Exchange 2016 SMTP certificate

fsdg 906 Reputation points


how can I find default(primary) certificate which is bind to SMTP on Exchange 2016.
I have 3 cerificates binded to SMTP.One self signed ,one 3rd party and one internal CA cert. I want to unbind one cerificate from smtp services and delete because it is expired(internal CA certificate)
Is this right procedure to remove smtp certificate:
How can I find which name should certificate have to support SMTP?
Is it receive connector-client frontend connector-fqdn ,name that certificate should have or is it on send connector?
What is the purpose of smtp certificate?

Thank you

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,028 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 134.1K Reputation points MVP

    This chart still applies on how Exchange picks a certificate for transport:

    Essentially a 3rd party cert is preferred over a self-signed cert and it must be valid and not expired.

    You can verify which certs are set to USE SMTP with Powershell or EAC.
    Powershell prob the easiest.

    Get-ExchangeCertificate -server <server> | select thumbprint,services,notafter,subject,certificatedomains | where {$_.Services -match "SMTP"} | fl  

    This will show you the certs and their associated subject domains.

    If the FQDN set on either a receive connector or send connector match those subject domains on the cert, then Exchange will use that cert - preferring a valid 3rd party certificate as mentioned above.

    You can verify which cert is being used by looking through the protocol logs for a connector.
    Enable logging and then open the logs with a text editor to view:

    For your first question:
    Yes, you can use that article.

    Hope this helps!

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Yuki Sun-MSFT 37,376 Reputation points

    Hi @fsdg

    1. To find the currently default SMTP certificate, you can run the powershell script in the blog below, just need to specifying a target exchange server:
      Field notes: What is the current default SMTP certificate for your Exchange Server environment?
      Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
      I've tried it in my test lab and it worked:
    2. Yes, you can refer to that article to remove the unwanted certificate.
    3. As regards to the names need to be included in the certificate, according to the article as follows, "The certificate must include the DNS name that's used by the SMTP clients or servers to connect to the Receive connector. To simplify certificate management, consider including all DNS names for which you have to support TLS traffic in a single certificate."See:
      Certificate requirements for Exchange services
    4. The SMTP certificate is used for the mutual TLS connections between the Exchange Servers within an Exchange Organization and is also presented to external mail systems when mutual TLS is required.

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments No comments