Dec 17 2020 06:17 AM - edited Dec 17 2020 06:18 AM
I have an Exchange in Hybrid Mode with O365.
After renewing the certificate (not self-signed, it's from Sectigo) I can't assign it to SMTP, and therefore I cannot assign it to the "Outbound to O365" Connector.
I am running Exchange Server 2016 CU18.
Steps to reproduce:
$Cert = Get-ExchangeCertificate -Thumbprint *example*
$tlscertname = "<i>$($Cert.Issuer)<s>$($Cert.Subject)"
$tlscertname
<i>CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB<s>CN=*.example.org
Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $tlscertname
Output:
Das angegebene Zertifikat ist nicht für das SMTP-Protokoll aktiviert. Nur Zertifikate, die für das SMTP-Protokoll aktiviert sind,
können für Sendeconnectors festgelegt werden. Um ein Zertifikat für SMTP zu aktivieren, verwenden Sie das Cmdlet
"Enable-ExchangeCertificate".
+ CategoryInfo : InvalidOperation: (Outbound to Office 365:ADObjectId) [Set-SendConnector], InvalidOperationException
+ FullyQualifiedErrorId : [Server=EXCHANGE2016,RequestId=5299e36d-0cfd-41b0-94a8-0ef459bd7034,TimeStamp=17.12.2020 14:10:50] [FailureCategory=Cmdlet-InvalidOperationException] 7B5AFD30,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector
+ PSComputerName : exchange2016.int.example.org
Alright, so I execute:
Enable-ExchangeCertificate -Thumbprint *example* -Services SMTP
This executes without any error or success message, but it does nothing.
The only cert with the SMTP role is:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Federation}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Federation
NotAfter : 19.11.2023 08:02:45
NotBefore : 19.11.2018 08:02:45
PublicKeySize : 2048
RootCAType : None
SerialNumber : *example*
Services : SMTP, Federation
Status : Valid
Subject : CN=Federation
Thumbprint : *example*
Assigning my cert to SMTP with the ECP doesn't do anything either.
I have tried a wildcard cert *.example.org and a cert with exactly the host's FQDN exchange2016.example.org; both don't work.
I also updated from CU 17 to CU 18, but that didn't help.
Dec 17 2020 10:50 AM
@lug-ms you should run HCW version 17.x (newest) and let the agent do the job. Certificate replacement requires re-running HCW, and this should then work without any problem.
Dec 17 2020 10:56 AM
Dec 17 2020 11:00 AM
@lug-ms are there other certificates bound to the SMTP service? If you run Get-ExchangeCertificate you should see all thumbprints and services (S stands for SMTP).
Dec 17 2020 11:02 AM
Yes, the federation certificate is bound to SMTP, which probably automatically happened when removing the old certificate from the server.
You can see more details about the federation cert in my starting post ;)
Dec 17 2020 11:07 AM
@lug-ms I didn't understand it because you said the only certificate that has SMTP is the Federation certificate, but then you mentioned that enabling the SMTP service on the new certificate has been successful. So this means there are two certificates with the SMTP service but the "real" one does not work for hybrid (error message), is this correct?
If yes, you can disable the SMTP service for the federation certificate and the new certificate, then just enable it for the new certificate again with the same cmdlet. To disable the SMTP service, you can run Enable-ExchangeCertificate -Services None -Thumbprint XXX
Dec 17 2020 12:37 PM - edited Dec 17 2020 12:37 PM
No I said enabling it for SMTP does NOT work.
I said the command executed without any return (which would be okay for a successful run), but it doesn't do anything. It's not enabling the cert for SMTP.
Dec 22 2022 06:18 AM - edited Jan 08 2023 11:32 PM
Summary:
Export your certificate including private key as .pfx and then re-import it either using Exchange Management Shell or ECP (not: MMC!).
Approved solution method:
a) [PS] $bincert = Export-ExchangeCertificate -BinaryEncoded -Thumbprint <Certificate Thumbprint> -Password (Get-Credential).password
b) [PS] [System.IO.File]::WriteAllBytes('C:\users\user\desktop\wildcard23.pfx', $bincert.FileData)
c) Delete the certificate from your computer using MMC
d) [PS] Import-ExchangeCertificate -Server <servername> -FileData ([System.IO.File]::ReadAllBytes('\\localhost\c$\users\user\desktop\wildcard23.pfx')) -Password (Get-Credential).password
Dec 22 2022 06:53 AM
Hello, it's Ahmed and I will try to help
It looks like you are trying to assign a TLS certificate to a send connector in your Exchange Server 2016, but are encountering an error message that says the specified certificate is not enabled for the SMTP protocol.
To enable a certificate for the SMTP protocol, you can use the Enable-ExchangeCertificate cmdlet as you mentioned. However, it appears that the cmdlet is not having the desired effect in your case.
One possible reason for this could be that the certificate you are trying to use is not a valid SMTP certificate. To be used for the SMTP protocol, a certificate must meet certain requirements, such as being issued by a trusted certificate authority (CA) and being associated with the domain that you want to use it for.
It's also possible that the certificate has already been enabled for the SMTP protocol, in which case you will not see any success message when running the Enable-ExchangeCertificate cmdlet.
One way to verify that the certificate is enabled for the SMTP protocol is to check the Services property of the certificate. You can do this by running the following command:
Get-ExchangeCertificate -Thumbprint *example* | Select-Object Services
This should display a list of the services that the certificate is enabled for. If SMTP is included in this list, then the certificate is already enabled for the SMTP protocol, and you should be able to use it for your send connector.
If the certificate is not enabled for the SMTP protocol, you can try enabling it again using the Enable-ExchangeCertificate cmdlet, as shown in your example. Make sure to include the -Services SMTP parameter to specify that you want to enable the certificate for the SMTP protocol.
If you continue to have issues after trying these steps, it may be helpful to check the event logs on your Exchange Server for any error messages or other clues that might help to diagnose the problem. You can also try contacting Microsoft support or consulting the Exchange Server documentation for further assistance.
Please let me know the result :)
Dec 29 2022 07:16 AM
Hello Ahmed,
I have the same issue as @lug-ms
I have two Exchange Server 2016 (CU23) in Hybrid Mode with O365. After renewing the certificate I can't assign it to the "Outbound to O365" Connector or any other Send Connector. I got the same error:
I try to enable the certificate (thumbprint 7AEE6646B5F788B61A2101A928B141C59A1EFC08):
You see, the certificate is not activated for SMTP, and trying to assign it to the Outbound Connector throws the same error.
Another view to the certificates of the server:
Only the Federation-certificate is activated for SMTP.
But when I try to activate another certificate for SMTP, I get this warning:
Is this a problem of the German version of Exchange Server?
How can I activate the new certificate for a Send Connector?
Nov 20 2023 05:00 AM
My problem was that I had installed two certificates with the same subject and the same issuer. The old (possibly expired) certificate must be deleted from Exchange at first.
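As an added example (not code from any poster in this thread), the following Exchange Management Shell script performs the checks the thread converges on before touching the Send Connector: it lists which certificates are bound to SMTP, flags certificates that share the same Issuer and Subject (the root cause named in the last post, and the pair Exchange uses to match TlsCertificateName), confirms the renewed certificate has a private key and the SMTP service, and only then applies it. The thumbprint and connector name are placeholders you must replace.

```powershell
# Added example: verify SMTP certificate binding on Exchange 2016 before assigning it to a Send Connector.
# Run in the Exchange Management Shell. <NEW-THUMBPRINT> is a placeholder for the renewed certificate's thumbprint.
$NewThumbprint = '<NEW-THUMBPRINT>'
$ConnectorName = 'Outbound to Office 365'

# 1. Show every certificate that currently has the SMTP service enabled.
#    A self-signed CN=Federation certificate appearing here is normal; it must not be the only one.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, Issuer, NotAfter, IsSelfSigned -AutoSize

# 2. Flag duplicates: two certificates with the same Issuer AND Subject (typically old and renewed cert).
#    TlsCertificateName is matched on <i>Issuer<s>Subject, so a duplicate pair makes the binding ambiguous.
$dupes = Get-ExchangeCertificate |
    Group-Object { "$($_.Issuer)|$($_.Subject)" } |
    Where-Object { $_.Count -gt 1 }
foreach ($g in $dupes) {
    Write-Warning 'Duplicate issuer/subject pair found:'
    $g.Group | Sort-Object NotAfter | Format-Table Thumbprint, NotAfter, Status -AutoSize
}
if ($dupes) {
    Write-Warning 'Remove the older/expired duplicate (Remove-ExchangeCertificate -Thumbprint <old>) before continuing.'
    return
}

# 3. Confirm the renewed certificate has a private key and is actually bound to SMTP.
$cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; re-import it as .pfx with Import-ExchangeCertificate.'
}
if ($cert.Services -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services SMTP
    $cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint   # re-read; the cmdlet prints nothing on success
    if ($cert.Services -notmatch 'SMTP') {
        throw 'Enable-ExchangeCertificate did not bind SMTP; export to .pfx and re-import as described above.'
    }
}

# 4. Build the TlsCertificateName exactly as Exchange expects it and apply it to the connector.
$tlsCertName = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-SendConnector -Identity $ConnectorName -TlsCertificateName $tlsCertName
Get-SendConnector -Identity $ConnectorName | Select-Object Name, TlsCertificateName
```

In a multi-server hybrid deployment run it on each Mailbox server (or pass -Server to the certificate cmdlets), since certificate bindings are per server while the Send Connector is organization-wide.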