
Renew certificate in Exchange Hybrid

How do you renew a certificate in Exchange Hybrid? You have installed a new third-party certificate on the Exchange Server and assigned it to the services. Now you want to remove the old certificate, but you get an error saying that the certificate is tagged with the Outbound to Office 365 send connector. Why does this happen, and what is the solution?

Invalid Exchange certificate

Sign in to the Exchange admin center. Navigate to servers > certificates. Select the Exchange Server from the drop-down menu if you have multiple Exchange Servers.

In our example, we have an invalid certificate.

Important: In production environments, renew the certificate before it expires. Once the certificate that the connectors use has expired, TLS between Exchange on-premises and Exchange Online fails and hybrid mail flow stops.

Exchange third-party certificate date invalid

Install Exchange certificate

We installed a free Let's Encrypt certificate on the Exchange Server and assigned it to the IMAP, IIS, and SMTP services. The certificate shows the status Valid.

Exchange third-party certificate date valid

Read more: Install Exchange certificate with PowerShell »

These certificates are tagged with following Send Connectors

The new certificate is installed and valid, and the old certificate is expired. Let's remove the old certificate from the Exchange Server to keep everything tidy.

When we try to remove the expired Exchange certificate, we get an error.

Error these certificates are tagged with following Send Connectors Outbound to Office 365

A special Rpc error occurs on server EX02-2016: These certificates are tagged with following Send Connectors : Outbound to Office 365 - d1c9beac-0655-48e7-9949-5e497af1d38d. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.

Why do we get this error? The Hybrid Configuration Wizard stamps both connectors with a TlsCertificateName value built from the certificate's Issuer and Subject. As long as the old certificate matches that value, Exchange refuses to delete it. The solution is to point the connectors at the new certificate first.

Renew certificate in Exchange Hybrid with PowerShell

The solution to this error is to assign the new certificate to the:

  1. Send connector: Outbound to Office 365 - <GUID> (one per organization, created by the Hybrid Configuration Wizard)
  2. Receive connector: Default Frontend <server name> (one per Exchange Server)

Important: The send connector is organization-wide and is set once. The receive connector exists on every Exchange Server, so repeat the receive connector step on each server, and make sure the new certificate is installed on each of those servers before you do.

Follow these steps:

Step 1. Collect information

Double-click the new certificate in the Exchange admin center. Copy the Thumbprint.

Copy new certificate thumbprint

Go to mail flow > send connectors. Copy the Outbound to Office 365 send connector name. In our example, it's Outbound to Office 365 - d1c9beac-0655-48e7-9949-5e497af1d38d.

Copy send connector outbound to Office 365 name

Go to mail flow > receive connectors. Copy the Default Frontend receive connector name. In our example, it’s Default Frontend EX02-2016.

Copy default frontend name

Step 2. Set the new certificate

Run Exchange Management Shell as administrator. Get the Exchange certificate with the thumbprint that you copied in the previous step.

[PS] C:\>Get-ExchangeCertificate -Thumbprint "2936E663C57F488BDC11661357DB60D031A90CE8"

Thumbprint                                Services   Subject
----------                                --------   -------
2936E663C57F488BDC11661357DB60D031A90CE8  I..WS..

Store the value to the $TLSCert variable.

[PS] C:\>$TLSCert = Get-ExchangeCertificate -Thumbprint "2936E663C57F488BDC11661357DB60D031A90CE8"

Build the TlsCertificateName value from the certificate issuer and certificate subject and store it in the $TLSCertName variable. The format must be exactly <I>Issuer<S>Subject, which is the same format the Hybrid Configuration Wizard writes.

[PS] C:\>$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"

Run the Set-SendConnector cmdlet, including the TlsCertificateName parameter. Fill in the send connector name that you copied in the previous step.

[PS] C:\>Set-SendConnector "Outbound to Office 365 - d1c9beac-0655-48e7-9949-5e497af1d38d" -TlsCertificateName $TLSCertName

Run the Set-ReceiveConnector cmdlet, including the TlsCertificateName parameter. Fill in the receive connector name that you copied in the previous step.

[PS] C:\>Set-ReceiveConnector "EX02-2016\Default Frontend EX02-2016" -TlsCertificateName $TLSCertName

You may get a warning when you run the Set-SendConnector and Set-ReceiveConnector cmdlets. That happens when the new certificate's Issuer and Subject fields are identical to the old certificate's, because the TlsCertificateName value is built from exactly those two fields and therefore does not change.

In our example, we added a new Let's Encrypt certificate, but the old certificate was also issued by Let's Encrypt for the same name. That's why we got the warning below.

WARNING: The command completed successfully but no settings have been modified.

When you see this warning, the connectors are configured correctly. You should still delete the old certificate, because two certificates in the store now match the connector's TlsCertificateName, and you do not want Exchange to pick the expired one. Unfortunately, the Exchange admin center (and Remove-ExchangeCertificate) will not let you delete it, because Exchange still considers it tagged to both connectors.

Open the Certificates MMC snap-in for the Local Computer account, and delete the expired certificate from the Personal store. The Windows certificate store does not have the connector check, so the deletion succeeds. Identify the right certificate by its Expiration Date, and compare the thumbprint with the new certificate's thumbprint before you delete anything.

Delete expired certificate

Go back to the Exchange admin center. Refresh the page or click the refresh icon in the toolbar. The old certificate is removed successfully, and the new certificate is still available.

Only new certificate available in Exchange admin center certificates list

Step 3. Restart IIS

Restart Internet Information Services (IIS) on the Exchange Server. Note that iisreset briefly disconnects Outlook, OWA, and ActiveSync clients on that server, so run it outside business hours or on one server at a time in a load-balanced environment.

[PS] C:\>iisreset
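The three steps above as one Exchange Management Shell script. This is an added example, not the article's own code: it sets the connectors on every Exchange Server, verifies that the connectors report the new TlsCertificateName (also when the "no settings have been modified" warning appears), and then lists the expired duplicates that the Exchange admin center refuses to delete. It assumes the thumbprint from the article, that the Hybrid Configuration Wizard named the send connector "Outbound to Office 365 - <GUID>", and that PowerShell remoting to the Exchange Servers works; the $RemoveExpired switch is a safety guard invented for this example.

```powershell
# Added example: renew the hybrid transport certificate with the Exchange Management Shell.
# Assumptions: thumbprint of the new certificate (from the EAC), HCW default connector names,
# PowerShell remoting to each Exchange Server. Set $RemoveExpired to $true to actually delete.
$NewThumbprint = "2936E663C57F488BDC11661357DB60D031A90CE8"
$RemoveExpired = $false

# The connector value has the exact format <I>Issuer<S>Subject, as written by the HCW.
$TLSCert     = Get-ExchangeCertificate -Thumbprint $NewThumbprint
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"

# Refuse to bind a certificate that is about to expire; the point of the exercise is mail flow.
if ($TLSCert.NotAfter -lt (Get-Date).AddDays(14)) {
    throw "Certificate $NewThumbprint expires on $($TLSCert.NotAfter). Use the renewed certificate."
}

# Send connector: organization-wide, so set it once.
$SendConnector = Get-SendConnector | Where-Object { $_.Name -like "Outbound to Office 365*" }
if (-not $SendConnector) { throw "Send connector 'Outbound to Office 365 - <GUID>' not found." }
Set-SendConnector -Identity $SendConnector.Identity -TlsCertificateName $TLSCertName

# Receive connector: one "Default Frontend <server>" per server, so loop over the servers.
$Servers = Get-ExchangeServer
foreach ($Server in $Servers) {
    # Skip servers where the new certificate is not installed yet; Set-ReceiveConnector would
    # otherwise point the connector at a certificate the server cannot present.
    $Installed = Get-ExchangeCertificate -Server $Server.Name -Thumbprint $NewThumbprint -ErrorAction SilentlyContinue
    if (-not $Installed) {
        Write-Warning "$($Server.Name): certificate $NewThumbprint not installed, skipping."
        continue
    }
    Get-ReceiveConnector -Server $Server.Name |
        Where-Object { $_.Name -like "Default Frontend*" } |
        ForEach-Object { Set-ReceiveConnector -Identity $_.Identity -TlsCertificateName $TLSCertName }
}

# Verify. If issuer and subject are unchanged (same CA, same host name) Exchange warns that
# "no settings have been modified"; the value is still right, which is what we check here.
$Actual = "$((Get-SendConnector -Identity $SendConnector.Identity).TlsCertificateName)"
if ($Actual -ne $TLSCertName) { throw "Send connector still uses: $Actual" }
Write-Output "Send connector TlsCertificateName OK: $Actual"

# Informational: the HybridConfiguration object keeps its own copy of the value. Set-SendConnector
# does not update it; rerunning the Hybrid Configuration Wizard does.
Write-Output "HybridConfiguration TlsCertificateName: $((Get-HybridConfiguration).TlsCertificateName)"

# Find certificates with the same <I>/<S> pair that are expired. The EAC and Remove-ExchangeCertificate
# refuse to delete them while the connector name matches, so delete them from the Windows store
# (same effect as the MMC Personal store step), never touching the new thumbprint.
foreach ($Server in $Servers) {
    Get-ExchangeCertificate -Server $Server.Name -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Issuer -eq $TLSCert.Issuer -and $_.Subject -eq $TLSCert.Subject -and
            $_.Thumbprint -ne $NewThumbprint -and $_.NotAfter -lt (Get-Date)
        } |
        ForEach-Object {
            Write-Warning "$($Server.Name): expired duplicate $($_.Thumbprint) (expired $($_.NotAfter))"
            if ($RemoveExpired) {
                Invoke-Command -ComputerName $Server.Name -ArgumentList $_.Thumbprint -ScriptBlock {
                    param($Thumb)
                    Remove-Item -Path "Cert:\LocalMachine\My\$Thumb"
                }
            }
        }
}
```

Run it once with $RemoveExpired left at $false to see which thumbprints would be deleted on which servers, then rerun with $true. Deleting from Cert:\LocalMachine\My bypasses the Exchange safety check on purpose, so the thumbprint comparison against $NewThumbprint is the guard that keeps the new certificate in place; afterwards run iisreset on each server as in Step 3.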

Renew certificate in Exchange Hybrid with Office 365 Hybrid Configuration Wizard

Another way to renew the Exchange Hybrid certificate is to rerun the Hybrid Configuration Wizard. Sign in with your on-premises and Office 365 credentials in the first step, and go through the wizard by clicking Next, leaving the existing settings as they are.

You will see the Transport Certificate window in the setup wizard. Choose the new certificate. Click next.

Select new certificate in Exchange Hybrid Configuration Wizard

Click on update.

Office 365 Hybrid Configuration Wizard ready for update

The Office 365 Hybrid Configuration Wizard configured the new certificate on the send connector and the receive connectors, and updated the hybrid configuration object. Afterwards, you can remove the old certificate.

Office 365 Hybrid Configuration Wizard completed

That’s it!

Keep reading: Renew Microsoft Exchange Server Auth Certificate »


In this article, you learned how to renew the Exchange Hybrid certificate. Collect the new certificate information and run the commands to set the TLS certificate on the send connector and receive connector. Another way is to rerun the Office 365 Hybrid Configuration Wizard and select the new certificate.

Did you enjoy this article? You may also like How to export certificate in Exchange Server. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 22 Comments

  1. So there isn't really a need to run HCW, correct? As long as I run the PS cmdlet to bind the cert to services?

  2. We are running Exchange Server 2016 and followed these excellent directions. Thank you. One question though is when I run Get-HybridConfiguration the tlscertificate is not updated to the new cert. Is this normal following the update of the connectors without running the HCW?

  3. Nice write up Ali. I currently import LE certs with Import-ExchangeCertificate and the assign services using

    Get-ExchangeCertificate -Server $env:COMPUTERNAME -Thumbprint $THUMB | Enable-ExchangeCertificate -Force -Services POP,IMAP,SMTP,IIS

    Just wondering if that would work rather than using Set-SendConnector and Set-ReceiveConnector cmdlets?

  4. When rerunning the Office 365 Hybrid Configuration Wizard, all of the settings will remain the same as when it was setup? Just click through it, with the exception of adding the new certificate in the Transport Certificate window?

  5. Hi Ali,

    With regards SSL, do we need to keep the DigiCert webmail certificate once hybrid is gone or can we replace it with one from our own CA? So in essence once we are down to the last server, do we still need external SSL?


  6. I have two certificates for two different domain names on the server and in Exchange. How can I tell which certificate is currently used by the two connectors?

  7. Thanks for this – I guess running the hybrid config wizard is the easiest and fastest way of doing this.
    Is it true that if i run the hybrid configuration wizard i won’t have to manually setup the following:
    – manually setup the services to the new cert (SMTP, IIS, POP, IMAP)
    – manually setup the cert on the relevant connectors
    – delete the old certificate

    thank you!

      1. Hi Ali – thanks for the reply! So request the .req via Exchange admin centre, renew via third party, go back to Exchange admin centre and complete the pending request to upload the new certificate and give it the appropriate services such as SMTP, IIS, POP, IMAP, and then rerun Exchange hybrid? Do I need to restart IIS at any point if going by the wizard? Thanks!

  8. Thanks Ali! great write up.

    Normally I get a contractor to renew our exchange SSL cert but this time I did it in house.

    Thanks again.

  9. Hi,
    Do we need to update the other Receive connectors or just the Default Frontend connector in a Hybrid setup when renewing the certificate?

  10. Thank you for the article, just one question – if you’re doing it the “manual” way is there any requirement to also use the Set-HybridConfiguration to set the TlsCertificateName property aswell?

  11. Thanks Ali, highest praise!!! All your articles are well researched and quite detailed. These days whenever I need to check something quickly about Exchange, I always look if your website has it covered, no disappointments 🙂 Keep up the good work!

  12. Hi Ali,

    Thank you very much for this article. It helped me a lot.
    Keep up the good work!

    Kind regards

  13. Thanks for this article; actually, many of your other articles on this site are excellent and have helped me.
