Thursday, March 12, 2015

Set a New Internal Transport Certificate

Normally, when we configure clients running Exchange 2013 with a valid certificate for web services, we also apply it to SMTP. This allows opportunistic TLS to be performed and secure email delivery. When you apply the certificate, it will ask:
  • Overwrite the existing default SMTP certificate?
We normally say yes and our valid/trusted certificate is configured as the "internal transport certificate". This is all good.

Recently the certificate on an Exchange 2013 server was replaced and when the new certificate was applied, it was not configured as the default/internal transport certificate. This caused the following error when I attempted to remove the expired certificate:
 A special Rpc error occurs on server XXXXXXX: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
This error is suggesting that we use New-ExchangeCertificate to create a new self-signed certificate. That is a perfectly valid technical solution. The only thing we've noticed is that customers tend to ignore all certificates except the trusted one that they've installed. Then the internal certificate expires and causes some problem with mail delivery. Specifically, we've seen delivery errors between Edge Transport servers and internal Exchange servers.

I want to set our new valid certificate which is bound to IIS and SMTP as the default SMTP certificate. To do this I needed to use the console because the web interface won't let me reapply the same certificate. Here is the process.
  1. Use Get-ExchangeCertificate to identify the thumbprint of the certificate you want to be default. This is a big long ugly number, do yourself a favor and copy it to clipboard instead of trying to type it.
  2. Use Enable-ExchangeCertificate -Thumbprint XXXXXXX -Services 'iis,smtp' to assign the services.
  3. Answer [Y] Yes when prompted to overwrite the default SMTP certificate.
After changing the default SMTP certificate, I could delete the expired certificate without error in Exchange Admin Center.
Posted by at

9 comments:

  1. GazJanuary 18, 2016 at 10:13 AM

    https://community.spiceworks.com/topic/580335-unable-to-remove-old-invalid-ssl-certificate-from-exchange-2013

    ReplyDelete
    Replies
    1. AnonymousApril 20, 2016 at 6:39 AM

      Brilliant, this solved my problem perfectly. Thank you! :)

      Delete
  2. AnonymousJuly 24, 2019 at 9:50 AM

    Yep, did the trick for me as well.

    ReplyDelete
  3. AnonymousMay 7, 2020 at 7:15 AM

    lovely, thanks!

    ReplyDelete
  4. AnonymousMay 8, 2020 at 3:42 PM

    Encountered other so-called fixes, but THIS is exactly what I was wanting to accomplish. Brilliant! Thank you.

    ReplyDelete
  5. AnonymousJune 2, 2020 at 8:39 AM

    Thanks for this, just what I needed after replacing SSL cert.

    ReplyDelete
  6. AnonymousJanuary 25, 2021 at 6:44 AM

    Worked for me! :)

    ReplyDelete
  7. AnonymousMay 28, 2021 at 4:19 AM

    Worked, thanks !

    ReplyDelete
  8. AnonymousJune 2, 2022 at 6:57 PM

    Worked great in Exchange 2019 environment too!

    ReplyDelete

Subscribe to: Post Comments (Atom)