Exchange 2016 SSL Cert binding

Question

Exchange 2016 SSL Cert binding

PaulH 41

Recently added a public SSL Cert to an Exchange 2016 server however the server doesn't want to let go of the self assigned cert for SMTP.

Via EMC I've assigned the new cert to SMTP and IIS. Now there are checks in the boxes however the boxes are grayed out. Not a big deal since that's what I want.
However, also in EMC the default self assigned cert has grayed out check boxes for SMTP, IMAP, POP, and IIS. I don't care about IMAP and POP but I want this removed from SMTP and IIS but I can't uncheck them in EMC.

In EMS I list the certs to get their thumbprints with "Get-ExchangeCertificate" then run the following command:

Enable-ExchangeCertificate -Services None -Thumbprint <SSL Cert Thumbprint>

It appears to execute properly, there are no errors however when I refresh or even reload EMC the self assigned cert is still bound to those services.

When I use the Digicert tool to see what's being presented IIS shows the public cert but SMTP is still using the self assigned cert.

Do I have to completely remove (delete) the self assigned cert to get this working properly or is there something else that I am missing?

Kael Yao 37,746 Reputation points Moderator

2022-02-11T02:26:19.48+00:00
Hi @PaulH

It is not possible remove the service from a certificate.
To change the certificate of the service, you may need to assign another certificate to the service.

Though you may see a certificate has IIS/SMTP service, it doesn't necessarily mean currently IIS/SMTP is using this certificate.
As you mentioned in the post, from the result of Digicert tool, you can see IIS is using the public cert.

The self-signed certificate, however, is usually bound to IIS Exchange Back End port 444 and SMTP service.

IIS service:
You may check it in IIS>Exchange Back End>Edit Bindings>https port 444>SSL certificate

SMTP service:
First run this command to get the thumbprint of the current SMTP certificate:

Get-TransportService | fl InternalTransportCertificateThumbprint

Then compare the thumbprint with the result of this command:

Get-ExchangeCertificate | fl friendlyname,thumb*

If the certificate is used by the service, you may need to renew it.
PaulH 41 Reputation points

2022-02-11T14:58:49.26+00:00

This is a relatively new install of Exchange 2016 so all the certs are valid. The public cert has one more year before it needs to be renewed.

When I run your commands this is what I get:

[PS] C:\Windows\system32>Get-TransportService | fl InternalTransportCertificateThumbprint
Creating a new session for implicit remoting of "Get-TransportService" command...

InternalTransportCertificateThumbprint : CertThumbprint 1

InternalTransportCertificateThumbprint : CertThumbprint 1

InternalTransportCertificateThumbprint : CertThumbprint 1

[PS] C:\Windows\system32>Get-ExchangeCertificate | fl friendlyname,thumb*

FriendlyName : Microsoft Exchange Server Auth Certificate
Thumbprint : CertThumbprint 2

FriendlyName : Microsoft Exchange
Thumbprint : CertThumbprint 3

FriendlyName : WMSVC-SHA2
Thumbprint : CertThumbprint 4

FriendlyName : CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Thumbprint : CertThumbprint 1

On the Ex2010 servers when I hit them with that Digicert tool SMTP returns the public cert. NOT the self assigned cert which is valid (had to be renewed a year or so ago).

Do I just delete the self assigned cert?
Kael Yao 37,746 Reputation points Moderator

2022-02-17T09:28:04.63+00:00

Hi,

As Andy mentioned, the self-signed certificate would still be used by SMTP service.
So better not delete it.
Kael Yao 37,746 Reputation points Moderator

2022-02-22T09:07:37.85+00:00

Hi @PaulH

I am writing here to confirm with you how thing going now?
Please let us know if you would like further assistance.

2 answers

Your answer

Kael Yao 37,746 Reputation points Moderator

2022-02-11T02:26:19.48+00:00

Hi @PaulH

It is not possible remove the service from a certificate.
To change the certificate of the service, you may need to assign another certificate to the service.

Though you may see a certificate has IIS/SMTP service, it doesn't necessarily mean currently IIS/SMTP is using this certificate.
As you mentioned in the post, from the result of Digicert tool, you can see IIS is using the public cert.

The self-signed certificate, however, is usually bound to IIS Exchange Back End port 444 and SMTP service.

