
Remove Exchange certificate with PowerShell

We can remove an Exchange certificate in two ways. One of them is through PowerShell. The other is with the Exchange Admin Center (EAC). In this article, you will learn how to remove an Exchange certificate with PowerShell.

Get Exchange certificate

It’s good to get a list of the installed Exchange certificates first. After that, we will remove the certificate. Read the article Get Exchange certificate with PowerShell for more information.

Do you already know which Exchange certificate you need to remove? Run Exchange Management Shell as administrator. Run the following command.

[PS] C:\>Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, Subject, CertificateDomains | fl

Thumbprint         : AAA8920D8BA6F48902822F2D15GB1A63FEBCE71D
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 16-2-2022 11:24:53
Subject            : CN=*, O=ALITAJRAN, OU=IT Department, L=The Hague, S=South-Holland, C=NL
CertificateDomains : {*,}

Thumbprint         : 89281F93928B282919A8F82929E82818188CF2EB
Services           : SMTP
NotAfter           : 12-11-2020 22:33:37
Subject            : CN=EX01
CertificateDomains : {EX01, EX01.alitajran.local}

We have two Exchange certificates installed on the Exchange Server. Both of them are bound to the SMTP service.

Certificates bound to the SMTP service behave a little differently from certificates bound to other services on an Exchange server. For example, if you bind a certificate to the IIS service, it removes the binding for any previous certificate and becomes the only certificate bound to that service. With SMTP, you can have multiple SSL certificates bound to the service.

Unbind Exchange certificate from service

We ran the Get-ExchangeCertificate cmdlet, so we know which certificate we want to remove: the local certificate with thumbprint 89281F93928B282919A8F82929E82818188CF2EB.

The first step is to unbind the certificate from the SMTP service. Go to the Exchange Admin Center and open up the certificate. You will see that you can’t uncheck the SMTP service. It is greyed out. We need to use PowerShell to unbind the certificate from the SMTP service.

[PS] C:\>Enable-ExchangeCertificate -Services None -Thumbprint 89281F93928B282919A8F82929E82818188CF2EB

Remove Exchange certificate

The second step is to remove the certificate. Don’t remove the certificate until you’re 100% sure you don’t need it. It’s better to leave the certificate for a week or more before removing it. Run the command, press Y to confirm, and press Enter.

[PS] C:\>Remove-ExchangeCertificate -Thumbprint 89281F93928B282919A8F82929E82818188CF2EB

Are you sure you want to perform this action?
Remove certificate with thumbprint 89281F93928B282919A8F82929E82818188CF2EB from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Certificate with thumbprint 89281F93928B282919A8F82929E82818188CF2EB is removed.
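
A pre-removal check to run between the unbind step and the Remove-ExchangeCertificate command above, as an added example that is not part of the original article. It confirms the certificate shows no bound services, that no Send or Receive connector references it through TlsCertificateName, and that another unexpired certificate still serves SMTP, then previews the removal with -WhatIf. The connector check and the SMTP coverage check are assumptions about what "still needed" means here and go beyond the steps in the article.

```powershell
# Added example: run in the Exchange Management Shell as administrator.
# The thumbprint is the one used in this article; replace it with your own.
$thumbprint = '89281F93928B282919A8F82929E82818188CF2EB'

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint -ErrorAction Stop
$blockers = @()

# 1. After the unbind step, Services should read "None".
if ("$($cert.Services)" -ne 'None') {
    $blockers += "Still bound to services: $($cert.Services)"
}

# 2. Connectors can reference a certificate by name in the form <I>issuer<S>subject.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
$connectors = @(Get-SendConnector) + @(Get-ReceiveConnector)
foreach ($c in $connectors) {
    if ("$($c.TlsCertificateName)" -eq $tlsName) {
        $blockers += "Connector '$($c.Identity)' references this certificate"
    }
}

# 3. Another certificate that has not expired must still be bound to SMTP.
$others = Get-ExchangeCertificate | Where-Object {
    $_.Thumbprint -ne $thumbprint -and
    "$($_.Services)" -match 'SMTP' -and
    $_.NotAfter -gt (Get-Date)
}
if (-not $others) {
    $blockers += 'No other unexpired certificate is bound to SMTP'
}

if ($blockers.Count -gt 0) {
    # Report every reason the certificate still looks to be in use.
    $blockers | ForEach-Object { Write-Warning $_ }
} else {
    # -WhatIf shows what would be removed without touching the certificate store.
    Remove-ExchangeCertificate -Thumbprint $thumbprint -WhatIf
}
```

If the script prints no warnings and the -WhatIf output names the expected thumbprint, run the Remove-ExchangeCertificate command without -WhatIf.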


In this article, you learned how to remove an Exchange certificate with PowerShell. Don’t forget to unbind the certificate from the service first. After that, you can remove the certificate. Do you use the Exchange Admin Center or PowerShell?




ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 2 Comments

  1. Thank you for your always helpful information.
    Can you assist on the following.
    On my Outlook, users are being issued an incorrect certificate I had used some time ago and this certificate does not show up at all on the Get Certificate exchange list or on any certificates in the exchange certificate store.
    The only place I still find a reference to this “certificate” is on my IIS bindings and DNS forwarders, and I removed it from there.
    Can you advise why this incorrect certificate keeps on being issued?

    1. You’re welcome.

      – Have a look at whether there is a GPO in place that is adding the certificate.
      – I have seen that an IIS restart does not always help. Try to restart the Exchange Server.
