Can't set SMTP TLS certificate for send-connector


I have an Exchange in Hybrid Mode with O365.

After renewing the certificate (not self-signed, it's from Sectigo) I can't assign it to SMTP, and therefore I cannot assign it to the "Outbound to O365" Connector.

I am running Exchange Server 2016 CU18


Steps to reproduce:


$Cert = Get-ExchangeCertificate -Thumbprint *example*
$tlscertname = "<i>$($Cert.Issuer)<s>$($Cert.Subject)"

<i>CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB<s>CN=*

Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $tlscertname





Das angegebene Zertifikat ist nicht für das SMTP-Protokoll aktiviert. Nur Zertifikate, die für das SMTP-Protokoll aktiviert sind,
können für Sendeconnectors festgelegt werden. Um ein Zertifikat für SMTP zu aktivieren, verwenden Sie das Cmdlet
+ CategoryInfo : InvalidOperation: (Outbound to Office 365:ADObjectId) [Set-SendConnector], InvalidOperationException
+ FullyQualifiedErrorId : [Server=EXCHANGE2016,RequestId=5299e36d-0cfd-41b0-94a8-0ef459bd7034,TimeStamp=17.12.2020 14:10:50] [Fa
ilureCategory=Cmdlet-InvalidOperationException] 7B5AFD30,Microsoft.Exchange.Management.SystemConfigurationTasks.SetSendConnector
+ PSComputerName :



Alright, so I execute:


Enable-ExchangeCertificate -Thumbprint *example* -Services SMTP



This executes without any error or success message, but it does nothing.


The only cert with the SMTP role is:



AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,
CertificateDomains : {Federation}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Federation
NotAfter : 19.11.2023 08:02:45
NotBefore : 19.11.2018 08:02:45
PublicKeySize : 2048
RootCAType : None
SerialNumber : *example*
Services : SMTP, Federation
Status : Valid
Subject : CN=Federation
Thumbprint : *example*



Assigning my cert to SMTP with the ECP doesn't do anything either.


I have tried a wildcard cert * and a cert with exactly the hosts fqdn, both don't work.

I also updated from CU 17 to CU 18, but that didn't help.

6 Replies

@lug-ms you should run HCW version 17.x (newest) and let the agent do the job. Certificate replacement requires re-running HCW, and this should then work without any problem.

@Dominik Hoefling
The HCW does the same thing in PowerShell, and fails with the same error, see attachment

@lug-ms are there other certificates bound to the SMTP service? If you run Get-ExchangeCertificate you should see all thumbprints and services (S stands for SMTP).

@Dominik Hoefling 


Yes, the federation certificate is bound to SMTP, which probably automatically happened when removing the old certificate from the server.

You can see more details about the federation cert in my starting post ;)

@lug-ms I didn't understand it because you said the only certificate that has SMTP is the Federation certificate, but then you mentioned that enabling the SMTP service on the new certificate has been successful. So this means there are two certificates with the SMTP service but the "real" one does not work for hybrid (error message), is this correct?


If yes, you can disable the SMTP service for the federation certificate and the new certificate, then just enable it for the new certificate again with the same cmdlet. To disable the SMTP service, you can run Enable-ExchangeCertificate -Services None -Thumbprint XXX

@Dominik Hoefling 


No, I said enabling it for SMTP does NOT work.

I said the command executed without any return (which would be okay for a successful run), but it doesn't do anything. It's not enabling the cert for SMTP.
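
The steps from the opening post, with the state re-read after each change so a silent no-op from Enable-ExchangeCertificate is caught before the connector is touched. This is an added example, not code from any participant in the thread; `$Thumbprint` and the default `$ConnectorName` are placeholders, and it assumes the Exchange Management Shell.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# $Thumbprint is a placeholder for the renewed certificate's thumbprint.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $ConnectorName = 'Outbound to Office 365'
)

# 1. Inventory: which certificates exist and which services each is bound to.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, Status, HasPrivateKey, IsSelfSigned, NotAfter |
    Format-Table -AutoSize

# 2. Preconditions on the renewed certificate, read from the same properties
#    that appear in the Format-List output quoted in the post.
$before = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $before.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this server."
}
if ("$($before.Status)" -ne 'Valid') {
    throw "Certificate $Thumbprint has status '$($before.Status)', expected 'Valid'."
}

# 3. Request the SMTP binding. The cmdlet may prompt about replacing the
#    default SMTP certificate; the prompt is left in place on purpose.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP

# 4. Re-read the certificate instead of trusting the empty return value.
$after = Get-ExchangeCertificate -Thumbprint $Thumbprint
if ("$($after.Services)" -notmatch 'SMTP') {
    throw "SMTP is still not listed for $Thumbprint (Services: $($after.Services)). " +
          "Stopping before Set-SendConnector, which would fail with the error in the post."
}

# 5. Build the issuer/subject string and assign it to the send connector.
$tlsCertName = "<I>$($after.Issuer)<S>$($after.Subject)"
Set-SendConnector -Identity $ConnectorName -TlsCertificateName $tlsCertName

# 6. Confirm what the connector now references.
Get-SendConnector -Identity $ConnectorName |
    Format-List Name, TlsCertificateName, RequireTLS, TlsDomain
```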