid cert with SMTP? Also does it hurt to just renew the self signed cert to be on the safe side or is it better to just remove and not use self signed cert? Any info you can provide woul be appreciated. Bit nervous as I don’t know what the behavior will be when cert expires. By the way Running Exchange 2010 SP3.

    1. Janine

      Hi Kris,

      I have the same situation – a self signed certificate with only the SMTP service assigned to it that is due to expire next week. I have a third party SAN certificate that also has the SMTP service assigned to it.
      What happened when your self signed certificate expired?
      Thanks

  20. artur

    I am also not able to “un-assign” the old certificate. Going to wait till the expiration date and delete it then I suppose. Running Exchange 2012 CU11.

  21. Jeff

    We have an issue where the local PKI certificates (For RDP etc…) are overriding the Exchange certificates. When we try to assign the proper cert it says the PKI one takes precedence. Is there any way to override this behavior?

    1. Will

      Did you ever find a solution to this issue? We ahve the same issue

  22. Marin

    What if I dont want to use certificates at all, can I remove the self signed certificates? Will this brake Exchange 2016?
    I have an environment that will never be in internet, so I dont really need certificates, I want to use http.

    So can I use Remove-ExchangeCertificate to remove the default certificates?

    1. Paul Cunningham

      Certificate use is required. You’ll break Exchange by trying to avoid using certificates.

  23. GotMale

    I resolved the issue myself, needed to add in the -server switch which then revealed the 2 SSL certs.

    As for removing services using the provided command. That did nothing. No error reported but no change in services assigned to the old cert that I wanted to remove. Perhaps the -verbose switch could reveal more.

    If any services or other actions are required post command they should be listed.

    I deleted the old cert via ECP. This removes the cert from the local certificate store. No services needed to be restarted.

  24. GotMale

    No issues with creating and assigning services to the new SSL cert via ECP. I’m now wanting to remove the old 3rd party SSL cert and decided that I should verify our environment via powershell

    Both the old and new 3rd party SSL certs DO NOT appear in get-exchangecertificate commands run on either of our CAS boxes. These certs DO appear within ECP.

    Any explanation as to why this is occurring?

  25. IT

    Yeah. This isn’t working for me at all. It basically does nothing when I do this. (Exchange 2013 CU8).

    I think this may have been something that worked early on, but, for obvious reasons, was fixed. I can’t imagine Enable-ExchangeCertificate would be best configured to override existing settings.

    Pretty lame that I can’t unassign from services prior to deleting. Seems like this is a basic feature that should be available to any admin working with SSL.

    But I suppose any less than optimal elements of Exchange administration are more incentive to go to Exchange Online.

  26. Stefano

    Pretty sure this is just not possible: https://technet.microsoft.com/en-us/library/aa997231(v=exchg.150).aspx

    “The Enable-ExchangeCertificate cmdlet is additive. When you specify a subset of services for which a certificate is enabled, the services that aren’t specified aren’t removed from the Services property. If you don’t want to use an existing enabled certificate for Exchange services, you must enable another certificate, and then remove the certificate you don’t want to use. “

  27. Jyrki

    Hi,

    how to reassigning? I have same problem with “none”.

  28. Andrew

    This seems to have no effect in my environment (2013 CU6)

    I have a certificate which is assigned to IMAP, POP, IIS and SMTP. When I try to enable the cert with parameter -Services None, it has no effect. I tried assigning the services to another certificate first, but the IMAP, POP and SMTP services remain on the original certificate and the command still has no effect. I also attempted the -Services None on a certificate that had only SMTP, and it again had no effect.

    Also, your example uses “$null” for the Services parameter, but it should be “None”

    1. Andrew

      correction, I’m running CU7

    2. Lou Yovin

      Same here. I see several places in TechNet where that (none) no longer works. You have to remove the other certs. Hope not.

    3. Martin Lebel

      Try reassigning the “current” certificate to the SMTP services until it ask you: “Overwrite the existing default SMTP certificate?” Then assign “none” to the revoked/expired one and finally remove the revoked/expired one. Did this the trick for me.

  29. Stanly Ipkiss

    Is this true also for the IMAP and POP service ? If I have three certificates assigned to the IMAP and POP service and two of them expire tomorrow, but the 3rd one is still valid – Exchange will be aware to use the 3rd certificate or I will have to re-apply the services to the 3rd certificate?

    Thank you in advance.

  30. Victor Solis

    Thanks for creating this post. What would happen if I left two SSL certs bound to the SMTP service and one expired and one remained valid. Would the Exchange server still continue to pass traffic via the valid one and just ignore the expired one?

    1. Paul Cunningham

      Exchange has some intelligence of its own for choosing the “correct” certificate to use for a given SMTP connection, however I would disable and remove any expired certificates.

      1. snns

        could you please give a little more details about “intelligence of its own for choosing the “correct” certificate to use for a given SMTP connection”?

        1. Ferenc Hevesi

          @snns, please read the relevant section of the following TechNet articles to understand how Exchange 2010 selects a certificate for an SMTP session. These were written for Exchange 2010, but I consider them valid for newer versions of Exchange (unless someone confirms the opposite):
          https://technet.microsoft.com/en-us/library/bb430790(v=exchg.141).aspx
          https://technet.microsoft.com/en-us/library/bb430748(v=exchg.141).aspx
          https://technet.microsoft.com/en-us/library/bb430773(v=exchg.141).aspx

        2. Glen Buktenica

          When one service is bound to two certificates, Exchange uses the last certificate that was bound. So normally this will be the non-expired certificate as it is newer.

Leave a Reply