Correct way to remove smtp services from certificate

  • Question

  • Hi

    We have an Exchange 2013 Std single server environment. We have an external GoDaddy certificate already assigned to IIS & SMTP services. However, the server is failing a PCI scan because a self-signed certificate is also assigned to the SMTP service and this certificate is being returned in favour of the real certificate. In the Exchange web console the services for the self-signed certificate are greyed out and cannot be unticked. What is the correct way of removing these services? The self-signed certificates that have these services bound are:

    Microsoft Exchange

    Microsoft Exchange Server Auth Certificate.

    I'm assuming that these certificates need to be retained for other aspects of Exchange 2013 to work.

    Thanks

    Friday, June 19, 2015 9:39 AM

Answers

  • Ok, so I basically followed the route I'd taken before on another Exchange server. For interest, if anybody is in the same position, what I did was go into IIS, assign the real certificate to the Exchange website, then remove / delete the Exchange self-signed cert (after an export - just in case). Run an iisreset and the real cert was now answering calls on the SMTP service. Why do you have to do this - because if I didn't, the Exchange PowerShell and admin web portal stop working. Why MS do it this way is beyond me, however it seems to work. It doesn't seem the correct way though (why can we not just remove the SMTP service from that cert - would be easier.....)

    Roger

    • Marked as answer by jim-xu Tuesday, June 30, 2015 9:08 AM
    Monday, June 22, 2015 3:23 PM

All replies

  • Hi Roger,

    If you are okay to use a self-signed certificate, generate a new one and assign the services to it. Services will be automatically removed from the GoDaddy one.

    Yes, there are some self-signed certificates used by the Exchange backend to communicate internally, hence don't remove them. They are automatically created when you install Exchange.

    Create a digital certificate request

    https://technet.microsoft.com/en-us/library/bb125165(v=exchg.150).aspx

    Follow the certificate assignment part from this one:

    https://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2013.htm


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, June 19, 2015 12:10 PM
  • Satyajit

    I want to keep the real GoDaddy certificate and remove the services for SMTP from the self-signed certificate. From what I gather looking at the forums, the only way of doing this is to export the self-signed certificate, then remove the self-signed certificate and then re-import it and not assign it to the SMTP service - does anybody know if this is the correct procedure?

    Roger

    Saturday, June 20, 2015 8:50 AM
  • Hi Roger,

    Thank you for your question. 

    We could use the following command to check whether the self-signed certificate is present:

    Get-ExchangeCertificate 

    If we could get the Exchange self-signed certificate, we could use the following command to disable the SMTP service on the self-signed certificate:

    Disable-ExchangeCertificate -Thumbprint xxxxxx -Service SMTP

    Then we could wait for AD replication, then check whether the issue persists.

    If there are any questions regarding this issue, please feel free to let me know.

    Best Regards,

    Jim


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jim Xu
    TechNet Community Support

    Monday, June 22, 2015 3:02 AM
  • Hi Roger,

    As per my understanding, even if the certificates are shown to be assigned to some services, that doesn't necessarily mean they are used for those services live\currently.

    When you import a new certificate and assign services to it, you would get a prompt (provided you have the old cert already in place), asking you to confirm overwriting existing certificates assigned to services, as shown here.

    You can validate this by opening OWA and check the certificate presented to you.

    The point is you don't need to remove the self-signed certificate which Exchange generated for you.

    Basically, the assigned services will come into play when you are actually using the certificate.

    For instance, the IIS->Default Web Site and IIS->Exchange Back End have separate binding certificates for SSL. When you view from EAC it just shows you the services assigned: IIS, SMTP. But what it doesn't tell you is that it's been used in two different places or it's been overwritten by a newer one already.

    As explained in this article Checkboxes Greyed Out When Managing Services for an Exchange 2013 SSL Certificate:

    Exchange 2013 will not allow you to disable/unassign an SSL certificate from a service that requires SSL. Instead, you should enable another SSL certificate to that service, which will automatically disable the existing one for you (for that specific service, not necessarily all services).

    NOTE:- If you want to remove the old GoDaddy certificate that is no longer in use, run the below cmdlet.

    Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e

    Similar issue:

    Remove Services assigned to Exchange Certificate:

    https://social.technet.microsoft.com/forums/exchange/en-US/15e79a3e-023e-456c-a021-1d8a24bc3b82/remove-services-assigned-to-exchange-certificate


    Regards,

    Satyajit



    Monday, June 22, 2015 3:43 AM
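    The procedure Satyajit describes above (enable the CA-issued certificate for SMTP rather than trying to untick the self-signed one), written out as an added example; this is not code from the thread. The Exchange cmdlets are run in the Exchange Management Shell on the 2013 server, and Get-SmtpTlsCertificate, a helper written for this example, can run from any Windows host that reaches port 25. '<GODADDY-THUMBPRINT>' and 'mail.example.com' are placeholders.

```powershell
# Added example, not from the thread. Placeholders: '<GODADDY-THUMBPRINT>', 'mail.example.com'.

# 1. Inventory: which certificates exist and which services each is bound to.
Get-ExchangeCertificate |
    Format-Table Thumbprint, IsSelfSigned, Services, Subject, NotAfter -AutoSize

# 2. Move SMTP to the CA-issued certificate. Exchange 2013 never lets you untick
#    SMTP on a certificate; enabling another certificate for the service is what
#    takes the self-signed one out of play. -Force suppresses the overwrite prompt.
Enable-ExchangeCertificate -Thumbprint '<GODADDY-THUMBPRINT>' -Services SMTP -Force

# 3. Exchange chooses the STARTTLS certificate by matching the Receive connector
#    FQDN against the certificate's subject/SAN names, so the two must agree.
Get-ReceiveConnector | Format-Table Name, Fqdn -AutoSize
Get-ExchangeCertificate -Thumbprint '<GODADDY-THUMBPRINT>' |
    Select-Object -ExpandProperty CertificateDomains

# 4. Verify the way a PCI scanner does: connect to port 25, issue STARTTLS and
#    report the certificate the server actually presents (helper written for
#    this example).
function Get-SmtpTlsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.AutoFlush = $true
    $writer.NewLine   = "`r`n"

    $null = $reader.ReadLine()                      # 220 banner
    $writer.WriteLine('EHLO tls-check.example')
    do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')   # multi-line EHLO reply
    $writer.WriteLine('STARTTLS')
    $reply = $reader.ReadLine()
    if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }

    # Accept any certificate: the goal is to see what is presented, not to validate it.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, { $true })
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $client.Close()

    [pscustomobject]@{
        Server     = $Server
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # heuristic: Exchange's own certs are issuer == subject
        NotAfter   = $cert.NotAfter
    }
}

Get-SmtpTlsCertificate -Server 'mail.example.com'
```

    The scan finding is resolved when the Thumbprint reported by step 4 is the GoDaddy thumbprint from step 1. If the self-signed certificate is still presented after step 2, compare the connector Fqdn from step 3 against the CertificateDomains list; a name that is not on the certificate is the usual reason Exchange keeps falling back to the self-signed one.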
  • Hi

    Would this just disable the certificate for use with the SMTP service - all other functions would remain?


    Also I don't see a 'disable-exchangecertificate' PowerShell command in my Exchange 2013?
    Monday, June 22, 2015 8:59 AM
  • The self-signed certificate IS being used for SMTP (tested) and I want to stop using this self-signed certificate for SMTP and start using the real GoDaddy one. I'm looking for the correct way to do this. Does anybody have an idea of how to do this?
    Monday, June 22, 2015 11:55 AM
  • Hi Roger,

    Please let me know if my earlier post made any sense; I'll try to explain more if you need so.

    Use the below cmdlet to find the available PowerShell commands in your Exchange 2013:

    Get-Command *-ExchangeCertificate
    
    CommandType     Name
    -----------     ----
    Function        Enable-ExchangeCertificate
    Function        Export-ExchangeCertificate
    Function        Get-ExchangeCertificate
    Function        Import-ExchangeCertificate
    Function        New-ExchangeCertificate
    Function        Remove-ExchangeCertificate

    References:

    Exchange certificate cmdlets:

    https://technet.microsoft.com/en-us/library/dd351246(v=exchg.150).aspx


    Regards,

    Satyajit


    Monday, June 22, 2015 12:13 PM
  • Hi Roger,

    Using IIS to directly assign works, but it isn't the right way to do that. You should use EAC or EMS for Exchange-related certificates.

    Please let me know how you generated the certificate request for the certificate to begin with.


    Regards,

    Satyajit


    Tuesday, June 23, 2015 5:38 AM
  • Hi Roger,

    I am sorry, but the command “Disable-ExchangeCertificate” does not exist on Exchange 2013.

    When you restart IIS and it works, it may be caused by the cache.

    If there are any questions regarding this issue, please feel free to let me know.

    Best Regards,

    Jim



    Monday, June 29, 2015 8:41 AM