Exchange – Cannot remove Exchange certificate



Some days ago I tried to clean up old certificates from my Exchange servers, but I received the following error:

[PS] C:\> Remove-ExchangeCertificate -Thumbprint DD09EDD6D5F18C175254AB97046AAAAAAAAAAAAA

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint DD09EDD6D5F18C175254AB97046AAAAAAAAAAAAA from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y
A special Rpc error occurs on server EXCHANGE01: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
+ CategoryInfo          : InvalidArgument: (:) [Remove-ExchangeCertificate], InvalidOperationException
+ FullyQualifiedErrorId : [Server=EXCHANGE01,RequestId=487b16ef-f2f6-4e0f-a870-0c4b98f7c8d7,TimeStamp=7/5/2018 7:45:01 AM] [FailureCategory=Cmdlet-InvalidOperationException] DCA528C3,Microsoft.Exchange.Management.SystemConfigurationTasks.RemoveExchangeCertificate
+ PSComputerName        : exchange01.mydomain.com

As the screenshot shows, both certificates have the SMTP service assigned.

C:\>Get-ExchangeCertificate | fl

But only one of them is set as the default SMTP certificate.
Reassign the services to the new certificate again:

[PS] C:\> Enable-ExchangeCertificate -Thumbprint F075EB910C9330A4140762692A5AAAAAAAAAAAAA -Services IMAP,POP,IIS,SMTP

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'DD09EDD6D5F18C175254AB97046AAAAAAAAAAAAA'
(expires 10/22/2018 9:20:28 AM)
Replace it with certificate: 'F075EB910C9330A4140762692A5AAAAAAAAAAAAA'
(expires 10/22/2018 1:07:50 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

The confirmation prompt shows that the new certificate had NOT been set as the default SMTP certificate. After replacing it, the error message no longer appears when trying to remove the old certificate, and the problem is fixed:

[PS] C:\> Remove-ExchangeCertificate -Thumbprint DD09EDD6D5F18C175254AB97046AAAAAAAAAAAAA

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint DD09EDD6D5F18C175254AB97046AAAAAAAAAAAAA from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y
[PS] C:\>
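
The same procedure as a pre-removal check, added here as an example and not part of the original post. It assumes Exchange 2013 or later, where `Get-TransportService` exposes the `InternalTransportCertificateThumbprint` property, and it reuses the anonymized thumbprints and server name shown above.

```powershell
# Added example: run in the Exchange Management Shell.
# Server name and thumbprints are the anonymized values from this post.
$Server        = 'EXCHANGE01'
$OldThumbprint = 'DD09EDD6D5F18C175254AB97046AAAAAAAAAAAAA'
$NewThumbprint = 'F075EB910C9330A4140762692A5AAAAAAAAAAAAA'

# Thumbprint the Transport service currently uses as internal transport certificate
# (assumption: property available on Exchange 2013+).
function Get-InternalTransportThumbprint {
    (Get-TransportService -Identity $Server).InternalTransportCertificateThumbprint
}

$old = Get-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint
$new = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint

# Do not hand SMTP over to a replacement that cannot actually be used.
if ($new.NotAfter -le (Get-Date)) {
    throw "Replacement certificate $NewThumbprint expired on $($new.NotAfter)."
}
if (-not $new.HasPrivateKey) {
    throw "Replacement certificate $NewThumbprint has no private key on $Server."
}

Write-Host "Old: services = $($old.Services), expires $($old.NotAfter)"
Write-Host "New: services = $($new.Services), expires $($new.NotAfter)"

# Both certificates can list SMTP; only one is the internal transport certificate.
if ((Get-InternalTransportThumbprint) -eq $OldThumbprint) {
    Write-Warning "The old certificate is still the internal transport certificate."
    # Prompts "Overwrite the existing default SMTP certificate?"; answer Y.
    Enable-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint -Services SMTP
}

# Re-read the setting and stop if the old certificate is still in use.
if ((Get-InternalTransportThumbprint) -eq $OldThumbprint) {
    throw "Old certificate is still in use by the Transport service; not removing it."
}

Remove-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint
```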
