Remove certificate in Exchange Server

There are two methods to remove an Exchange Server certificate. The first method is to delete the certificate in Exchange Server with Exchange Admin Center (EAC). The second method is to remove the certificate with PowerShell. Before we start, did you assign a new certificate to the Exchange services? We recommend waiting a week before removing the old certificate. A certificate that is still assigned to Exchange services can’t be removed.

Remove certificate in Exchange admin center

Let’s look at how to remove the Exchange certificate in Exchange Admin Center with the steps below:

  1. Sign in to Exchange Admin Center
  2. Click servers > certificates
  3. Select the certificate that you want to remove from the list view
  4. Click the delete icon

Note: Ensure another certificate is installed and assigned to the Exchange services before you press delete.

  5. A warning asks if you are sure you want to remove the certificate
  6. Click OK
  7. The Exchange certificate is successfully removed

If you didn’t get an error message saying that the certificate can’t be removed, you can assume that the certificate was removed from Exchange Server successfully. It’s always good to double-check, so in the next step, we will verify that the certificate is removed from the Exchange Server.

  8. Check the installed certificates in Exchange Server and confirm that the certificate doesn’t appear in the list

Do you have more than one Exchange Server running in the organization? Repeat the steps described in this article on the remaining Exchange Servers.

Remove Exchange certificate with PowerShell

In the steps below, you will learn how to remove an Exchange certificate with PowerShell.

Get Exchange certificate

It’s good to get a list of the installed Exchange certificates first. After that, we will remove the certificate. Read the article Get Exchange certificate with PowerShell for more information.

Run Exchange Management Shell as administrator and run the Get-ExchangeCertificate cmdlet.

[PS] C:\>Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, Subject, CertificateDomains | fl


Thumbprint         : 1AEF337DFC2B537D9E0D0C89D1AE55749AF2660B
Services           : SMTP
NotAfter           : 5/1/2027 9:15:30 PM
Subject            : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}

Thumbprint         : E55A7CE736B5798A1A694F1D0515227E35F97514
Services           : IIS, SMTP
NotAfter           : 5/1/2027 7:53:26 PM
Subject            : CN=EX01-2019
CertificateDomains : {EX01-2019, EX01-2019.exoip.local}

Thumbprint         : E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 7/19/2022 11:14:01 AM
Subject            : CN=mail.exoip.com
CertificateDomains : {mail.exoip.com, autodiscover.exoip.com}

Thumbprint         : 5C542FF3253B641876C77C70404625154B723E25
Services           : None
NotAfter           : 4/13/2032 5:38:47 PM
Subject            : CN=WMSvc-SHA2-EX01-2019
CertificateDomains : {WMSvc-SHA2-EX01-2019}

We have four Exchange certificates installed on the Exchange Server. Three certificates are bound to the SMTP service.

Note: The SMTP service handles certificate bindings a little differently than the other services on an Exchange Server. For example, if you bind a certificate to the service IIS, it removes the binding for any previous certificate and becomes the only certificate bound to that service. With SMTP, you can have multiple SSL certificates bound to the service.

Do you already know which Exchange certificate you need to remove? Then, let’s find out how to remove the Exchange certificate in the next step.

Remove Exchange certificate

We ran the Get-ExchangeCertificate cmdlet, so we know which certificate we want to remove. The certificate that we want to remove is the local certificate with thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9.

Note: Don’t remove the certificate until you’re 100% sure you don’t need it. It’s better to leave the certificate for a week or more before removing it.

Run the Remove-ExchangeCertificate cmdlet, press Y to confirm, and press Enter.

[PS] C:\>Remove-ExchangeCertificate -Thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9 from the computer's certificate store?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

The certificate with thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9 is removed successfully.
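A pre-removal check for the notes above, as an added example that is not part of the original article: it reports which services on the certificate are not yet assigned to another unexpired certificate and which send or receive connectors still reference it through TlsCertificateName, then previews the removal with -WhatIf. The function name Test-ExchangeCertificateRemoval and its SafeToRemove rule are assumptions of this example.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
function Test-ExchangeCertificateRemoval {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Server = $env:COMPUTERNAME
    )
    $all = @(Get-ExchangeCertificate -Server $Server)
    $old = $all | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $old) { throw "No certificate with thumbprint $Thumbprint on $Server." }

    # Services is a flags value ("IMAP, POP, IIS, SMTP"); handle it as text so
    # the check also works with deserialized objects in a remote session.
    $oldServices = @("$($old.Services)" -split ',\s*' | Where-Object { $_ -ne 'None' })

    # Candidates to take over: every other certificate that has not expired.
    $others = @($all | Where-Object {
        $_.Thumbprint -ne $Thumbprint -and $_.NotAfter -gt (Get-Date) })

    # A service is uncovered when no other unexpired certificate has it assigned.
    $uncovered = @($oldServices | Where-Object {
        $svc = $_
        -not ($others | Where-Object { ("$($_.Services)" -split ',\s*') -contains $svc })
    })

    # Connectors reference a certificate as "<I>issuer<S>subject" in
    # TlsCertificateName, so a replacement needs the same issuer and subject.
    $tlsName = "<I>$($old.Issuer)<S>$($old.Subject)"
    $allConnectors = @(Get-SendConnector) + @(Get-ReceiveConnector -Server $Server)
    $pinned = @($allConnectors |
        Where-Object { "$($_.TlsCertificateName)" -eq $tlsName } |
        ForEach-Object { "$($_.Identity)" })
    $sameName = @($others | Where-Object {
        $_.Issuer -eq $old.Issuer -and $_.Subject -eq $old.Subject })

    [pscustomobject]@{
        Thumbprint        = $old.Thumbprint
        Subject           = $old.Subject
        UncoveredServices = $uncovered -join ', '
        PinnedConnectors  = $pinned -join ', '
        SafeToRemove      = ($uncovered.Count -eq 0) -and
                            ($pinned.Count -eq 0 -or $sameName.Count -gt 0)
    }
}

# Thumbprint taken from the article's example; -WhatIf only reports what would happen.
$check = Test-ExchangeCertificateRemoval -Thumbprint E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9
$check | Format-List
if ($check.SafeToRemove) { Remove-ExchangeCertificate -Thumbprint $check.Thumbprint -WhatIf }
```

"Covered" here only means that another unexpired certificate has the service assigned; confirm that it is the certificate you intend clients to receive before dropping -WhatIf.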

Conclusion

You learned how to remove a certificate in Exchange Server. Remember not to remove the certificate immediately. Make sure that you assign another certificate to the Exchange services first. Then wait it out and remove the certificate, for example, after a week.

Unfortunately, you can’t unbind the service from the certificate. Instead, you have to re-assign the services to another certificate first. After that, you can remove the certificate.

I hope that this article helped you to remove the Exchange certificate in Exchange Server. What do you prefer, removing the certificate in Exchange Admin Center or with PowerShell?

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 11 Comments

  1. Hi,
    Today I have some problems with my certificate, my certificate has already been removed. I can access Exchange Server 2019 from the browser but I can’t log in. My question is how to solve my problem. Thanks

  2. Hi Ali,
    I’ve replaced my expired exchange certificate and assigned all the services to the new one (SMTP, POP, IIS etc…) But when I attempt to delete the old, expired certificate, I get the pop up that it’s still bound to one of my send connectors. Is it ok to proceed to delete the old certificate or will mail flow be affected?

  3. Thank you for a great blog. This is so informative. I would also like to write a PowerShell script to run every 60 days inserting a new certificate.

  4. So the initial 3rd party certificate we installed didn’t have the SAN for autodiscover. We acquired the correct UCC certificate with the same subject name as the original 3rd party one and the correct SAN’s, installed it, and assigned it to the Exchange services successfully. OWA works correctly as does autodiscover now.

    For the old certificate, should it still show as assigned to Exchange services in the EAC? When I look at it, IIS is unchecked, but SMTP, IMAP, & POP still have a greyed out check box that can’t be unchecked. Is it safe to delete it in this state?

    1. It would be nice if it were unchecked (not greyed out). But, that’s something we have to deal with. Hopefully, the Exchange team will correct this in the future.

      You can safely remove the old certificate.

  5. Thx for your post.

    However, trying to unbind the certificate from the SMTP service does not do anything.

    Enable-ExchangeCertificate -Services None -Thumbprint xxxxx does not give any error or msg.

  6. Thank you for your always helpful information.
    Can you assist on the following.
    On my Outlook, users are being issued an incorrect certificate I had used some time ago and this certificate does not show up at all on the Get Certificate exchange list or on any certificates in the exchange certificate store.
    The only place I still find a reference to this “certificate” is on my IIS bindings and DNS forwarders, and I removed it from there.
    Can you advise why this incorrect certificate keeps on being issued?
    Thanks

    1. You’re welcome.

      – Have a look at whether there is a GPO in place that is adding the certificate.
      – I have seen that an IIS restart does not always help. Try to restart the Exchange Server.
