Share via

Wrong SMTP certificate on Exchange Server 2016

Davide Zampatori 1 Reputation point
2020-07-27T13:40:59.35+00:00

Hello,

I've installed a brand new exchange 2016 server and my company is running on it straight and clean from a month or so, but last week a user asked me why the SMPT certificate gives an error. Looking at the error, the certificate that the user get is the built-in SMTP certificate of the installation and not the one from the public CA.

I've reassigned the SMTP service via EAC and on ECP, nothing works.

The question is... there is some way to unassign SMTP service to built-in certficate?

Many Thanks

Exchange | Exchange Server | Management
Exchange | Exchange Server | Management

The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.

9 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator
    2020-07-27T20:28:32.4+00:00

    You can't unless you remove the cert. Do not remove the built-in cert however. The Exchange transport will pick the certificate that "fits" the best, based on the if its a third party certificate, the expiration date and if a subject name on the certificate matches what is set for the FQDN on the connector used.

    Having said all that, I dont quite understand your scenario. What exactly is this user doing when the error is surfaced and the built-in SMTP cert is being used?

    1 person found this answer helpful.
  2. Lucas Liu-MSFT 6,196 Reputation points
    2020-07-30T06:40:13.01+00:00

    Hi,
    I agree with Andy.
    Did you try to assign the SMTP service to new certificate and export the Microsoft Exchange self-sign certificate.
    Could you share the specific error information with us? Please note that hide your private information.

    0 comments
  3. Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator
    2020-07-28T11:24:02.04+00:00

    Hi @Davide Zampatori ,
    I'm still not understanding the scenario when this issue happens. Can you break it down for me and describe the exact steps when it occurs and the end-user is doing? Client, process etc...
    Users should never see the cert set on the send connector. They might see a cert set on a receive connector if the client they are using is sending via SMTP ( POP/IMAP an App using Exchange etc..)

    "but last week a user asked me why the SMPT certificate gives an error."

    0 comments
  4. Lucas Liu-MSFT 6,196 Reputation points
    2020-07-28T06:15:13.777+00:00

    Hi,
    Did this user do anything before this issue occurred?
    Based on my knowledge, after creating Exchange, three self-signed certificates will be automatically generated, among which Microsoft Exchange self-signed certificate to encrypt network traffic between Exchange servers and services.
    For more information:Certificates in Exchange

    Once we enable a service for the certificate, we cannot disable it. We could only re-import a new certificate, assign the started service, and then delete the old certificate. Considering that deleting a self-signed certificate may cause other effects, it is recommended that you run the following command line to export the certificate after confirming that the service has been enabled on the new certificate. Then please run the IISreset in CMD started as administrator and see if the issue is solved. 

    Export-ExchangeCertificate -Thumbprint <> -Server <> -FileName "<>"

    For more information:export-exchangecertificate

    0 comments
  5. Manu Philip 20,651 Reputation points MVP Volunteer Moderator
    2020-07-27T19:46:35.427+00:00

    Hello,

    When you install Microsoft Exchange Server , it creates a self-signed certificate with a validity period of 5 years. This certificate is assigned as the initial default SMTP certificate. This certificate is used for the mutual TLS connections between the Microsoft Exchange Servers within an Exchange Organization. This certificate is also presented to external mail systems when mutual TLS is required.
    Normally, these certificates won't impact the normal working of SMTP functionality. But, if for any reason, if you need to un assign the SMTP service, please follow the steps

    1. Run Get-ExchangeCertificate and find the thumbprint of the interested certificates
    2. Run Disable-ExchangeCertificate –Thumbprint xxxxxx –Service SMTP Substitute the thumbprint from the first step

    Please mark as "Accept the answer" if the answer helps you. Your suggestion will help others also !

    Regards,
    Manu

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.