
New SSL Certificate for SMTP Not Working

Uraster
Occasional Visitor

I have a working Exchange 2016 on premise. We have an SSL certificate which expires soon so I want to replace it. I purchased a new certificate and installed it on the server using mmc. When I go to Exchange admin center I can see it under Servers -> Certificates.

I enable the certificate using the Exchange admin center or PowerShell:

Enable-ExchangeCertificate -Thumbprint <Thumbprint new certificate> -Service POP,IMAP,IIS,SMTP

Both of these methods work fine for IIS and when I open the OWA the new certificate is shown correctly.

However, when I remove the old certificate (either using the Exchange admin center, Remove-ExchangeCertificate or mmc), SMTP stops working immediately. If I run a test using a .NET application, it fails with the error:

Server does not support secure connections.

If I install the old certificate again using mmc, everything works fine immediately again.

My question is how can I make the new certificate be the only one used and remove the dependency on the old one which will expire soon?

 

Edit: Found the solution from STUBB0 from https://community.spiceworks.com/topic/2205435-msexchangefrontendtransport-event-id-12014
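
An added example, not part of the original post: a client-side probe that reports whether the SMTP listener still advertises STARTTLS and whether the certificate it presents matches the new thumbprint, so the swap can be verified before the old certificate is removed. A server that stops advertising STARTTLS is the case in which a .NET SmtpClient reports "Server does not support secure connections". The function names, result strings and sample values are assumptions made for this example.

```python
import hashlib
import smtplib
import ssl

HEX = "0123456789ABCDEF"

def normalize(thumbprint):
    """Keep hex digits only; values copied from mmc often carry spaces or invisible marks."""
    return "".join(c for c in thumbprint.upper() if c in HEX)

def thumbprint_of(der):
    """Windows/Exchange thumbprint: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()

def offers_starttls(ehlo_reply):
    """True if an EHLO reply line (with or without its 250 prefix) is STARTTLS."""
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]
        if line.upper().split(" ")[0] == "STARTTLS":
            return True
    return False

def verdict(ehlo_reply, der, expected):
    """Classify one observation against the expected (new) thumbprint."""
    if not offers_starttls(ehlo_reply):
        return "no-starttls"        # listener has no usable certificate for TLS
    if der is None:
        return "no-certificate"
    return "new-cert" if thumbprint_of(der) == normalize(expected) else "other-cert"

def probe(host, expected, port=25, timeout=10):
    """Connect, read the EHLO keywords, upgrade if offered, and classify the result."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnostic only: we read the certificate,
    ctx.verify_mode = ssl.CERT_NONE # we do not decide here whether to trust it
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        text = reply.decode("latin-1")
        der = None
        if offers_starttls(text):
            smtp.starttls(context=ctx)
            der = smtp.sock.getpeercert(binary_form=True)
        return verdict(text, der, expected)

if __name__ == "__main__":
    # Constructed sample: an EHLO reply without STARTTLS, as after the old certificate is removed.
    print(verdict("250-mail.example.test Hello\n250 8BITMIME", None, "00"))
```

Running probe() against the server before and after enabling the new certificate shows whether SMTP has actually switched: "other-cert" means the listener still presents a different certificate, which fits the behaviour described in the post.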
