Certificate errors - internal transport certificate cannot be removed error and no valid SMTP TLS cert for FQDN

    Question

  • On my client access/HT servers I have 3 certificates installed.

    A. An expired certificate that has IMAP, POP and SMTP services assigned to it. This was issued by our internal CA a while back.

    B. A GoDaddy cert that was purchased, and this has IMAP, POP, IIS & SMTP services assigned to it.

    C. A self-signed certificate that has SMTP assigned to it, not expired.

    I tried to get rid of the A cert because it's expired, but it gives me this error when I try to remove it from the EMC:
    "The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate."

    I'm also seeing these errors in the event viewer:
    There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of XXXX.XXXXXX.org. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of hhuexch.hhunited.org should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

    I have the same issue with the expired cert and event log errors on both my CAS/HT servers.

    Running Exchange 2010 SP2.

    I'm also seeing this error on both CAS/HT servers, but not sure if it has anything to do with the certificate issues.
    The store driver couldn't deliver the public folder replication message "Backfill Request (PublicFolderDatabase@company.com)" because the following error occurred: Property: [0x3ff00102] , PropertyErrorCode: UnknownError, PropertyErrorDescription: 0x80040107..

    I would appreciate any help with this.

    April 24, 2013 15:08

Answer

  • Hi there,

    You may leave both the certificates or remove them.

    Exchange uses the latest certificate that was bound to the Exchange services. So please enable certificate B with all services again, and then check the Application event log to make sure it is working now.


    Hope it is helpful.
    April 25, 2013 6:47

All replies

  • http://exchangeserverpro.com/exchange-2013-the-internal-transport-certificate-cannot-be-removed/

    OM (MCITP) | Blog

    April 24, 2013 15:23
  • I ended up using the command

    Get-ExchangeCertificate -Thumbprint <thumbprint> | New-ExchangeCertificate

    and then I was able to remove that old cert.

    Question is, do I need to have both of these certs in here besides the GoDaddy one, if the GoDaddy cert has all the services assigned to it anyway?

    April 24, 2013 17:37
  • You may remove Certificate C; the SMTP service uses the default self-signed certificate generated during installation.

    It works in most cases unless you implement TLS, which requires a 3rd-party certificate for the SMTP service.


    OM (MCITP) | Blog

    April 25, 2013 1:36
  • I found this on another site that helped me.

    Delete it from within MMC (Start --> Run --> "mmc" --> Enter): Add/Remove Snap-ins --> Certificates --> Computer account --> Local computer. Look under Console Root --> Certificates --> Personal --> Certificates. The certificate in question should be located there. Delete the certificate and then re-attempt deleting the certificate in question from the Exchange Admin Console (EAC). Good luck.

    December 4, 2014 18:42
  • To be able to remove the SSL certificate you need to create a new certificate to replace the existing one as the internal transport certificate:

    [PS] C:\>New-ExchangeCertificate -IncludeServerFQDN -IncludeServerNetBIOSName

    With this you will get the certificates present:

    Get-ExchangeCertificate

    Remove the cert you want to remove:

    Remove-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxx"


    May 8, 2015 9:26
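The procedure in the reply above (inventory the certificates, create a replacement, verify it took over SMTP, then remove the expired one) written out as one Exchange Management Shell script, with the event-log check the original question mentions. This is an added example, not code from the thread, from Microsoft or from any contributor; it assumes the Exchange 2010 cmdlets already named on the page, derives the server FQDN from DNS instead of hard-coding it, and filters the Application log by the message text quoted in the question rather than by an event ID.

```powershell
# Added example (not from the thread): replace an expired internal transport
# certificate on an Exchange 2010 CAS/HT server, then remove the expired one.
# Assumptions: run from the Exchange Management Shell on the affected server;
# the Services property is compared as its flags string (e.g. "IMAP, POP, SMTP").

# Server FQDN taken from DNS so nothing is hard-coded (assumption: forward DNS is correct).
$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Inventory: which certificate holds which service, and when does each expire?
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, NotAfter, Status, CertificateDomains |
    Format-Table -AutoSize

# 2. Find certificates that are already expired but still bound to SMTP.
#    These are the ones the EMC refuses to delete while they are the transport cert.
$expiredSmtp = Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date) -and ("$($_.Services)" -match 'SMTP') }

if (-not $expiredSmtp) {
    Write-Host "No expired certificate is bound to SMTP on $ServerFqdn; nothing to do."
    return
}

# 3. Create a replacement self-signed certificate for the internal transport role.
#    The newest certificate enabled for SMTP becomes the internal transport
#    certificate; -Force suppresses the prompt about overwriting the SMTP binding.
$new = New-ExchangeCertificate -Services SMTP `
    -DomainName $ServerFqdn -IncludeServerFQDN -IncludeServerNetBIOSName `
    -FriendlyName "Internal transport $(Get-Date -Format yyyyMMdd)" -Force

# 4. Verify the new certificate really holds SMTP before touching the old one.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ("$($check.Services)" -notmatch 'SMTP') {
    throw "New certificate $($new.Thumbprint) is not bound to SMTP; aborting removal."
}

# 5. Remove each expired certificate now that it is no longer the transport cert.
foreach ($cert in $expiredSmtp) {
    Write-Host "Removing expired certificate $($cert.Thumbprint) (expired $($cert.NotAfter))"
    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Confirm:$false
}

# 6. Confirm the transport service has stopped logging the 'no valid SMTP TLS
#    certificate' warning quoted in the question (match on message text, not ID).
Get-EventLog -LogName Application -Source MSExchangeTransport -Newest 50 |
    Where-Object { $_.Message -like '*no valid SMTP Transport Layer Security*' } |
    Select-Object TimeGenerated, EventID, Message
```

Run it once per CAS/HT server, since the question reports the warning on both. The order matters: the new certificate must be enabled for SMTP before the old one is removed, which is exactly why the EMC blocks deleting the current internal transport certificate outright.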
  • I know this is an old thread but it is still valid today.

    1.  If you already have your new cert installed and are getting that error, export the new cert using the MMC and adding the Certificates snap-in. Ensure you are able to export the private key. If you cannot export the private key, then don't follow the rest of these instructions.

    All the rest of the instructions use the Exchange GUI console.

    2.  Assign the services back to the old cert.

    3.  Delete the new cert.

    4.  Import the new cert back in.

    5.  Add services to the new cert.

    6.  When it prompts you to overwrite the existing cert, select yes.

    7.  Delete the expired cert...

    8.  Test. Relish in your awesomeness... done.

    No reboot, no stoppage of services.

    March 4, 2016 6:35
  • I actually didn't need to export and re-import the new cert. All I had to do was right-click the new cert and click Assign Services... I didn't make any changes to the services (since they were already selected). At the end of the wizard, it prompted me to overwrite the cert I was trying to remove. I was then able to remove the cert manually.
    November 6, 2016 0:27
  • That works as long as the certificate had not already been assigned. At least when using the GUI, you cannot unassign and reassign SMTP and IIS, if not others.
    July 18, 2017 12:09
  • This worked for me using the GUI with the services already assigned. Don't un-assign any services. Click OK and it will ask you to overwrite. Then removing the old one will work.


    • Edited by PABuck June 13, 2018 14:47
    June 13, 2018 14:47