dilannanayakkara-8008 asked LydiaZhou-MSFT answered

Unable to delete old Exchange SSL certificate

Hi All,

I have imported and installed a new SSL certificate on our Exchange server, then ran the HCW wizard and selected the new certificate for the send connector. However, when I tried to delete the previous certificate, the error message below popped up. One thing is that the previous certificate is also valid till 25/11/2020 and we have renewed early, but I think it won't be a problem to delete the previous one since we have already installed a new certificate. We have only one Exchange server in our environment.

I would appreciate it if anyone can help resolve this.


Thanks,
Dilan



AndyDavid answered AndyDavid edited

Hi there, I have seen that many times!

The solution is to open the local certificate store on the Exchange server for the local computer.
Type at the RUN Menu:
certlm.msc


https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in


Find the OLD cert that you want to remove under the "Personal" container and delete it from there by right-clicking on it and choosing Delete. Make sure you choose the old one (verify by date and thumbprint).
After that, do an IISRESET to ensure it's removed and you are good.





Hi AndyDavid,

Thank you very much for your reply.

How do I make completely sure it won't impact the mail flow? I have this concern because the error message basically says that the certificate is still bound to the send connector.

Thanks,
Dilan

AndyDavid, replying to dilannanayakkara-8008:

It's a funky error. You assigned SMTP to the services to that cert and ran the HCW, right?

In that case you can remove the old. The Subject and Issuer are probably the same as the new cert, right? That's what confuses the GUI and throws that error.

The easy way to see what cert is being used is to look at the SMTP protocol logs.
So for that send connector:
Enable logging if it's not already:

https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging?view=exchserver-2019#use-the-eac-to-enable-or-disable-protocol-logging-on-a-connector

Then look in the logs at %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend and see what cert it's using. It will show the cert thumbprint in the logs.
Do a search for the new thumbprint in the logs and you should see it listed for these connections.




LydiaZhou-MSFT answered

@dilannanayakkara-8008

Agree with AndyDavid. Since you have assigned the new certificate to the POP, IMAP, IIS and SMTP services, and if you have also re-run HCW, the mail flow should work well with the new certificate. You can remove the old cert from the Personal store, then try to delete the old certificate again.


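The check AndyDavid describes in the thread above (confirm from the SmtpSend protocol logs which thumbprint the send connector is presenting before the old certificate is deleted), written out as an added example that is not from any of the posters. The two thumbprint values are placeholders and the two-day lookback is an assumption; it is meant for the Exchange Management Shell on the Exchange server, with protocol logging already enabled on the connector.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Placeholders: paste the real thumbprints shown by Get-ExchangeCertificate.
$OldThumbprint = '<OLD-CERT-THUMBPRINT>'
$NewThumbprint = '<NEW-CERT-THUMBPRINT>'
$Thumbprints   = $OldThumbprint, $NewThumbprint
$LookbackDays  = 2   # assumption: covers the time since the new cert was assigned

# 1. Show both certificates side by side. Subject and Issuer may be identical,
#    so the thumbprint and NotAfter date are what tell them apart.
Get-ExchangeCertificate |
    Where-Object { $Thumbprints -contains $_.Thumbprint } |
    Format-List Thumbprint, Subject, Issuer, NotAfter, Services

# 2. Show each send connector's logging level and the certificate name it uses.
Get-SendConnector |
    Format-List Name, ProtocolLoggingLevel, TlsCertificateName

# 3. Search the recent SmtpSend protocol logs for each thumbprint.
$LogDir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\Hub\ProtocolLog\SmtpSend'
$RecentLogs = @(Get-ChildItem -Path $LogDir -Filter '*.log' |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$LookbackDays) })

if ($RecentLogs.Count -eq 0) {
    Write-Warning "No SmtpSend logs newer than $LookbackDays day(s) in $LogDir"
}

$Report = foreach ($Thumbprint in $Thumbprints) {
    # -SimpleMatch treats the thumbprint as a literal string, not a regex.
    $Hits = @($RecentLogs | Select-String -Pattern $Thumbprint -SimpleMatch)
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Hits       = $Hits.Count
        LastFile   = if ($Hits.Count) { $Hits[-1].Filename } else { $null }
        LastLine   = if ($Hits.Count) { $Hits[-1].Line }     else { $null }
    }
}
$Report | Format-List
```

Recent hits for the new thumbprint and none for the old one after the switch match what the thread says to look for; hits for the old thumbprint on fresh log lines mean the connector is still presenting it.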