This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 12%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EF%3C/text%3E%3C/svg%3E)
Hello,
if I change on-premises Exchange 2013 3rd party certificate and than re-run HCW to attach this new certificate in hybrid enviroment does HCW only change this certificate information or does it change the whole configuration.
Im asking this because I have on premises send connector to O 365 disabled.I dont know why,but does re-running HCW change this connector to enabled or does it change only new certificate information?
It should stay disabled.
Note you could just replace the cert, assign SMTP to it and manually update the connectors. Its not required to run the Wizard.
[PS] C:\>$cert = Get-ExchangeCertificate -Thumbprint DE67EC3C8D679AA35D17678FEC51907272B1BAE2
[PS] C:\>$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
[PS] C:\>Set-ReceiveConnector "EX2016SRV1\HybridRecConnector" -TlsCertificateName $tlscertificatename
Then do the same for the send connector
Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $tlscertificatename
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 50%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBF%3C/text%3E%3C/svg%3E)
In addition to the above, I ran one further step to update the hybrid configuration
Set-HybridConfiguration -TlsCertificateName $tlscertificatename
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @fsdg ,
For HCW, renew certificate does not need to re-run the HCW. If you planning to use the certificate for the SMTP service and select the new certificate, then I suggest you re-run the HCW.
After you renew the certificate, you could run the commands provide by Andy to set the certificate bound to the sender connector. Then you could send test email to test the mail flow.
According to check the sender connector in my Exchange hybrid environment. Then send connector to Office 365 is enabled by default. If you need to run HCW, it is recommended that you run the following command line to view the existing HCW settings.
Get-HybridConfiguration
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
If you planning to use the certificate for the SMTP service and select the new certificate, then I suggest you re-run the HCW.
Is it posible SMTP on-premise to o 365 hybrid without certificate?
Not possible with hybrid - . 3rd party cert required
https://learn.microsoft.com/en-us/exchange/certificate-requirements
Hi @fsdg ,
When configuring a hybrid deployment, we must use and configure certificates that have purchased from a trusted third-party CA.
For more information: Certificate requirements for hybrid deployments
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @fsdg ,
Do suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Note you could just replace the cert, assign SMTP to it and manually update the connectors. Its not required to run the Wizard.
Thank you for advice.
I thought to do only this without HCW.
That will work.
Honestly, I never run the Wizard unless I need to setup or change the OAuth config.
You never know if something will get changed when its not supposed to.
If the Wizard enables that send connector, go back and disable as soon as you can :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 93%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
If Cert Issuer and Subject is same then only import new certificate and remove old cerificate will work?
I would add, if the subject on the cert changes you should rerun the HCW otherwise it should be ok.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 41%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHT%3C/text%3E%3C/svg%3E)
@Andy David - MVP can you confirm this please?
I have the same situation where my new TLS cert has a new Subject name and Cert Issuer than the older one and so when I ran your commands, the connectors are seeing no changes have been made to the TLSCertificateName.
I can't remove the older TLS Cert from EAC as well due to Exchange still seeing its name being used by the Send/Receive connectors.
Will I be able to just remove the older cert from the server's certificate store itself without breaking any connector's mail flow?
Thanks.