This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 48%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello,
I've installed a brand new exchange 2016 server and my company is running on it straight and clean from a month or so, but last week a user asked me why the SMPT certificate gives an error. Looking at the error, the certificate that the user get is the built-in SMTP certificate of the installation and not the one from the public CA.
I've reassigned the SMTP service via EAC and on ECP, nothing works.
The question is... there is some way to unassign SMTP service to built-in certficate?
Many Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @Davide Zampatori ,
How is the issue now? If it has been resolved, please click “Accept as answer” to mark helpful reply as an answer to close the thread. Your action would be helpful to other users who encounter the same issue and read this thread.
You can't unless you remove the cert. Do not remove the built-in cert however. The Exchange transport will pick the certificate that "fits" the best, based on the if its a third party certificate, the expiration date and if a subject name on the certificate matches what is set for the FQDN on the connector used.
Having said all that, I dont quite understand your scenario. What exactly is this user doing when the error is surfaced and the built-in SMTP cert is being used?
In Mail flow → Send Connectors → Scope → FQDN there is the same name as public certificate
Hello,
When you install Microsoft Exchange Server , it creates a self-signed certificate with a validity period of 5 years. This certificate is assigned as the initial default SMTP certificate. This certificate is used for the mutual TLS connections between the Microsoft Exchange Servers within an Exchange Organization. This certificate is also presented to external mail systems when mutual TLS is required.
Normally, these certificates won't impact the normal working of SMTP functionality. But, if for any reason, if you need to un assign the SMTP service, please follow the steps
Please mark as "Accept the answer" if the answer helps you. Your suggestion will help others also !
Regards,
Manu
The cmdlet doesn't exist on Exchange 2016 environment
Hi,
Did this user do anything before this issue occurred?
Based on my knowledge, after creating Exchange, three self-signed certificates will be automatically generated, among which Microsoft Exchange self-signed certificate to encrypt network traffic between Exchange servers and services.
For more information:Certificates in Exchange
Once we enable a service for the certificate, we cannot disable it. We could only re-import a new certificate, assign the started service, and then delete the old certificate. Considering that deleting a self-signed certificate may cause other effects, it is recommended that you run the following command line to export the certificate after confirming that the service has been enabled on the new certificate. Then please run the IISreset in CMD started as administrator and see if the issue is solved.
Export-ExchangeCertificate -Thumbprint <> -Server <> -FileName "<>"
For more information:export-exchangecertificate
Hi @Davide Zampatori ,
I'm still not understanding the scenario when this issue happens. Can you break it down for me and describe the exact steps when it occurs and the end-user is doing? Client, process etc...
Users should never see the cert set on the send connector. They might see a cert set on a receive connector if the client they are using is sending via SMTP ( POP/IMAP an App using Exchange etc..)
"but last week a user asked me why the SMPT certificate gives an error."
Hi,
I agree with Andy.
Did you try to assign the SMTP service to new certificate and export the Microsoft Exchange self-sign certificate.
Could you share the specific error information with us? Please note that hide your private information.