I have an Exchange in Hybrid Mode with O365.

After renewing the certificate (not self signed, its from sectigo) I cant assign it to SMTP, and therefore I cannot assign it to the \"Outbound to O365\" Connector.

I am running Exchange Server 2016 CU18

Steps to reproduce:

$Cert = Get-ExchangeCertificate -Thumbprint *example*\n$tlscertname = \"<i>$($Cert.Issuer)<s>$($Cert.Subject)\"\n\n$tlscertname\n<i>CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB<s>CN=*.example.org\n\nSet-SendConnector -Identity \"Outbound to Office 365\" -TLSCertificateName $tlscertname

Output: 

Das angegebene Zertifikat ist nicht für das SMTP-Protokoll aktiviert. Nur Zertifikate, die für das SMTP-Protokoll aktiviert sind,\nkönnen für Sendeconnectors festgelegt werden. Um ein Zertifikat für SMTP zu aktivieren, verwenden Sie das Cmdlet\n\"Enable-ExchangeCertificate\".\n+ CategoryInfo : InvalidOperation: (Outbound to Office 365:ADObjectId) [Set-SendConnector], InvalidOperationException\n+ FullyQualifiedErrorId : [Server=EXCHANGE2016,RequestId=5299e36d-0cfd-41b0-94a8-0ef459bd7034,TimeStamp=17.12.2020 14:10:50] [Fa\nilureCategory=Cmdlet-InvalidOperationException] 7B5AFD30,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector\n+ PSComputerName : exchange2016.int.example.org

Alright, So I execute:

Enable-ExchangeCertificate -Thumbprint *example* -Services SMTP

This executes without any error or success message, but it does nothing.

The only cert with smtp role is:

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,\nSystem.Security.AccessControl.CryptoKeyAccessRule}\nCertificateDomains : {Federation}\nHasPrivateKey : True\nIsSelfSigned : True\nIssuer : CN=Federation\nNotAfter : 19.11.2023 08:02:45\nNotBefore : 19.11.2018 08:02:45\nPublicKeySize : 2048\nRootCAType : None\nSerialNumber : *example*\nServices : SMTP, Federation\nStatus : Valid\nSubject : CN=Federation\nThumbprint : *example*

Assing my cert to smtp with the ECP doesn't do anything either.

I have tried a wildcard cert *.example.org and a cert with exactly the hosts fqdn exchange2016.example.org, both don't work.

I also updated from CU 17 to CU 18, but that didn't help.

I have an Exchange in Hybrid Mode with O365.

After renewing the certificate (not self signed, its from sectigo) I cant assign it to SMTP, and therefore I cannot assign it to the \"Outbound to O365\" Connector.

I am running Exchange Server 2016 CU18

Steps to reproduce:

Output: 

Alright, So I execute:

This executes without any error or success message, but it does nothing.

The only cert with smtp role is:

Assing my cert to smtp with the ECP doesn't do anything either.

I have tried a wildcard cert *.example.org and a cert with exactly the hosts fqdn exchange2016.example.org, both don't work.

I also updated from CU 17 to CU 18, but that didn't help.

lug-ms 

Hello, it's Ahmed and I will try to help

It looks like you are trying to assign a TLS certificate to a send connector in your Exchange Server 2016, but are encountering an error message that says the specified certificate is not enabled for the SMTP protocol.

To enable a certificate for the SMTP protocol, you can use the Enable-ExchangeCertificate cmdlet as you mentioned. However, it appears that the cmdlet is not having the desired effect in your case.

One possible reason for this could be that the certificate you are trying to use is not a valid SMTP certificate. To be used for the SMTP protocol, a certificate must meet certain requirements, such as being issued by a trusted certificate authority (CA) and being associated with the domain that you want to use it for.

It's also possible that the certificate has already been enabled for the SMTP protocol, in which case you will not see any success message when running the Enable-ExchangeCertificate cmdlet.

One way to verify that the certificate is enabled for the SMTP protocol is to check the Services property of the certificate. You can do this by running the following command:

Get-ExchangeCertificate -Thumbprint *example* | Select-Object Services

This should display a list of the services that the certificate is enabled for. If SMTP is included in this list, then the certificate is already enabled for the SMTP protocol, and you should be able to use it for your send connector.

If the certificate is not enabled for the SMTP protocol, you can try enabling it again using the Enable-ExchangeCertificate cmdlet, as shown in your example. Make sure to include the -Services SMTP parameter to specify that you want to enable the certificate for the SMTP protocol.

If you continue to have issues after trying these steps, it may be helpful to check the event logs on your Exchange Server for any error messages or other clues that might help to diagnose the problem. You can also try contacting Microsoft support or consulting the Exchange Server documentation for further assistance.

Please let me know the result 🙂

Hello Ahmed, 

I have the same issue as lug-ms 

I have two Exchange Server 2016 (CU23) in Hybrid Mode with O365. After renewing the certificate I cant assign it  to the \"Outbound to O365\" Connector or any other Send-Connector. I got the same error:

I try to enable the certificate (thumbprint 7AEE6646B5F788B61A2101A928B141C59A1EFC08):

You see, the certificate is not activate for SMTP and trying to assign it to the Outbound-Connector throws the same error. 

Another view to the certificates of the server:

Only the Federation-certificate is activated for SMTP. 

But when I try to activate another certificate for SMTP, I get this warning:

Is this a problem of the german version of the exchange-server?

How can I activate then new certificate to a Send-Connector?

ic-rohn 

My problem was that I had installed two certificates with the same subject and the same issuer. The old (possibly expired) certificate must be deleted from Exchange at first.

Summary:

Export your certificate including private key as .pfx and then re-import it either using Exchange Management Shell or ECP (not: MMC!).

Approved solution method:

a) [PS] $bincert = Export-ExchangeCertificate -BinaryEncoded -Thumbprint <Certificate Thumbprint> -Password (Get-Credential).password
b) [PS] [System.IO.File]::WriteAllBytes('C:\\users\\user\\desktop\\wildcard23.pfx', $bincert.FileData)
c) Delete the certificate from your computer using MMC

d) [PS] Import-ExchangeCertificate -Server <servername> -FileData ([System.IO.File]::ReadAllBytes('\\\\localhost\\c$\\users\\user\\desktop\\wildcard23.pfx')) -Password (Get-Credential).password

lug-ms you should run HCW version 17.x (newest) and let the agent do the job. Certificate replacement requires to re-run HCW and this should then work without any problem.

lug-ms are there other certificates bound to the SMTP service? If you run Get-ExchangeCertificate you should see all thumbprints and services (S stands for SMTP).