This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 98%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGD%3C/text%3E%3C/svg%3E)
I've replaced the certificate used for SMTP/IIS on Exchange servers a number of times, but I always installed and activated the certificate, as in checked the service boxes, as part of a single process and never had an issue. Today, someone else (my boss) decided to add a new certificate 3 days before the old one expired but did not select it for SMTP or IIS. We have a hybrid on prem/O365 setup, and as soon as the new cert was installed on the server email from our scanners (scan to email) and internal web portal stopped flowing to O365 where all of our user mailboxes are hosted.
I had to replace the old cert to get mail flowing again, even though the old cert was still valid.
Is this normal? It's the first time I have come across a new cert that has not been set to be used as the SMTP/IIS cert so I have no previous experience to say if this is how it works.
Yes, from what I have seen, this is expected.
This still applies :
https://techcommunity.microsoft.com/t5/exchange-team-blog/how-transport-selects-certificates-for-tls/ba-p/593741
I always enable for SMTP when installing any cert that could potentially be used for SMTP ( and Choose NO when asked to overwrite)
You can verify which cert is being used by looking the SMTP protocol logs
Thank you, that is just what I needed.
I would suggest you assign IIS and SMTP services to this certificate first. Then run "IISReset" command in CMD, after that rerun HCW to update hybrid configuration. At last, replace certificate on your devices.
If your device could support multiple certificates and identify which certificate is in use, you could replace certificate before assign services.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Let me clarify. We had a certificate set for IIS and SMTP, it still had 3 days to go before it expired. A new certificate was installed but no services were assigned, so in theory it should not have had any effect on mail flow.
However, as soon as this certificate was installed, SMTP service stopped working, mail was being received but sitting in the retry queue. IIS was still available, I was able to bring up the web page to log into mail and ECP was available.
As soon as I enabled SMTP on the new certificate mail began flowing again.
So, my question was not how do I fix a problem as I had already resolved the mail flow issue, the question was is this expected behavior when a new certificate is installed but does not have services enabled?