Remove Exchange certificate with PowerShell

We can remove an Exchange certificate in two ways. One of them is with PowerShell. The other is in Exchange Admin Center (EAC). In this article, you will learn how to remove an Exchange certificate with PowerShell.

Get Exchange certificate

It’s good to get a list of the installed Exchange certificates first. After that, we will remove the certificate. Read the article Get Exchange certificate with PowerShell for more information.

Run Exchange Management Shell as administrator and run the Get-ExchangeCertificate cmdlet.

[PS] C:\>Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, Subject, CertificateDomains | fl


Thumbprint         : 1AEF337DFC2B537D9E0D0C89D1AE55749AF2660B
Services           : SMTP
NotAfter           : 5/1/2027 9:15:30 PM
Subject            : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}

Thumbprint         : E55A7CE736B5798A1A694F1D0515227E35F97514
Services           : IIS, SMTP
NotAfter           : 5/1/2027 7:53:26 PM
Subject            : CN=EX01-2019
CertificateDomains : {EX01-2019, EX01-2019.exoip.local}

Thumbprint         : E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 7/19/2022 11:14:01 AM
Subject            : CN=mail.exoip.com
CertificateDomains : {mail.exoip.com, autodiscover.exoip.com}

Thumbprint         : 5C542FF3253B641876C77C70404625154B723E25
Services           : None
NotAfter           : 4/13/2032 5:38:47 PM
Subject            : CN=WMSvc-SHA2-EX01-2019
CertificateDomains : {WMSvc-SHA2-EX01-2019}

We have four Exchange certificates installed on the Exchange Server. Three certificates are bound to the SMTP service.

Note: Certificates bound to the SMTP service behave a little differently from those bound to other services on an Exchange server. For example, if you bind a certificate to the IIS service, it removes the binding for any previous certificate and becomes the only certificate bound to that service. With SMTP, you can have multiple SSL certificates bound to the service.

Do you already know which Exchange certificate you need to remove? Then, let’s find out how to remove the Exchange certificate in the next step.

Remove Exchange certificate

We ran the Get-ExchangeCertificate cmdlet, so we know which certificate we want to remove. The certificate that we want to remove is the local certificate with thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9.

Note: Don’t remove the certificate until you’re 100% sure you don’t need it. It’s better to leave the certificate for a week or more before removing it.

Run the Remove-ExchangeCertificate cmdlet, press Y to confirm, and press Enter.

[PS] C:\>Remove-ExchangeCertificate -Thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9 from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Certificate with thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9 is removed.

Conclusion

You learned how to remove the Exchange certificate with PowerShell. Unfortunately, you can’t unbind the service from the certificate. Instead, you have to re-assign the services to another certificate first. After that, you can remove the certificate.
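Whether services still need to be re-assigned can be checked before the removal. The following is an added example, not code from the original article: the function name Get-OrphanedService, its parameters and the evaluation date are assumptions made for illustration, and the sample objects are constructed from the certificate listing above.

```powershell
# Added example (not from the original article). Returns the services bound to
# the certificate planned for removal that no other unexpired certificate in
# the list is bound to.
function Get-OrphanedService {
    param(
        [Parameter(Mandatory)] [object[]] $Certificate,  # e.g. Get-ExchangeCertificate output
        [Parameter(Mandatory)] [string]   $Thumbprint,   # certificate planned for removal
        [datetime] $AsOf = (Get-Date)                    # date used for the expiry check
    )

    $target = $Certificate | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $target) { throw "No certificate with thumbprint $Thumbprint in the list." }

    # Assumption: Services renders as text such as "IMAP, POP, IIS, SMTP" or "None".
    $toNames = {
        param($cert)
        "$($cert.Services)" -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' }
    }

    # Services still covered by some other certificate that has not expired.
    $covered = $Certificate |
        Where-Object { $_.Thumbprint -ne $Thumbprint -and $_.NotAfter -gt $AsOf } |
        ForEach-Object { & $toNames $_ }

    & $toNames $target | Where-Object { $_ -notin $covered }
}

# Constructed sample data, copied from the listing earlier in the article.
$certs = @(
    [pscustomobject]@{ Thumbprint = '1AEF337DFC2B537D9E0D0C89D1AE55749AF2660B'
                       Services = 'SMTP'; NotAfter = [datetime]'5/1/2027 9:15:30 PM' }
    [pscustomobject]@{ Thumbprint = 'E55A7CE736B5798A1A694F1D0515227E35F97514'
                       Services = 'IIS, SMTP'; NotAfter = [datetime]'5/1/2027 7:53:26 PM' }
    [pscustomobject]@{ Thumbprint = 'E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9'
                       Services = 'IMAP, POP, IIS, SMTP'; NotAfter = [datetime]'7/19/2022 11:14:01 AM' }
    [pscustomobject]@{ Thumbprint = '5C542FF3253B641876C77C70404625154B723E25'
                       Services = 'None'; NotAfter = [datetime]'4/13/2032 5:38:47 PM' }
)

# The evaluation date is constructed so the sample gives the same answer on any day.
$orphaned = Get-OrphanedService -Certificate $certs `
    -Thumbprint 'E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9' -AsOf ([datetime]'7/20/2022')
if ($orphaned) { Write-Warning "Re-assign before removing: $($orphaned -join ', ')" }
```

On the sample data the warning names IMAP and POP: SMTP and IIS are also bound to other certificates in the listing, while IMAP and POP are bound only to the certificate being removed. In the Exchange Management Shell, pass the output of Get-ExchangeCertificate as -Certificate instead of the sample array.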

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 4 Comments

  1. Thx for your post.

    However, trying to unbind the certificate from the SMTP service does not do anything.

    Enable-ExchangeCertificate -Services None -Thumbprint xxxxx does not give any error or msg.

  2. Thank you for your always helpful information.
    Can you assist on the following.
    On my Outlook, users are being issued an incorrect certificate I had used some time ago and this certificate does not show up at all on the Get Certificate exchange list or on any certificates in the exchange certificate store.
    The only place I still find a reference to this “certificate” is on my IIS bindings and DNS forwarders, and I removed it from there.
    Can you advise why this incorrect certificate keeps on being issued?
    Thanks

    1. You’re welcome.

      – Have a look at whether there is a GPO in place that is adding the certificate.
      – I have seen that an IIS restart does not always help. Try to restart the Exchange Server.
