GDB Ian (United States of America) asked:
Cannot remove expired SSL certificate in Exchange 2013 through powershell or EAC

When I try to remove an expired SSL certificate from my 2 Exchange 2013 servers (in a 2-node DAG), I get the following error: "A special RPC error occurs on server xxxxx: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate."

There are currently 5 certificates on each server:
1) Digicert SSL Cert with IMAP, POP, IIS, SMTP
2) Digicert SSL Cert with IMAP, POP, SMTP (expired)
3) Microsoft Exchange with SMTP
4) Microsoft Exchange Server Auth Certificate with SMTP
5) WMSVC with no services

How can I get rid of the expired Digicert SSL Certificate?
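The error quoted above is raised whenever the certificate being removed is still the one the Transport service uses as its internal transport certificate. The following Exchange Management Shell script is an added example, not code from the original thread or from Microsoft: on each DAG node it reads that thumbprint from Get-TransportService, compares it with the expired certificate, and only then attempts removal. Server names and the thumbprint are placeholders supplied by the operator; both mutating cmdlets run with -WhatIf so the script only reports what it would do.

```powershell
# Added example (not from the original post). Assumes an Exchange 2013
# Management Shell session; server names and thumbprint are placeholders.
param(
    [string[]] $Servers = @('EXCH01', 'EXCH02'),        # placeholder DAG node names
    [Parameter(Mandatory)] [string] $ExpiredThumbprint   # thumbprint of the expired cert
)

foreach ($server in $Servers) {
    # Thumbprint of the certificate Transport uses for internal server-to-server
    # SMTP. Remove-ExchangeCertificate refuses to delete this one.
    $internal = (Get-TransportService -Identity $server).InternalTransportCertificateThumbprint

    $cert = Get-ExchangeCertificate -Server $server -Thumbprint $ExpiredThumbprint `
                -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "${server}: certificate $ExpiredThumbprint is not present"
        continue
    }

    Write-Host ("{0}: {1} expired {2:d}, services {3}" -f `
        $server, $cert.Subject, $cert.NotAfter, $cert.Services)

    if ($internal -eq $ExpiredThumbprint) {
        Write-Warning "${server}: still the internal transport certificate; removal will fail"

        # Candidate replacement: a non-expired certificate on the same server that
        # is already enabled for SMTP (the active DigiCert cert in the question).
        $replacement = Get-ExchangeCertificate -Server $server |
            Where-Object { $_.Thumbprint -ne $ExpiredThumbprint -and
                           $_.NotAfter -gt (Get-Date) -and
                           $_.Services -match 'SMTP' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1

        if ($replacement) {
            Write-Host "${server}: candidate replacement $($replacement.Thumbprint) ($($replacement.Subject))"
            # Assumption: re-enabling for SMTP with -Force overwrites the default SMTP
            # certificate, which Transport then uses as the internal transport cert.
            Enable-ExchangeCertificate -Server $server -Thumbprint $replacement.Thumbprint `
                -Services SMTP -Force -WhatIf
        }
        continue
    }

    # Not the internal transport certificate on this node: safe to remove.
    Remove-ExchangeCertificate -Server $server -Thumbprint $ExpiredThumbprint -WhatIf
}
```

Run it once per node and re-check InternalTransportCertificateThumbprint after dropping -WhatIf from Enable-ExchangeCertificate; only when it no longer matches the expired thumbprint on every node should the -WhatIf be removed from Remove-ExchangeCertificate.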
ASKER CERTIFIED SOLUTION by J0rtIT (Venezuela, Bolivarian Republic of)
GDB Ian (ASKER):
The Digicert (active) certificate is already assigned to IMAP, POP, IIS and SMTP. The expired Digicert certificate is bound to IMAP, POP and SMTP. So, I think we are set through step 2. In step 3, I found the backend port 444 is bound to the "Microsoft Exchange" certificate, which is self-signed and currently assigned SMTP and IIS.

So, if I switch the port 444 backend binding to the active Digicert certificate, I should be able to remove the old certificate? Will this cause any downtime for mail flow?
GDB Ian (ASKER):
I thought the Microsoft Exchange certificate was supposed to be bound to the backend port 444. From Microsoft: "During the setup process a self-signed certificate called Microsoft Exchange is bound to the Exchange Backend Website on port 444. This is for communication between the Default Web Site and Exchange Back End web sites. When the certificate is removed, the Default Web Site will no longer be able to proxy connections to the Exchange Back End web site."
Well, Exchange should do it, but sometimes it doesn't, like in your case.
I'm aware that if you have a different certificate in the front end and back end you won't be able to connect. That's what step 4 is for.

And it doesn't matter if you assign the certificate again.