IIS service:
You may check it in IIS>Exchange Back End>Edit Bindings>https port 444>SSL certificate

SMTP service:
First run this command to get the thumbprint of the current SMTP certificate:

Get-TransportService | fl InternalTransportCertificateThumbprint

Then compare the thumbprint with the result of this command:

Get-ExchangeCertificate | fl friendlyname,thumb*

If the certificate is used by the service, you may need to renew it.
PaulH 41 Reputation points

2022-02-11T14:58:49.26+00:00

This is a relatively new install of Exchange 2016 so all the certs are valid. The public cert has one more year before it needs to be renewed.

When I run your commands this is what I get:

[PS] C:\Windows\system32>Get-TransportService | fl InternalTransportCertificateThumbprint
Creating a new session for implicit remoting of "Get-TransportService" command...

InternalTransportCertificateThumbprint : CertThumbprint 1

InternalTransportCertificateThumbprint : CertThumbprint 1

InternalTransportCertificateThumbprint : CertThumbprint 1

[PS] C:\Windows\system32>Get-ExchangeCertificate | fl friendlyname,thumb*

FriendlyName : Microsoft Exchange Server Auth Certificate
Thumbprint : CertThumbprint 2

FriendlyName : Microsoft Exchange
Thumbprint : CertThumbprint 3

FriendlyName : WMSVC-SHA2
Thumbprint : CertThumbprint 4

FriendlyName : CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Thumbprint : CertThumbprint 1

On the Ex2010 servers when I hit them with that Digicert tool SMTP returns the public cert. NOT the self assigned cert which is valid (had to be renewed a year or so ago).

Do I just delete the self assigned cert?
Kael Yao 37,746 Reputation points Moderator

2022-02-17T09:28:04.63+00:00

Hi,

As Andy mentioned, the self-signed certificate would still be used by SMTP service.
So better not delete it.
Kael Yao 37,746 Reputation points Moderator

2022-02-22T09:07:37.85+00:00

Hi @PaulH

I am writing here to confirm with you how thing going now?
Please let us know if you would like further assistance.

Answer 1

Andy David - MVP 157.4K MVP Volunteer Moderator

Yea, thats normal. The Backend "Exchange Server" certificate ( I think thats the one you are referring to), is bound to the backed IIS site so you dont want to remove and its ok if its set for SMTP as well. If things are working as expected, then you should be good to go!

That command , well, it does nothing really :) Enable-ExchangeCertificate -Services None -Thumbprint <SSL Cert Thumbprint>

More from my blog post:
https://ehloergosum.com/2020/01/25/renewing-that-pesky-microsoft-exchange-certificate/

PaulH 41 Reputation points

2022-02-11T15:26:17.957+00:00

Thanks. Maybe I'm missing something here but the IIS side of things responds with the public cert. It's the SMTP side that isn't. And as I understand it for the migration to Exchange Online I need a public cert on the SMTP side as well to make things work right.
Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator

2022-02-11T18:49:09.007+00:00

A Subject name on the 3rd party cert used for hybrid needs to match the FQDN set on the send connector for hybris. Is that the case?

Do not delete that self-signed built in Exchange cert :)
PaulH 41 Reputation points

2022-02-11T19:01:35.12+00:00

Does that mean that a wildcard cert cannot be used with Exchange 2016?
Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator

2022-02-11T19:12:49.267+00:00

Yes its supported:
https://learn.microsoft.com/en-us/Exchange/architecture/client-access/certificates?redirectedfrom=MSDN&view=exchserver-2019#best-practices-for-exchange-certificates

The match can be made on a wildcard subject name.

How are you determining that its not working for SMTP?
PaulH 41 Reputation points

2022-02-11T20:28:53.483+00:00

SMTP is working but when the Digicert tool queries port 25 for SSL the default self assigned cert is what the server responds with.

Answer 2

So when you enter the host name in the checker, it connects to the receive connector and then Exchange looks for a cert that matches the FQDN, thats why you are seeing this.
Old doc, but still applies:
https://learn.microsoft.com/en-us/previous-versions/office/exchange-server-2007/bb430748(v=exchg.80)

And, thats ok! Opportunistic TLS isnt looking to trust the cert, its only to see if you have a cert.

With hybrid SMTP inbound connections, when you run the wizard, you will ask what cert to use ( choose the 3rd party one) and the wizard will bind that to the right connector with the Tls Subject and Issuer

Share via

Exchange 2016 SSL Cert binding

2 answers

Your answer