Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Use the Remove-ExchangeCertificate cmdlet to remove an existing certificate from the local certificate store. If the certificate is a Simple Mail Transfer Protocol (SMTP) Transport Layer Security (TLS) certificate that is also stored in the Active Directory directory service, the copy stored in Active Directory is removed as well when you run this command.


There are many factors to consider when you configure certificates for TLS and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, see Certificate Use in Exchange Server 2007.


Syntax

Remove-ExchangeCertificate -Thumbprint <String> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-WhatIf [<SwitchParameter>]]

Detailed Description

To run the Remove-ExchangeCertificate cmdlet, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

To run the Remove-ExchangeCertificate cmdlet on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.


If you want to replace the internal transport certificate for the server with another certificate for the same server fully qualified domain name (FQDN), you cannot remove the certificate while it is still in use. Create the new certificate for the server FQDN first, and only then remove the old certificate.
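The rollover described above, as an added example that is not part of the original page: it locates the certificate currently enabled for SMTP for this server's FQDN, creates the replacement first, verifies that the replacement is enabled for SMTP, and only then removes the old certificate by thumbprint. It assumes the Exchange 2007 Management Shell, and it uses Get-ExchangeCertificate and New-ExchangeCertificate (with the -DomainName, -Services and -FriendlyName parameters as in Exchange 2007 SP1), which this page does not cover.

```powershell
# Added example, not from the original page: replace this server's internal
# transport certificate with a new certificate for the same FQDN, then remove
# the old one. Assumes the Exchange 2007 Management Shell. Get-ExchangeCertificate
# and New-ExchangeCertificate are Exchange 2007 cmdlets the page does not cover.

$fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName

# 1. Locate the certificate that is currently enabled for SMTP for this FQDN.
$old = @(Get-ExchangeCertificate | Where-Object {
    ($_.Services -match "SMTP") -and
    (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn)
}) | Sort-Object NotAfter | Select-Object -First 1
if (-not $old) { throw "No SMTP-enabled certificate found for $fqdn." }
Write-Host ("Current transport certificate: {0}, expires {1}" -f $old.Thumbprint, $old.NotAfter)

# Refuse to touch a certificate that other services (IIS, POP, IMAP, UM) still use;
# removing it would break those endpoints, not just SMTP.
if (([string]$old.Services) -ne "SMTP") {
    throw ("Certificate is also enabled for: {0}. Re-point those services first." -f $old.Services)
}

# 2. Create the replacement first. A new certificate created with -Services SMTP
#    is enabled for SMTP; -Confirm:$false suppresses the "overwrite existing
#    default SMTP certificate" prompt (assumed behaviour of Exchange 2007 SP1).
$new = New-ExchangeCertificate -DomainName $fqdn -Services SMTP `
    -FriendlyName ("Transport {0} {1:yyyy-MM-dd}" -f $fqdn, (Get-Date)) -Confirm:$false

# 3. Verify the new certificate is enabled for SMTP before removing anything.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if (($check.Services -notmatch "SMTP") -or ($check.Thumbprint -eq $old.Thumbprint)) {
    throw "New certificate is not enabled for SMTP; leaving the old certificate in place."
}

# 4. Preview, then remove the old certificate. If it was the SMTP TLS certificate
#    stored in Active Directory, that copy is removed along with it.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -WhatIf
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
```

The Services check before step 2 is the part worth keeping even if you script this differently: Remove-ExchangeCertificate does not warn that a certificate is still bound to IIS, POP, IMAP or Unified Messaging, so removing a shared certificate silently breaks those endpoints.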


Parameters

Thumbprint (Required, String)
Use this parameter to specify the thumbprint of the certificate that you are removing. Each certificate has a thumbprint, which is the digest of the encoded certificate data (on Windows, the SHA-1 hash of the certificate).

Confirm (Optional, SwitchParameter)
The Confirm parameter causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm parameter.

DomainController (Optional, Fqdn)
To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command. The DomainController parameter is not supported on computers that run the Edge Transport server role. The Edge Transport server role writes only to the local Active Directory Application Mode (ADAM) instance.

WhatIf (Optional, SwitchParameter)
The WhatIf parameter instructs the command to simulate the actions that it would take on the object. By using the WhatIf parameter, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf parameter.


Example

This example uses the Remove-ExchangeCertificate command to remove a certificate with the specified thumbprint.

Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e
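The one-line example above removes whatever certificate the thumbprint names. As an added example that is not part of the original page, the following script goes further and removes only certificates that have already expired and are not enabled for any Exchange service, previewing each removal with -WhatIf before the real call. It assumes the Exchange 2007 Management Shell and uses Get-ExchangeCertificate, an Exchange 2007 cmdlet this page does not cover; the $remove switch is a variable introduced here for illustration.

```powershell
# Added example, not from the original page: remove certificates that have
# expired and that no Exchange service is enabled for. Assumes the Exchange 2007
# Management Shell; Get-ExchangeCertificate is an Exchange 2007 cmdlet the page
# does not cover. Set $remove to $true only after reviewing the -WhatIf output.

$remove = $false
$now = Get-Date

# Only certificates with Services = None are candidates: removing a certificate
# that is still bound to SMTP, IIS, POP, IMAP or UM breaks that endpoint.
$expiredUnused = @(Get-ExchangeCertificate | Where-Object {
    ($_.NotAfter -lt $now) -and (([string]$_.Services) -eq "None")
})

if ($expiredUnused.Count -eq 0) {
    Write-Host "No expired, unused certificates to remove."
}

foreach ($cert in $expiredUnused) {
    # Thumbprints are 40 hex characters; anything else means a mangled value.
    if ($cert.Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        Write-Warning ("Skipping certificate with unexpected thumbprint: {0}" -f $cert.Thumbprint)
        continue
    }
    Write-Host ("Candidate: {0}  Subject: {1}  Expired: {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
    # Simulate first so the action is visible even when $remove is $false.
    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -WhatIf
    if ($remove) {
        Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
    }
}
```

Run it once with $remove left at $false, read the "What if" lines, and only then flip the variable. On an Edge Transport server run it as a member of the local Administrators group and leave out -DomainController, which that role does not support.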