Updating your TLS Certificate with Exchange Hybrid

When updating the certificate you need to complete this in three places these are as follows

1) How to install the new PFX certificate
2) Hybrid Wizard, this simply required a re-run choosing the new certificate
3) Send Connectors on "local" Exchange
4) Check you new certificate is active

Before you begin check mail flow for external connectors using this command:

Get-MailboxServer | Get-Queue -Exclude Internal

It should look like this with "zero" in the all the queues

How to install the new PFX certificate?

Once you have the certificate, in a PFX format you can follow this section, for my example I needed to create a CSR (certificate signing request) which was certified by out "external" certification provider.

Note : Lets remember when you create a CSR the private key, the one you need to make the certificate valid is stored on the server that generated the CSR, you cannot bind services to certificates that have no private key, if you do they will fail at the negotiation stage.

Simple one command to tell you:

Get-SendConnector | fl Name,SourceTransportServers

This will give you this, the servers here are the servers that require the certificate as they will be sending mail.....

Name                   : Mail to WWW
SourceTransportServers : {mailserver1, mailserver2, mailserveredge, mailserversmtp, mailserverinternal}

Name                   : Mail to Office 365
SourceTransportServers : {mailserver1, mailserver2, mailserveredge, mailserversmtp, mailserverrouting}

All the servers highlighted require the certificates. but as this can be changed in the GUI or PowerShell using Set-SendConnector I would install the certificates on all your Exchange servers, as if a server does not have the certificate it cannot send mail using it :) 

So to install the certificates first you need to install the certificates, so if you have a couple of servers do this:

Enter-PSSession -ComputerName mailserver1

$password= "securepassword" | ConvertTo-SecureString -AsPlainText -Force

Import-PfxCertificate -Exportable -Password $password -CertStoreLocation Cert:\LocalMachine\My -FilePath "\\sslcerts\PFX\cert.pfx"

If you have lots of servers, you can use this to accomplish the same thing, obvioulsy you will need to customise the TXT file of your servers:

$computers = c:\temp\servers.txt

ForEach ($remoteSystem in $computers){

    Enter-PSSession -ComputerName $RemoteSystem

$password= "securepassword" | ConvertTo-SecureString -AsPlainText -Force

       #Commands below this point will execute remotely

       Import-PFXCertificate -Password $password -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath "\\sslcerts\PFX\cert.pfx"



The response you need for this look like this:

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------

8452EB0AD2011DDB0977BD40C5FB8BD02BE0E010  CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB

NOTE : Please ensure you set complex passwords for your PFX files as they have your private keys and the private keys are not what you want getting out there in the wild, so even if its internal PLEASE set secure passwords, unless you delete the PFX one done!!!!!

Enable the Certificate

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP

You need to enable the certificates on all servers, so you can use this:

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP - Server mailserver1

Hybrid Wizard

Note :
Ensure you get the latest version of Hybrid Configuration wizard, as your login to EXO will not work with the older versions, to get the latest version visit > http://aka.ms/hybridWizard

This is a GUI, so no instructions really required, its very obvious what you need to do for an Exchange Administrator, if you are not an Exchange Administrator then please do not run this tool.

If you must look at screenshots you can do so by using these websites:


Or you can use this Google search:


Send Connectors - PowerShell magic

This is the simple one as it requires PowerShell so you margin for error is low, but you do need some group work before you start on this

First you need to know which Send Connectors have TLS required as these are the ones you will need to update, this is done with this command:

Get-SendConnector | fl Name,RequireTLS

This will return this, names changed for security people:

Name       :  Mail to the WWW
RequireTLS : True

Name       : Internal Mail
RequireTLS : False

Name       : Mail to Office 365
RequireTLS : True

We only care the ones where RequireTLS is true the others you can ignore as they are not affected by the SSL update as they do not use SSL.

Then to get the certificate used you will need this command:

Get-SendConnector | fl Name,TLSCertificateName

This will return this:

Name               : Mail to WWW
TlsCertificateName : <I>CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See

                     www.entrust.net/legal-terms, O="Entrust, Inc.", C=US<S>CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB

Name               : Mail to Office 365
TlsCertificateName : <I>CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See

                     www.entrust.net/legal-terms, O="Entrust, Inc.", C=US<S>CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB

This shows us the certificates used, to check this you will need to use the command:

Get-ExchangeCertificate - Server mailserver1

Which will return on the certificates, but I have filtered for the one we require only, as you can see there are two here, the new one and the old one.....

1587571469341BFB814578745764FFD11970EA80E4C  ....S..    CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB
6958471469341BFB814578745764FFD11970DQ548RT .......    CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB

The one in bold is the new one as it does not have a "S" assigned to it for "send connector" so the top one is the old one and the new one is the bottom one......

So then you need to run these commands, the first one gets the new SSL certificates and sets that data with the variable $TLSCert and $TLSCertName which is require for the connectors:

$TLSCert = Get-ExchangeCertificate -Thumbprint 6958471469341BFB814578745764FFD11970DQ548RT -Server mailserver1

$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"

Now you need to update the send connectors with the new certificate, this is simple from this point and it looks like this:

Set-SendConnector "Mail to WWW" -TlsCertificateName $TLSCertName
Set-SendConnector "Mail to Office365" -TlsCertificateName $TLSCertName

Once this command completes you have sucesfully update your SSL certificate for the send connectors and if you run this command:

Get-ExchangeCertificate - Server mailserver1

It should now look like this:

1587571469341BFB814578745764FFD11970EA80E4C  ....S..    CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB
6958471469341BFB814578745764FFD11970DQ548RT ....S..    CN=mailflow.a6n.co.uk, O=Mail Services, L=Coventry, C=GB

Do not worry about the "S" on the old certificates, Exchange still has it cached, and you will be deleting soon anyway, if you are not sure back it up first :) 

Once done, sure you run this command:

Get-MailboxServer | Get-Queue -Exclude Internal

You need ensure you queues all end up on "zero" again, if they have messages in them the status needs to be "Active" and not "Retry" if you see retry and the messages continually climb upwards you have done something wrong or skipped a step.

Check you new certificate is active

Check you new certificate is active as if you miss this step all the above is for nothing it will still expired, in my example we have a appliance that managed the SSL on the older certificate, I found this using many of the websites you can use to check SSL certificates, I use this one:


There are many you can use, all it takes is a Google, unless you use Uptime Robot Pro then it does this for you, or if you use an iPhone you can use an application called "TLS Inspector"

Once this was updated on the SSL appliance all was good, lets be clear here this SSL certificate being expires would not affect mail flow outside the company but in our case the MRS endpoint and Hybrid connection would be offline as they are used by this certificate.

If you use a chain not on the SSL insider programme like we do, then you need to ensure that the certificate is also linked to the chain on the appliance, if you miss this step then people who do not trust this certificate will fail to connect, the below shows no errors with "chain issues" - this needs to say "None" if you use a CA not on the insider programme.

It is always worth checking the basic, as after all that work without this check if would all have failed.