- Overwrite the existing default SMTP certificate?
Recently, the certificate on an Exchange 2013 server was replaced, and when the new certificate was applied it was not configured as the default (internal transport) certificate. This caused the following error when I attempted to remove the expired certificate:

A special Rpc error occurs on server XXXXXXX: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

This error suggests using New-ExchangeCertificate to create a new self-signed certificate. That is a perfectly valid technical solution. The only thing we've noticed is that customers tend to ignore all certificates except the trusted one they've installed. Then the internal (self-signed) certificate expires and causes problems with mail delivery; specifically, we've seen delivery errors between Edge Transport servers and internal Exchange servers.
I want to set our new, valid certificate (already bound to IIS and SMTP) as the default SMTP certificate. To do this I had to use the console, because the web interface won't let me reapply the same certificate. Here is the process.
- Use Get-ExchangeCertificate to identify the thumbprint of the certificate you want to be the default. This is a long, ugly string; do yourself a favor and copy it to the clipboard instead of trying to type it.
- Use Enable-ExchangeCertificate -Thumbprint XXXXXXX -Services 'iis,smtp' to assign the services.
- Answer [Y] Yes when prompted to overwrite the default SMTP certificate.
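The same three steps scripted end to end, as an added example that is not part of the original post: it assumes the Exchange Management Shell on the Exchange 2013 server, a placeholder server name, and uses the -Force switch on Enable-ExchangeCertificate to suppress the overwrite prompt; it verifies the SMTP binding before removing anything that has expired.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$Server = 'EXCH01'   # placeholder: name of the Exchange 2013 server being fixed

# Step 1: list certificates so thumbprints can be copied rather than typed.
Get-ExchangeCertificate -Server $Server |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Subject, NotAfter, IsSelfSigned, Services -AutoSize

# Pick the newest trusted (non-self-signed) certificate that is still within its validity period.
$newCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { -not $_.IsSelfSigned -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $newCert) { throw "No valid third-party certificate found on $Server." }

# Step 2 and 3: bind IIS and SMTP. -Force answers the
# "Overwrite the existing default SMTP certificate?" prompt with Yes; omit it to be asked.
Enable-ExchangeCertificate -Server $Server -Thumbprint $newCert.Thumbprint -Services 'IIS,SMTP' -Force

# Confirm SMTP really is bound to the new certificate before touching the old one.
$check = Get-ExchangeCertificate -Server $Server -Thumbprint $newCert.Thumbprint
if ($check.Services -notmatch 'SMTP') {
    throw "SMTP was not bound to $($newCert.Thumbprint); not removing anything."
}

# Only now remove certificates that have already expired.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    ForEach-Object {
        Write-Host "Removing expired certificate $($_.Thumbprint) ($($_.Subject))"
        Remove-ExchangeCertificate -Server $Server -Thumbprint $_.Thumbprint -Confirm:$false
    }
```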