Cannot remove expired SSL certificate in Exchange 2013 through powershell or EAC

When I try to remove an expired SSL certificate from my 2 Exchange 2013 servers (in a 2 node DAG), I get the following error: "A special RPC error occurs on server xxxxx: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate."

There are currently 5 certificates on each server:
1) Digicert SSL Cert with IMAP, POP, IIS, SMTP
2) Digicert SSL Cert with IMAP, POP, SMTP (expired)
3) Microsoft Exchange with SMTP
4) Microsoft Exchange Server Auth Certificate with SMTP
5) WMSVC with no services

How can I get rid of the expired Digicert SSL Certificate?
GDB Ian asked:

Jose Gabriel Ortega Castro (EE Solution Guide/Topic Advisor and CEO Faru Bonon IT) commented:
You can do this in 5 steps.

1. This will bring up all the certificates you have and the associated services for each one of them.

2. Select the thumbprint that you want to be assigned IIS and SMTP.

Run this with the selected thumbprint in place of XXXX:
Get-ExchangeCertificate -thumbprint "XXXX" | Enable-ExchangeCertificate -Services IIS,SMTP

3. In IIS Manager, make sure the front-end and back-end bindings are using the same SSL certificate (so check the bindings on ports 443 and 444).

4. Once you have done this, reset IIS:
iisreset (from PowerShell or cmd)

5. Remove the old certificate.
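A scripted version of the five steps above, added here as an example that is neither the expert's code nor Exchange's own tooling: it lists the certificates with their expiry, re-enables services on the active DigiCert certificate only if it lacks one the expired certificate still carries, checks which certificate the 443 and 444 bindings use (assuming the IIS WebAdministration module is installed, as it is on a CAS server), and refuses to remove the expired certificate while any of those bindings still points at it. Both thumbprints are placeholders.

```powershell
# Added example (not the expert's or Microsoft's code). Run in the Exchange
# Management Shell on each of the two DAG nodes. Both thumbprints below are
# placeholders: paste the values from Get-ExchangeCertificate on that server.
$Expired = 'EXPIRED_DIGICERT_THUMBPRINT'
$Active  = 'ACTIVE_DIGICERT_THUMBPRINT'

# Step 1: list every certificate with its services and expiry, oldest first,
# so the expired DigiCert cert and the self-signed ones are easy to tell apart.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, NotAfter, IsSelfSigned, Status |
    Sort-Object NotAfter | Format-Table -AutoSize

$old = Get-ExchangeCertificate -Thumbprint $Expired
$new = Get-ExchangeCertificate -Thumbprint $Active
if ($new.NotAfter -le (Get-Date)) { throw 'Replacement certificate is itself expired.' }

# Step 2: only re-enable services if the active cert is missing one the old
# cert still carries; enabling SMTP again on an already-enabled cert is harmless.
$oldSvc  = $old.Services.ToString() -split ',\s*'
$missing = $oldSvc | Where-Object { $new.Services.ToString() -notmatch "\b$_\b" }
if ($missing) {
    Write-Host "Active cert lacks: $($missing -join ', '); enabling IIS and SMTP on it."
    Get-ExchangeCertificate -Thumbprint $Active | Enable-ExchangeCertificate -Services IIS,SMTP
}

# Step 3 (assumption: the WebAdministration module that ships with IIS is
# present): show which certificate the 443 front-end and 444 back-end
# bindings use, and stop if either still points at the expired thumbprint.
Import-Module WebAdministration
$bindings = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -match ':44[34]:' }
$bindings | Select-Object bindingInformation, certificateHash | Format-Table -AutoSize
if ($bindings.certificateHash -contains $Expired) {
    throw 'Port 443/444 is still bound to the expired cert; change the binding in IIS Manager first.'
}

# Step 4: restart IIS so the bindings are live, then step 5: remove the expired
# certificate. -WhatIf only reports what would happen; drop it to actually remove.
iisreset
Remove-ExchangeCertificate -Thumbprint $Expired -WhatIf
```

If the removal still fails with the "internal transport certificate" error, the expired certificate is the one Transport is using, and a certificate with SMTP enabled on it has to be in place first, as the error text says.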

GDB Ian (Author) commented:
The DigiCert (active) certificate is already assigned to IMAP, POP, IIS and SMTP. The expired DigiCert certificate is bound to IMAP, POP and SMTP. So, I think we are set through step 2. In step 3, I found the back-end 444 port is bound to the "Microsoft Exchange" certificate, which is self-signed and currently assigned SMTP and IIS.

So, if I switch the port 444 back-end binding to the active DigiCert certificate, I should be able to remove the old certificate? Will this cause any downtime for mail flow?
GDB Ian (Author) commented:
I thought the Microsoft Exchange certificate was supposed to be bound to the backend port 444.  From Microsoft:  "During the setup process a self-signed certificate called Microsoft Exchange is bound to the Exchange Backend Website on port 444. This is for communication between the Default Web Site and Exchange Back End web sites. When the certificate is removed, the Default Web Site will no longer be able to proxy connections to the Exchange Back End web site"
Jose Gabriel Ortega Castro (EE Solution Guide/Topic Advisor and CEO Faru Bonon IT) commented:
Well, Exchange should do it, but sometimes it doesn't, like in your case.
I'm aware that if you have a different certificate in the front end and back end you won't be able to connect. That's what step 4 is for.

And it doesn't matter if you assign the certificate again.