Replace Receive Connector TLS Certificate

ComputerHabit 826 Reputation points
2022-04-13T14:08:10.67+00:00

I have Event ID 12018 MSExchangeTransport

The STARTTLS certificate will expire soon: subject: server.domain.com, thumbprint: E007AB795B4E288FB9E650E5C013C19D10198DA8, hours remaining: 1990. Run the New-ExchangeCertificate cmdlet to create a new certificate.

I am working to update the certificate. The certificate is specific to one connector as far as I can tell.

This connector is only for internal sending so we are using an internal CA for the cert. I've created a new certificate and it is installed on the server and available in Get-ExchangeCertificate.

Where I am hitting a roadblock is I want to add the cert but only where it is needed.

Using this command seems wrong; it prompts to replace other certs.

Enable-ExchangeCertificate -Thumbprint 0CB5EA71DF9CAD5FE68B20E6BC518790EECB73C4 -Services SMTP

So if this isn't it then maybe it is just updating the connector.

When I go to the list of connectors I can find the connector but it doesn't show the certificate is used.

RequireTLS : False
TlsCertificateName :
AuthMechanism : Tls, ExternalAuthoritative

If the connector is not set up for TLS and the certificate is not specifically named, how do I replace the expiring certificate? Why is it working right now?

I think in the past I updated this and did it wrong, saying Yes to Enable-ExchangeCertificate for SMTP. Since the cert had DNS entries that are different from our regular domains, mail started to fail. I had to go back and re-enable the right cert using the same command to get it working again.

I'm trying to avoid this mistake again.


Accepted answer
Andy David - MVP 143.6K Reputation points MVP
2022-04-13T14:24:53.047+00:00

Yeah, you won't see anything for "TlsCertificateName" unless you are using this for a secure TLS connection to a partner or another forest. It will work fine leaving that blank.
When prompted to overwrite, I always say NO.
Then once it's installed and enabled for SMTP, Exchange will just use it, since it's newer, for those connections using the subjects on the cert.

You can verify that it's using the new cert with protocol logging.
Enable it on the connector and check the logs, searching for the new thumbprint of the cert:
https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging?view=exchserver-2019

Once you see it's using the new cert, you can remove the old one (assuming it's not used for IIS, POP, IMAP).

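The rotation and verification sequence from the accepted answer, written out as an added example (not code posted by either participant). It uses the two thumbprints quoted in the thread; the connector identity and the assumption that the server's own protocol log path is the one to search are mine.

```powershell
# Added example: rotate the STARTTLS cert on one receive connector without
# overwriting the default SMTP certificate, then prove the new cert is in use
# from the protocol logs before the old one is removed.
$OldThumb  = 'E007AB795B4E288FB9E650E5C013C19D10198DA8'   # expiring cert from Event 12018
$NewThumb  = '0CB5EA71DF9CAD5FE68B20E6BC518790EECB73C4'   # replacement from the internal CA
$Connector = 'SERVER\Internal Relay'                        # assumed connector identity

# 1. Confirm both certs are present and see what services each is bound to.
Get-ExchangeCertificate |
    Where-Object { ($OldThumb, $NewThumb) -contains $_.Thumbprint } |
    Format-Table Thumbprint, Services, NotAfter, Subject, CertificateDomains -AutoSize

# 2. Enable the new cert for SMTP. When asked to overwrite the existing default
#    SMTP certificate, answer NO: the new cert is then selected by subject/SAN
#    match for connections that use it, and the default cert stays untouched.
Enable-ExchangeCertificate -Thumbprint $NewThumb -Services SMTP

# 3. Turn on verbose protocol logging on that connector and find its log folder.
#    Front-end connectors log under the FrontendTransport service, hub/mailbox
#    connectors under the Transport service.
Set-ReceiveConnector -Identity $Connector -ProtocolLoggingLevel Verbose
$Role = (Get-ReceiveConnector -Identity $Connector).TransportRole
$LogPath = if ($Role -eq 'FrontendTransport') {
    (Get-FrontendTransportService -Identity $env:COMPUTERNAME).ReceiveProtocolLogPath
} else {
    (Get-TransportService -Identity $env:COMPUTERNAME).ReceiveProtocolLogPath
}

# 4. After some mail has flowed, search the receive logs for the new thumbprint.
#    Hits here mean the TLS handshake on this connector presented the new cert.
Get-ChildItem -Path "$LogPath" -Filter '*.log' |
    Select-String -Pattern $NewThumb -SimpleMatch |
    Select-Object -First 5 Filename, LineNumber, Line

# 5. Only once the new thumbprint appears, and the old cert is not bound to
#    IIS/POP/IMAP (check the Services column from step 1), remove the old cert.
#    Left commented so the script cannot remove anything unintentionally.
# Remove-ExchangeCertificate -Thumbprint $OldThumb
```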

1 additional answer
ComputerHabit 826 Reputation points
2022-04-13T14:35:15.817+00:00

Oh, so I would just run the command and hit No.

    Enable-ExchangeCertificate -Thumbprint 0CB5EA71DF9CAD5FE68B20E6BC518790EECB73C4 -Services SMTP

    That worked.

I feel like I've done this before and it was counter-intuitive. I'm not being specific, so it feels wrong.
