• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

SuperTekBoy

Practical Help for Exchange & Office 365

  • Exchange
    • News
    • Tutorials
    • Solve a Problem
  • Office 365
    • News
    • Tutorials
    • Solve a Problem
  • Outlook
    • Tutorials
    • Solve a Problem
  • Books
  • Podcasts
  • Quick Links…
    • Generate or Renew SSL Certs for Exchange
    • Connect PowerShell to Exchange Online
    • Connect PowerShell to Office 365
    • Extend Schema for Exchange
    • Exchange Schema & Build Numbers
  • More…
    • Kemp Load Balancers
    • Other tech…
    • Videos
    • About SuperTekBoy
    • Contact Us

Assign Services to a Certificate for Exchange 2016 and Exchange 2019

July 6, 2023 By Gareth Gudger 1 Comment

Share
Tweet
Share

In previous articles, we generated and completed a certificate request. Keep in mind that despite the request being completed, it is not yet live. We must still assign services to that certificate.

In this article, we explore the process of assigning services to a third-party certificate for Exchange 2016 CU23 and greater and Exchange 2019 CU12 and greater. Unlike the previous articles, where this process was only available in PowerShell, assigning services is still available in the Exchange Admin Center. In this article, we will cover both methods of assigning services to a certificate.

Let’s get started!

Note: When you assign services to a certificate, it will impact current connections to Exchange. For example, assigning IIS to a certificate can cause Outlook clients to reconnect. You may wish to perform this action during a maintenance window or after hours.

Assign Services to a Certificate with Exchange Admin Center

Log in to the Exchange Admin Center (EAC). Select the Servers tab and Certificates sub-tab.

Exchange 2019 Certificates

Select your certificate and click the Edit (Edit button) button.

Exchange 2019 Certificates Selected

Select the Services tab. Pick your desired services. In our example below, we picked IIS and SMTP. Click Save. If you selected the SMTP checkbox, you will be asked if you want to replace your default SMTP certificate. Select Yes.

Exchange 2019 Certificates Services Assigned

This may take a minute or so to process. Once complete, you will see the certificate has been assigned to the services you picked. In our example, IIS and SMTP are now assigned to the certificate.

Assign Services to a Certificate with PowerShell

To assign services using PowerShell, we will need to capture the thumbprint of our new certificate. To do this, we will need to first run the Get-ExchangeCertficate command.

 C:\> Get-ExchangeCertificate | Format-Table Subject, Thumbprint

Subject                        Thumbprint
-------                        ----------
CN=mail.exchangeservergeek.com B26C3C9B30A2A7371767275043816466CB921738
CN=EX19-01                     C232F4D642F74B9DC7E4ED33D4AB56E68C10CA76
CN=Microsoft Exchange Serve... 411A27BA64FD140523E4D1CF088589C228CA9C5E
CN=WMSvc-SHA2-EX19-01          D894B092E2ABE925E7104A0C9DFF6C448182CA30

From the example above, we can see the thumbprint for mail.exchangeservergeek.com is B26C3C9B30A2A7371767275043816466CB921738. Now that we have our thumbprint, we can use the Enable-ExchangeCertificate command.

 C:\> Enable-ExchangeCertificate -Server EX19-01 -Thumbprint B26C3C9B30A2A7371767275043816466CB921738 -Services IIS,SMTP

In this command:

  • Server specifies which server you want the action performed against. If you omit this parameter, the action is performed against the server where PowerShell is connected.
  • Thumbprint specifies the certificate to configure via its thumbprint
  • Services define which components you want to use the certificate with (e.g. IIS, SMTP, POP, IMAP, etc.)

If you specified SMTP as a service to add to the new certificate, you will be prompted on whether to overwrite the existing default SMTP certificate. Enter Y and press Enter.

Overwrite the existing default SMTP certificate?
Current certificate: '5FA62F11B524678090B752F48E207DEC3A0DFF46'
Replace it with certificate: 'B26C3C9B30A2A7371767275043816466CB921738'
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is Y): Y

To verify the services have been assigned, run the Get-ExchangeCertificate command.

 C:\> Get-ExchangeCertificate | Format-Table Subject, Services

Subject                                                   Services
-------                                                   --------
CN=mail.exchangeservergeek.com                           IIS, SMTP
CN=EX19-01                                               IIS, SMTP
CN=Microsoft Exchange Server Auth Certificate                 SMTP
CN=WMSvc-SHA2-EX19-01                                         None

The services column indicates what services are currently assigned to the certificate. In the example above, IIS and SMTP have been assigned to the mail.exchangeservergeek.com certificate. Other possibilities include POP, IMAP, and Federation. For Exchange 2016, Unified Messaging is an additional option (no longer supported in Exchange 2019).

Checking your work

Now that we have our new certificate installed, we need to test it to make sure it is working properly.

The easiest way to check is to enter your URL into a web browser. In our case, we enter https://mail.exchangeservergeek.com/ecp. This should result in no certificate errors.

Certificate verification in Microsoft Edge

Let’s test Autodiscover as well. In our example, our Autodiscover URL is, https://autodiscover.exchangeservergeek.com/autodiscover/autodiscover.xml. You will be prompted for credentials. Once entered, you will receive the following response. Despite it being an error, it is expected behavior. Autodiscover was expecting Outlook, not Microsoft Edge.

AutoDiscover Certificate in Microsoft Edge

Do the test results look good? Awesome! Your certificate is correctly installed.

