Correct way to remove smtp services from certificate

Hi

We have an Exchange 2013 Std single server environment. We have an external GoDaddy certificate already assigned to the IIS & SMTP services. However, the server is failing a PCI scan for the reason that a self-signed certificate is also assigned to the SMTP service and this certificate is being returned in favour of the real certificate. In the Exchange web console the services for the self-signed certificate are greyed out and cannot be unticked. What is the correct way of removing these services? The self-signed certificates that have these services bound are:

Microsoft Exchange

Microsoft Exchange Server Auth Certificate.

I'm assuming that these certificates need to be retained for other aspects of exchange 2013 to work.

Thanks

June 19th, 2015 9:39am

Hi Roger,

If you are okay to use a self-signed certificate, generate a new one and assign the services to it. Services will be automatically removed from the GoDaddy one.

Yes, there are some self-signed certificates used by the Exchange backend to communicate internally, hence don't remove them. They are automatically created when you install Exchange.

Create a digital certificate request

https://technet.microsoft.com/en-us/library/bb125165(v=exchg.150).aspx

Follow the certificate assignment part from this one:

https://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2013.htm

June 19th, 2015 12:10pm

Satyajit

I want to keep the real GoDaddy certificate and remove the services for SMTP from the self-signed certificate. From what I gather looking at the forums, the only way of doing this is to export the self-signed certificate, then remove the self-signed certificate and then re-import it and not assign it to the SMTP service. Does anybody know if this is the correct procedure?

Roger

June 20th, 2015 4:53am

Hi Roger,

Thank you for your question. 

We could use the following command to check if we get the self-signed certificate:

Get-ExchangeCertificate 

If we could get the Exchange self-signed certificate, we could use the following command to disable the SMTP service on the self-signed certificate:

Disable-ExchangeCertificate -Thumbprint xxxxxx -Service SMTP

Then we could wait for AD replication, then check if the issue persists.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 21st, 2015 11:03pm

Hi Roger,

As per my understanding, even if the certificates are shown to be assigned to some services, that doesn't necessarily mean they are used for those services live/currently.

When you import a new certificate and assign services to it, you would get a prompt (provided you have an old cert already in place) asking you to confirm overwriting existing certificates assigned to services, as shown here.

You can validate this by opening OWA and check the certificate presented to you.

The point is you don't need to remove the self-signed certificate which exchange generated for you.

Basically the Assigned Services will come into play when you are actually using the certificate.

For instance, the IIS->Default Web Site and IIS->Exchange Back End have separate binding certificates for SSL. When you view from EAC it just shows you the services assigned: IIS, SMTP. But what it doesn't tell you is that it's been used in two different places or it's been overwritten by a newer one already.

As explained in this article Checkboxes Greyed Out When Managing Services for an Exchange 2013 SSL Certificate:

Exchange 2013 will not allow you to disable/unassign an SSL certificate from a service that requires SSL. Instead, you should enable another SSL certificate to that service, which will automatically disable the existing one for you (for that specific service, not necessarily all services).

NOTE: If you want to remove the old GoDaddy certificate that is no longer in use, run the below cmdlet.

Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e

Similar issue:

Remove Services assigned to Exchange Certificate:

https://social.technet.microsoft.com/forums/exchange/en-US/15e79a3e-023e-456c-a021-1d8a24bc3b82/remove-services-assigned-to-exchange-certificate

June 21st, 2015 11:44pm
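An added example, not code from any poster in this thread, of the procedure Satyajit and Jim describe in the Exchange Management Shell: list the certificates and their assigned services, enable the GoDaddy certificate for SMTP so it displaces the self-signed one for that service, and verify afterwards. The subject name mail.example.com is an assumed placeholder, not a value from the thread.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2013 server.
# $subject is an assumed placeholder for the GoDaddy certificate's subject.
$subject = 'CN=mail.example.com'

# 1. Inventory: every certificate Exchange knows about and the services bound to it.
Get-ExchangeCertificate |
    Format-Table Thumbprint, Subject, Issuer, IsSelfSigned, Services, NotAfter -AutoSize

# 2. Select the third-party certificate by subject, excluding self-signed ones,
#    and stop with a clear error rather than enabling the wrong thumbprint.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $subject -and -not $_.IsSelfSigned }
if (-not $cert) {
    throw "No non-self-signed certificate with subject '$subject' was found."
}

# 3. Exchange 2013 does not let you untick SMTP on the self-signed certificate;
#    instead you enable another certificate for SMTP, which takes over that service.
#    -Force answers the "overwrite the existing default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Force

# 4. Verify which certificates now carry SMTP; the GoDaddy one must be among them.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, IsSelfSigned, Services -AutoSize

# 5. Exchange picks the certificate offered on port 25 by matching the receive
#    connector FQDN against the certificate names, so list the FQDNs to compare
#    them with the subject/SAN entries of the certificate enabled above.
Get-ReceiveConnector | Format-Table Identity, Fqdn, Bindings -AutoSize
```

If the scanner still reports the self-signed certificate after this, the receive connector FQDN listed in step 5 most likely does not match any name on the GoDaddy certificate.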

Hi

Would this just disable the certificate for use with the smtp service - all other functions would remain ?


Also, I don't see a 'Disable-ExchangeCertificate' PowerShell command in my Exchange 2013?
June 22nd, 2015 5:01am

The self-signed certificate IS being used for SMTP (tested) and I want to stop using this self-signed certificate for SMTP and start using the real GoDaddy one. I'm looking for the correct way to do this. Does anybody have an idea of how to do this?
June 22nd, 2015 7:57am

Hi Roger,

Please let me know if my earlier post made any sense; I'll try to explain more if you need so.

Use the below cmdlet to find the available PowerShell commands in your Exchange 2013:

Get-Command *-ExchangeCertificate

CommandType     Name
-----------     ----
Function        Enable-ExchangeCertificate
Function        Export-ExchangeCertificate
Function        Get-ExchangeCertificate
Function        Import-ExchangeCertificate
Function        New-ExchangeCertificate
Function        Remove-ExchangeCertificate

References:

Exchange certificate cmdlets:

https://technet.microsoft.com/en-us/library/dd351246(v=exchg.150).aspx

June 22nd, 2015 8:15am

Ok, so I basically followed the route I'd taken before on another Exchange server. For interest, if anybody is in the same position, what I did was go into IIS, assign the real certificate to the Exchange website, then remove / delete the Exchange self-signed cert (after an export, just in case). Run an iisreset and the real cert was now answering calls on the SMTP service. Why do you have to do this? Because if I didn't, the Exchange PowerShell and admin web portal stop working. Why MS do it this way is beyond me, however it seems to work. It doesn't seem the correct way though (why can we not just remove the SMTP service from that cert? It would be easier.....)

Roger

June 22nd, 2015 11:25am

Hi Roger,

Using IIS to directly assign works, but isn't the right way to do that. You should use EAC or EMS for Exchange related certificates.

Please let me know how you generated the certificate request for the certificate to begin with.

June 23rd, 2015 1:39am
