This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 39%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZ%3C/text%3E%3C/svg%3E)
Hello,
We have installed a replacement certificate in Exchange 2019 and have assigned all of the services to the new certificate.
We just need a way to temporarily unbind the old certificate from the Exchange services so that we can test before we completely remove the existing certificate.
I cannot find a way to simply unbind those services like SMTP, etc from the old certificate. in EAC its all greyed out and I can't find CMDlet to do this in exchange management shell.
Can anyone tell me how I can just unbind IMAP, POP, SMTP from a certificate without deleting it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @ZCT ,
Can anyone tell me how I can just unbind IMAP, POP, SMTP from a certificate without deleting it?
Agree with Andy that it's not feasible to remove the existing services from a certificate.
Now that you've already assigned all of the services to the new certificate, theoratically the new certificate is being used for the services. To validate this, you can use the method as mentioned by Andy or running the command below to see if the output is showing the thumbprint of the new certificate:
Get-Transportservice | Select InternalTransportCertificateThumbprint
With this confirmed, you can proceed to remove the old certificate.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @ZCT ,
Just checking in to follow up with this thread. Please let us know if the provided suggestion is helpful or if you need any further assistance.
You can't without removing the cert
Some will tell you to run:
enable-exchangecertificate -Services $null
but that doesnt work.
What you can do is enable protocol logging and you should see the clients using the new cert.
For SMTP for example:
https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging?view=exchserver-2019
Enable on the connectors and check the SMTP protocol logs, it will show the certificate used