More than one server?

If you have multiple Exchange servers, it is important that we copy this certificate to each Exchange Server. To do this, check our article on importing and exporting Exchange certificates.

If you have Exchange Hybrid

If you have Exchange Hybrid, it is highly likely your old certificate is being used for hybrid mail flow (forced TLS) between Exchange Online and Exchange on-premises.

If you are running Exchange Hybrid, rerun the Hybrid Configuration Wizard and select your new certificate for hybrid mail flow. When the hybrid configuration wizard is complete, you can delete the old certificate from Exchange.

HCW Transport Certificate

Delete the old certificate with PowerShell

Now that everything is correctly installed, we can delete the old certificate. To delete your old certificate, run the following command, specifying the old thumbprint. Hit Enter to confirm.

Note: I would recommend delaying the deletion of the old certificate for a few days just in case you need to roll back your changes.

 C:\> Remove-ExchangeCertificate -Server EX19-01 -Thumbprint B26C3C9B30A2A7371767275043816466CB921738 
Confirm 
Are you sure you want to perform this action? 
Remove certificate with thumbprint B26C3C9B30A2A7371767275043816466CB921738 from the computer's certificate store? 
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"):

The old certificate will be removed. To confirm removal, rerun the Get-ExchangeCertificate cmdlet above.

Blocked from deleting the certificate?

If you are blocked from deleting the certificate because it is still bound to a connector, you can try a couple of things.

If the Hybrid Configuration Wizard created the connector, I would recommend rerunning the Hybrid Configuration Wizard and selecting the new certificate. Then, try to delete your certificate.

If the connector was not created with the Hybrid Configuration Wizard, or rerunning the Hybrid Configuration Wizard does not solve your problem, you can run the following commands.

First, we’ll need to capture the thumbprint from our new certificate. To do this, we will need to run the Get-ExchangeCertficate command. Using our previous example, the thumbprint highlighted in yellow, with the NotAfter date of 7/15/2024, is our new certificate.

 C:\> Get-ExchangeCertificate | Format-Table Subject, Thumbprint, NotAfter

Subject Thumbprint NotAfter
------- ---------- --------
CN=mail.exchangeservergeek.com BD09E758DF572307128D878697D3A766BDBEBF35 7/15/2024
CN=mail.exchangeservergeek.com B26C3C9B30A2A7371767275043816466CB921738 7/15/2023

With the thumbprint identified, we store our certificate in a variable with the following command.

 C:\> $tlscert = Get-ExchangeCertificate -Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35

We then need to grab two smaller pieces of data from that variable and store those two pieces in a new variable. In our example below, we capture the Issuer and Subject fields stored in the $tlscert variable, stitch them together, and store them in the $tlscertname variable.

 C:\> $tlscertname = (‘<I>’+$tlscert.issuer+'<S>’+$tlscert.subject)

You can type $tlscertname if you are curious about what that variable now contains.

Now that we have everything we need, we can reconfigure the connector with the old certificate attached. If you are unsure which connector the certificate is bound to, try deleting the certificate again, and the error will identify the connector using the certificate.

In our example below, we reconfigured our “Outbound to Office 365” send connector with the new certificate. We do this with the Set-SendConnector command.

 C:\> Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $tlscertname

Repeat the final command on any additional send connectors. If you need to change this on a receive connector, you will use the Set-ReceiveConnector cmdlet instead.

Further Reading

Here are some articles I thought you might like.

  • Generate a Certificate Request for Exchange 2016 and Exchange 2019
  • Complete a Certificate Request for 2016 and Exchange 2019
  • Import & Export SSL Certificates in Exchange 2016 and Exchange 2019
  • Renew a Certificate in Exchange 2016 & 2019
  • Generate a Certificate Request for Exchange 2013
  • Complete a Certificate Request in Exchange 2013
  • Assign Services to a Certificate in Exchange 2013
  • Import & Export a Certificate in Exchange 2013
  • Renew a Certificate in Exchange 2013
Print Friendly, PDF & Email

Filed Under: Exchange Tutorials

About Gareth Gudger

Gareth is a former Microsoft MVP (2016-2024) specializing in Exchange and Office 365. Gareth previously contributed to the Office 365 for IT Pros book, which is updated monthly with new content. Find Gareth on LinkedIn, X, or, Facebook.

Reader Interactions

End of Article Form

Want to stay up to date?

Join thousands of IT professionals and get the latest Exchange & Office 365 tips and tutorials direct to your inbox

Comments

  1. Brian says

    October 23, 2023 at 8:04 am

    Thanks Gareth!

    With this new powershell only procedure, do you still need to apply the certificate to each of your exchange connectors? Or does this just “apply” it to them now when you assign the services of IIS, SMTP?

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Want to stay up to date?

Sidebar Form

Join thousands of IT professionals and get the latest Exchange & Office 365 tips and tutorials direct to your inbox

DigiCert Banner 300x348

(help support us using our affiliate link)

Footer

Site Navigation

  • Subscribe to blog
  • About SuperTekBoy
  • Disclaimer
  • Privacy & Cookies
  • Contact Us

Want to stay up to date?

Footer Form

Join thousands of IT professionals and get the latest Exchange & Office 365 tips and tutorials direct to your inbox

Join the conversation

  • Twitter
  • LinkedIn
  • Facebook
  • YouTube
  • RSS

Copyright © 2025 · SuperTekBoy LLC

Share
Tweet
Share