Avatar of Jeff Brubaker
Jeff Brubaker

asked on 

Exchange Hybrid - Possible send connector or SSL Problem

I have single, Exchange 2013 server running in Full Hybrid Mode.
There are no on-premise mailboxes

Today, mail stopped flowing and I realized the SSL Cert had expired. (Woops!)

I quickly renewed the SSL Certificate and mail started working again immediately.

However, our phone voicemail system to email is not working. Tried rebooting the voicemail system and still no luck.

I'm wondering if it has to do with the "outbound to office 365" send connector. The reason I am suspicious is when I go to delete the expired SSL Cert from Exchange ECP, I get an error message "
A special Rpc error occurs on server EXCHANGE: These certificates are tagged with following Send Connectors : Outbound to Office 365. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.

But, if the expired SSL Cert is still tied to that send connector, how is my other email flowing ok?
If I do a Get-SendConnector "outbound to office 365" | fl  It just returns the basic information, not the thumbprint so I can't tell if it's the expired cert or not.

Any suggestions?

ExchangeMicrosoft 365* Exchange Hybrid

Avatar of undefined
Last Comment
Jeff Brubaker
Avatar of Hayes Jupe
Hayes Jupe
Flag of Australia image

get-exchangecertificate | fl

you will be able to see which services have been allocated to which cert thumbprint.

You need to allocate the "new" certificate to the SMTP service, then restart your transport service.
Avatar of Jeff Brubaker
Jeff Brubaker


Hayes Jupe,
Yes, it seems like that is the problem
The old cert, which I'm unable to delete is still using IIS and SMTP

Avatar of Hayes Jupe
Hayes Jupe
Flag of Australia image

yep, thats not uncommon - focus on getting the right cert being used for TLS on your SMTP rather than deleting the old cert.

update the config using
enable-exchange certificate -thumbprint <thumbprint of the new cert> -services SMTP

then re-start your exchange transport service.
Avatar of Jeff Brubaker
Jeff Brubaker


I ran the command and it completed successfully but I don't think anything has changed. The expired cert is still using SMTP and IIS as the new one is also.

Here is a "fix" from another thread. Your thoughts?

First, delete the expired Cert from MMC - Certificates - Personal - Certificates

  1. Run $cert = Get-ExchangeCertificate -Thumbprint <newcertthumbprint>
  2. Set a new variable and assign it the concatenated values of the Issuer and Subject values of the certificate (must also include <I> and <S> before each field):
    $TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
  3. Update the send connector with the new values
    Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert
Avatar of Hayes Jupe
Hayes Jupe
Flag of Australia image

yep, that's a fair point, you will need to update the connectors with the new cert as well... sorry - that is correct and i missed it.

so yes, run that command against the connector that is used for your voicemail system (and any other connectors that may also use TLS)
Avatar of Ben County
Ben County
Flag of Australia image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Jeff Brubaker
Jeff Brubaker


Hi Ben County,
I checked and the IIS\Exchange Back End was NOT bound to the new Cert.

Still unable to get emails from our voicemail system. Regular emails are working fine.
Here is what I have done

1. Manually deleted the expired Cert from MMC 
2. Ran $cert = Get-ExchangeCertificate -Thumbprint <thumbprintofnewcert>
3. Ran $TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
4. Ran Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert but got the message
"WARNING: The command completed successfully but no settings of 'Outbound to Office 365' have been modified"

5. Ran the Hybrid Configuration Wizard as per someone else's recommendation. The HCW completed successfully but changed the name of the Outbound to Office 365 connector to  "Outbound to Office 365 -  949ft714-fab3-460b-a944-468e489597f4" 

6. Checked the Exchange Back End bindings as you suggested and found it was not bound to the new Cert. Changed it and did a iisreset

Do I need to re-run the command Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert  again?
Avatar of Ben County
Ben County
Flag of Australia image

Hi Jeff,

I don't think you need to rerun the command to apply the certificate on the connector.

Sounds like you need to assign the new certificate to your voicemail system, not sure what products you are using, but if its utilising Exchange Unified Messaging you will need to assign the UM service to the new certificate if not already done.

Under the certificate services there should be a tick box for "Unified Messaging Call Router" which you need to tick for the certificate on each server.


Avatar of Jeff Brubaker
Jeff Brubaker


Thanks Ben!

It looks like I was barking up the wrong tree anyway. The voicemail system is rather old. When I updated the SSL Cert on my client's Exchange Server, it was no longer accepting emails from it.

The SMTP Setup for the Voicemail System only has a checkbox "Enable Encryption." It doesn't say what it is, but I would bet it's TLS 1.0

Works great now with no encryption.

Thanks for your expert replies.

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo