Victor asks:
I assigned a new SSL cert to the SMTP service on my Exchange 2013 server and got the prompt about overwriting the old one. However, the old cert is still bound to the SMTP service and I can’t uncheck the box. Do I need to reboot the server or can I just restart the SMTP service to unbind it?
Certificates bound to SMTP behave a little differently from the other Exchange services. If you bind a certificate to IIS, for example, the new binding replaces the previous certificate, so only one certificate is bound to IIS at a time. SMTP, however, allows multiple certificates to be bound to the service at once.
Here’s an example:
[PS] C:\>Get-ExchangeCertificate | select Thumbprint,Services,NotAfter,Subject,CertificateDomains | where {$_.Services -match "SMTP"} | fl

Thumbprint         : 21D75A8C5BA4003005DF16D5EF577DE4563114D1
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 10/08/2015 10:00:00 PM
Subject            : CN=mail.exchangeserverpro.net, OU=IT Department, O=LockLAN Systems Pty Ltd, L=Hemmant, S=Qld, C=AU
CertificateDomains : {mail.exchangeserverpro.net, AutoDiscover.exchangeserverpro.net, exchangeserverpro.net, smtp.exchangeserverpro.net, pop.exchangeserverpro.net, imap.exchangeserverpro.net}

Thumbprint         : E769A3DB29AA4EA612B2C27D78CE01EBDB1C7005
Services           : SMTP
NotAfter           : 11/06/2019 7:40:13 PM
Subject            : CN=EX2013SRV1
CertificateDomains : {EX2013SRV1, EX2013SRV1.exchangeserverpro.net}

Thumbprint         : 5C5E9124B0960BBFB570596AAE6902742D95361E
Services           : SMTP
NotAfter           : 27/05/2019 10:05:25 PM
Subject            : CN=EX2013SRV1
CertificateDomains : {EX2013SRV1, EX2013SRV1.exchangeserverpro.net}
As you can see I’ve got my SAN certificate bound to IMAP, POP, IIS, and SMTP. But then I’ve also got two additional certificates bound to SMTP. These are self-signed certificates created by Exchange setup.
Why do I have two? It’s possible I’ve reinstalled this server at some stage, or manually created one of them. Regardless, you can see that multiple certificates are bound to SMTP, which is the point I’m making.
Anyway, let’s say for some reason we want to remove one of those self-signed certificates, or at the very least unbind it from SMTP. To bind a certificate to a service we use Enable-ExchangeCertificate, however there is no corresponding Disable-ExchangeCertificate cmdlet.
As Victor points out, trying to do it via the Exchange Admin Center is impossible – the tick box is greyed out.
However, we still have a PowerShell solution. If you look closely at the documentation for Enable-ExchangeCertificate you can see that the -Services parameter accepts a value of "None", which clears every binding the certificate has.
So this command sets the certificate with the thumbprint "5C5E9124B0960BBFB570596AAE6902742D95361E" to be bound to no services on the server:
[PS] C:\>Enable-ExchangeCertificate -Services None -Thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E
Run Get-ExchangeCertificate again afterwards and confirm that SMTP no longer appears in the Services value for that thumbprint before you go any further.
If you want to remove the certificate from the server entirely use Remove-ExchangeCertificate. However, don’t do this until you’re 100% sure you don’t need the certificate any more. I have seen customers who delete a certificate only to later realise that the server was still using that certificate for something.
[PS] C:\>Remove-ExchangeCertificate -Thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
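As an added example (not part of the original article), the following function ties the steps above together in the Exchange Management Shell: it lists what is currently bound to SMTP, refuses to unbind a certificate that is also serving IIS, POP or IMAP or is not self-signed (unless you force it), clears the bindings with -Services None, and then reads the certificate back to confirm SMTP is really gone instead of trusting the cmdlet's silence. The function name Unbind-SmtpCertificate, its -Force switch and its safety checks are assumptions of this example; Get-ExchangeCertificate, Enable-ExchangeCertificate and the Thumbprint, Services, Subject and IsSelfSigned properties are the standard Exchange 2013 cmdlets and output. Remove-ExchangeCertificate is deliberately left out, for the reason given above.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the Exchange 2013 server. Unbind-SmtpCertificate, -Force and the
# safety checks are assumptions of this example; the cmdlets and properties
# used are the standard Get-/Enable-ExchangeCertificate ones.
function Unbind-SmtpCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint,
        # Without -Force only a self-signed certificate that serves nothing but
        # SMTP is unbound, so a mistyped thumbprint cannot hit the SAN cert.
        [switch]$Force
    )

    # Normalise the thumbprint the way the certificate store presents it.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # Show everything currently bound to SMTP so the choice can be double-checked.
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'SMTP' } |
        Format-Table Thumbprint, IsSelfSigned, NotAfter, Subject, Services -AutoSize |
        Out-Host

    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop

    if ($cert.Services -notmatch 'SMTP') {
        Write-Host "$Thumbprint is not bound to SMTP (Services: $($cert.Services)); nothing to do."
        return
    }

    # In the article's setup a certificate that also serves IIS, POP or IMAP is
    # the production SAN certificate, not a leftover; refuse unless forced.
    if (-not $Force -and ($cert.Services -match 'IIS|POP|IMAP' -or -not $cert.IsSelfSigned)) {
        throw "$Thumbprint ('$($cert.Subject)') is bound to $($cert.Services); re-run with -Force if you really mean it."
    }

    # 'None' is the documented -Services value that clears every binding; there
    # is no Disable-ExchangeCertificate cmdlet.
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services None -Confirm:$false

    # Read the object back rather than assuming the binding was removed.
    $after = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if ($after.Services -match 'SMTP') {
        Write-Warning "$Thumbprint is still bound to SMTP (Services: $($after.Services))."
    } else {
        Write-Host "$Thumbprint is now bound to: $($after.Services)"
    }
}

# Usage, with the leftover self-signed certificate from the article's output:
Unbind-SmtpCertificate -Thumbprint 5C5E9124B0960BBFB570596AAE6902742D95361E
```

If the final check still reports SMTP, the binding was not cleared and the certificate is still a candidate for use by the transport service; do not proceed to Remove-ExchangeCertificate until the Services value no longer includes SMTP.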
This article How to Remove an SSL Certificate from Exchange Server 2013 is © 2015 ExchangeServerPro.com