Remove Expired Certificate

Using Exchange 2013 CU4.

We have one Digicert certificate for SMTP, IIS and IMAP that expires in a couple of days. We have already installed the new Digicert certificate for the same Services and it did prompt us to overwrite the existing SMTP certificate during installation. We have not restarted the server or any transport services.

We have done some research but have read about different methods of removing the old certificate (EAC versus Shell).

What are the proper steps to remove the expiring certificate, including service restarts, etc.?

Thank you!

August 17th, 2015 11:15am

Hello,

Removing the expired Exchange certificate is an easy task when you do it from PowerShell. Follow these steps:

1. Identify the certificate to be removed: Run the following PowerShell cmdlet and note the 'Thumbprint' of the certificate.

Get-ExchangeCertificate

If you have difficulty getting the exact thumbprint from the above cmdlet, type Get-ExchangeCertificate | fl

2. Remove the certificate. Substitute the exact thumbprint in the cmdlet below. When prompted for confirmation, press Y to proceed.

Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e

August 17th, 2015 11:23am
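
A pre-removal check for the steps in the reply above, as an added example that is not part of the original thread: it confirms that every service bound to the old certificate is also bound to another, unexpired certificate before anything is removed. The function name Test-CertSafeToRemove, the placeholder thumbprints and the sample objects are constructed for illustration; only Get-ExchangeCertificate, Remove-ExchangeCertificate and their Thumbprint, Services and NotAfter properties come from Exchange.

```powershell
# Added example: decide whether an old Exchange certificate can be removed.
# Rule: each service on the old certificate must also be enabled on another
# certificate that has not expired.
function Test-CertSafeToRemove {
    param(
        [Parameter(Mandatory)] [object[]] $Certificates,   # e.g. output of Get-ExchangeCertificate
        [Parameter(Mandatory)] [string]   $OldThumbprint,
        [datetime] $Now = (Get-Date)
    )
    $old = $Certificates | Where-Object { $_.Thumbprint -eq $OldThumbprint }
    if (-not $old) { throw "No certificate with thumbprint $OldThumbprint" }

    # Services is a flags value; as a string it reads like "IMAP, IIS, SMTP".
    $split = {
        param($s)
        "$s" -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -ne 'None' }
    }

    # Services carried by any other certificate that is still valid.
    $covered = $Certificates |
        Where-Object { $_.Thumbprint -ne $OldThumbprint -and $_.NotAfter -gt $Now } |
        ForEach-Object { & $split $_.Services } | Sort-Object -Unique

    $uncovered = @(& $split $old.Services | Where-Object { $covered -notcontains $_ })

    [pscustomobject]@{
        Thumbprint        = $OldThumbprint
        Expires           = $old.NotAfter
        UncoveredServices = $uncovered
        SafeToRemove      = ($uncovered.Count -eq 0)
    }
}

# Constructed sample objects using the property names Get-ExchangeCertificate returns.
$sample = @(
    [pscustomobject]@{ Thumbprint = 'OLD-THUMBPRINT-PLACEHOLDER'; Services = 'IMAP, IIS, SMTP'; NotAfter = [datetime]'2015-08-20' }
    [pscustomobject]@{ Thumbprint = 'NEW-THUMBPRINT-PLACEHOLDER'; Services = 'IMAP, IIS, SMTP'; NotAfter = [datetime]'2017-08-30' }
)
Test-CertSafeToRemove -Certificates $sample -OldThumbprint 'OLD-THUMBPRINT-PLACEHOLDER' -Now ([datetime]'2015-08-17')

# In the Exchange Management Shell, use live data and preview the removal first:
#   $r = Test-CertSafeToRemove -Certificates (Get-ExchangeCertificate) -OldThumbprint '<thumbprint>'
#   if ($r.SafeToRemove) { Remove-ExchangeCertificate -Thumbprint $r.Thumbprint -WhatIf }
```

Drop -WhatIf once the preview shows the intended certificate; if UncoveredServices is not empty, assign those services to the new certificate before removing the old one.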

Thank you.

Is there any reason not to use the EAC or is it just not possible to do the removal there?

Should we restart Transport services before removing the old (to activate the new?) or after removal?

August 17th, 2015 11:43am

Removing from EAC is also fine! You may select either of the options (EAC/EMS). As you mentioned in the first post, the certificate is already overwritten. The only thing pending is to restart the IIS service after replacing with the new certificate. No need to restart any service as a requirement for removing the old certifi
August 17th, 2015 11:49am

First - Exchange 2013 CU4 (aka SP1) is very old. You should update your server as soon as possible. You are over 18 months out of date.

For the built-in certificate, I always do the same thing:

new-exchangecertificate

no further prompts or switches. That will prompt you to overwrite the default SMTP certificate.

Your Digicert certificate is not suitable for use as the default SMTP certificate because it cannot contain the server's real name. Therefore you need to continue to use an internally generated certificate for that purpose.

Then remove the old one using remove-exchangecertificate

Simon.

August 17th, 2015 1:23pm

We do plan to update the server this week. Thanks.

Since beginning to use this Exchange Server 12 months ago, we have successfully used a Digicert certificate for SMTP (for 1 year), so I do not know what you mean about having to use a built-in certificate?

Can you please clarify?

Here is our certificate listing - the one expiring 8/30/2017 is our new one:

August 17th, 2015 1:32pm

If you run get-exchangecertificate you will probably find that you have two certificates with the SMTP service enabled. One will be your trusted certificate, the other one will be an internal certificate. That will most likely match the certificate that is listed with the name "Microsoft Exchange".

However it appears from your list that the certificate doesn't expire until 2019, so you don't need to worry about it.

Simon.

August 17th, 2015 2:03pm

Hi,

I have noticed you installed the new third-party certificate and assigned related services.

We can use PowerShell or EAC to remove the expired certificate.

You can refer to the links below to get more detailed information:

https://technet.microsoft.com/en-us/library/jj984582(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/aa997569(v=exchg.150).aspx

Regards,

David 


August 17th, 2015 10:36pm

August 18th, 2015 2:34am

This topic is archived. No further replies will be accepted.
