I assigned a new SSL cert to the SMTP service on my Exchange 2013 server and got the prompt about overwriting the old one. However, the old cert is still bound to the SMTP service and I can’t uncheck the box. Do I need to reboot the server or can I just restart the SMTP service to unbind it?
Certificates bound to SMTP are a little different than other services on an Exchange server. If you bind a certificate to IIS for example, it removes the binding for any previous certificate, and becomes the only certificate bound to that service. However with SMTP you can have multiple SSL certificates bound to the service.
Here’s an example:
As you can see I’ve got my SAN certificate bound to IMAP, POP, IIS, and SMTP. But then I’ve also got two additional certificates bound to SMTP. These are self-signed certificates created by Exchange setup.
Why do I have two? It’s possible I’ve reinstalled this server at some stage, or manually created one of them. Regardless, you can see that multiple certificates are bound to SMTP, which is the point I’m making.
Anyway, let’s say for some reason we want to remove one of those self-signed certificates, or at the very least unbind it from SMTP. To bind a certificate to a service we use Enable-ExchangeCertificate; however, there is no corresponding Disable-ExchangeCertificate cmdlet.
As Victor points out, trying to do it via the Exchange Admin Center is impossible – the tick box is greyed out.
However we still have a PowerShell solution to the problem. If you look closely at the documentation for Enable-ExchangeCertificate you can see that the -Services parameter accepts a value of “None”.
So running Enable-ExchangeCertificate with -Services None against the certificate with a thumbprint of “5C5E9124B0960BBFB570596AAE6902742D95361E” will set that certificate to be bound to no services on the server.
If you want to remove the certificate from the server entirely use Remove-ExchangeCertificate. However, don’t do this until you’re 100% sure you don’t need the certificate any more. I have seen customers who delete a certificate only to later realise that the server was still using that certificate for something.
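The unbind and the pre-removal check described above, written out as an added example that is not part of the original post. It assumes you are in the Exchange Management Shell on the server in question and reuses the thumbprint quoted above; substitute the thumbprint of the certificate you actually want to unbind.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell
# and the thumbprint quoted above; replace it with the thumbprint of your own certificate.
$Thumbprint = "5C5E9124B0960BBFB570596AAE6902742D95361E"

# First, see every certificate currently bound to SMTP (there can be several)
Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-Table Thumbprint, Subject, IsSelfSigned, NotAfter, Services -AutoSize

# Look at the one you intend to unbind before touching it
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Subject, Services, NotAfter, IsSelfSigned

# There is no Disable-ExchangeCertificate, so bind it to "None" instead.
# No reboot or service restart is needed for this.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services None

# Confirm the binding is gone: Services should now read "None"
(Get-ExchangeCertificate -Thumbprint $Thumbprint).Services

# Only once you are certain nothing still uses it, remove it from the server.
# -WhatIf previews the removal without performing it; drop it when you are ready.
Remove-ExchangeCertificate -Thumbprint $Thumbprint -WhatIf
```

Leaving the certificate unbound but still present on the server for a while is a sensible middle step: if some client or connector turns out to depend on it, you can re-enable it with Enable-ExchangeCertificate rather than having to reissue it.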