Thursday, March 12, 2015

Set a New Internal Transport Certificate

Normally, when we configure a customer's Exchange 2013 servers with a valid certificate for web services, we also apply it to SMTP. This allows opportunistic TLS to be negotiated for secure email delivery. When you apply the certificate, it will ask:
  • Overwrite the existing default SMTP certificate?
We normally say yes and our valid/trusted certificate is configured as the "internal transport certificate". This is all good.

Recently the certificate on an Exchange 2013 server was replaced and when the new certificate was applied, it was not configured as the default/internal transport certificate. This caused the following error when I attempted to remove the expired certificate:
 A special Rpc error occurs on server XXXXXXX: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
This error is suggesting that we use New-ExchangeCertificate to create a new self-signed certificate. That is a perfectly valid technical solution. The only thing we've noticed is that customers tend to ignore all certificates except the trusted one that they've installed. Then the internal self-signed certificate expires and causes problems with mail delivery. Specifically, we've seen delivery errors between Edge Transport servers and internal Exchange servers.

I want to set our new valid certificate which is bound to IIS and SMTP as the default SMTP certificate. To do this I needed to use the console because the web interface won't let me reapply the same certificate. Here is the process.
  1. Use Get-ExchangeCertificate to identify the thumbprint of the certificate you want to be the default. This is a long, ugly hex string; do yourself a favor and copy it to the clipboard instead of trying to type it.
  2. Use Enable-ExchangeCertificate -Thumbprint XXXXXXX -Services 'iis,smtp' to assign the services.
  3. Answer [Y] Yes when prompted to overwrite the default SMTP certificate.
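The three steps above as one Exchange Management Shell script. This is an added example, not part of the original post: it assumes it runs on the Exchange 2013 server itself, that the trusted certificate is the non-self-signed one already bound to IIS, and that the expired certificate's thumbprint is substituted for the placeholder.

```powershell
# Added example: make the trusted IIS-bound certificate the default SMTP
# (internal transport) certificate, verify, then remove the expired one.
# Placeholder: replace with the thumbprint from Get-ExchangeCertificate.
$OldThumbprint = 'PLACEHOLDER_EXPIRED_CERT_THUMBPRINT'

# Step 1: list what is installed so the candidate can be checked by eye.
Get-ExchangeCertificate |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, Subject -AutoSize

# Pick the longest-lived, unexpired, CA-issued certificate already bound to IIS.
$new = Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -gt (Get-Date) -and
                   -not $_.IsSelfSigned -and
                   ($_.Services -match 'IIS') } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $new) { throw 'No valid IIS-bound certificate found; nothing changed.' }

# Steps 2 and 3: re-apply IIS and SMTP. -Force answers the
# "overwrite the existing default SMTP certificate" prompt with Yes.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP' -Force

# Check the transport service now uses the new thumbprint before removing anything;
# removing while the old one is still the internal transport certificate fails
# with the RPC error quoted in the post.
$current = (Get-TransportService -Identity $env:COMPUTERNAME).InternalTransportCertificateThumbprint
if ($current -ne $new.Thumbprint) {
    throw "Internal transport certificate is still $current; leaving $OldThumbprint in place."
}

# The expired certificate can now be removed (prompts for confirmation).
Remove-ExchangeCertificate -Thumbprint $OldThumbprint
```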
After changing the default SMTP certificate, I could delete the expired certificate without error in Exchange Admin Center.

2 comments:

  1. https://community.spiceworks.com/topic/580335-unable-to-remove-old-invalid-ssl-certificate-from-exchange-2013

    1. Brilliant, this solved my problem perfectly. Thank you! :)