Exchange 2019 Certificate Error

Question

Hello guys,

I'm opening a ticket because i plan to migrate my users on Exchange 2019, currently, i have 2 Exchange 2013 servers. As soon as i installed the exchange Server 2019, I changed all the virtual directories and i also runned the command to make sure the users doesn't connect on the new server. But now every users who uses Microsoft Outlook from the environment have a pop up that says that the certificate is not valid, and its normal because I can't apply the services SMTP and IIS on my wildcard certificate.

Indeed, when i enable the services SMTP and IIS on my new certificate, it doesn't apply. I tried to enable from the ECP, it says "Are you sure you want to replace the existing certificate", when i say yes, it doesn't change anything, the smtp service is still unchecked.

I also tried to stop IIS and restart IIS, restart the server but it doesn't changed anything, and I also tried to enable the services directly with the powershell command with the correct thumbprint of the wildcard certificate as it is said on the event viewer :

"Enable-ExchangeCertificate -Server "EX01-2019" -Thumbprint A6BC992FDD... -Services SMTP,IMAP,IIS -Force"

But it still don't work, when i check the certificate, only the service IIS is active. I had to uninstall completely the exchange server, because users were complaining about the pop up.

Have anyone faced this problem before?

Thank you very much

Answer 1

Hi @Daniel,

Welcome to Microsoft Q&A, and thank you very much for reaching out.

Please note that Microsoft Q&A is a peer‑to‑peer forum, not Microsoft Support. I don’t have access to your environment and my testing is limited, so I can only assist based on available documentation and resources. That said, I’ll do my best to help.

For the migration itself, I recommend following Microsoft’s guidance for moving from Exchange Server 2013 to Exchange Server 2019. This ensures that namespaces, certificates, and coexistence are configured according to Microsoft’s best practices.

Regarding the SMTP behavior you’re seeing, I wasn’t able to find any documentation that mentions this specific scenario. However, the pop-up message and the Event Viewer entries indicate an import or permission‑related issue. Exchange certificates must be imported using the correct cmdlets so the appropriate permissions, such as those required for the Network Service account used by transport services are applied.

I suggest checking the Exchange 2013 wildcard certificate thumbprint using Get‑ExchangeCertificate, exporting it as a PFX using Export‑ExchangeCertificate, and then importing it into Exchange 2019 following this Microsoft’s documentation. After that, run Enable‑ExchangeCertificate again.

When you import that PFX into Exchange 2019 using the appropriate Exchange cmdlets, Exchange applies the required permissions automatically. When you run Enable‑ExchangeCertificate, Exchange 2019 assigns that certificate to the relevant services so SMTP, IIS, and other Exchange components can use it properly.

Finally, you may also want to post this thread on the Microsoft Tech Community. It’s an excellent place for in‑depth technical discussions and insights from people with hands‑on experience. They’re best positioned to provide guidance and valuable insights on this topic.

I hope this helps.

---

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Thanks for your answer Kha-n, i already followed the microsoft documentation to export and import the exchange certificate, but it didn't changes anything, but as you said, I think I will try to post my thread on this website https://techcommunity.microsoft.com/