9

Should I Overwrite The Default Exchange SMTP Certificate?

When adding a TLS certificate on an Exchange server, the inevitable prompt will appear to enquire if you wish to overwrite the default SMTP certificate binding.  While the UI in the current versions of Exchange is slightly different, it was basically the same prompt in Exchange 2010 & Exchange 2007.

Exchange Prompt To Overwrite Default SMTP Certificate

While the prompt language was the same in Exchange 2007 and newer versions, the way that transport deals with TLS certificates did change significantly in Exchange 2010.  Exchange 2007 allowed only a single certificate to be bound to SMTP, and thus that certificate needed to have all of the required names.   In Exchange 2010, the transport service became more intelligent and was able to determine which TLS certificate should be used based on the connection.

This process is documented for Exchange 2010 here.

The below flowchart illustrates the logic:

Exchange 2010 SMTP Certificate Selection Flowchart

When an SMTP session is established, the receiving server initiates a certificate selection process to determine which certificate to use in the TLS negotiation. The sending server also performs a certificate selection process. For more information about that process, see Selection of Outbound Anonymous TLS Certificates.  From this link, step 5 outlines some of the pertinent aspects of the certificate selection:

The certificate selection process searches for all certificates in the certificate store that have a matching FQDN. From this list, the certificate selection process identifies a list of eligible certificates. Eligible certificates must meet the following criteria:

  • The certificate is an X.509 version 3 or a later version certificate.
  • The certificate has an associated private key.
  • The Subject or Subject Alternate Name fields contain the FQDN that was retrieved in step 3.
  • The certificate is enabled for SSL/TLS use. Specifically, the SMTP service has been enabled for this certificate by using the Enable-ExchangeCertificate cmdlet.

In a nutshell, the fundamental difference with Exchange 2010 onwards is that multiple TLS certificates can be bound to SMTP

To Overwrite, Or Not Overwrite...

While the documentation says that there is typically no need to overwrite the default SMTP certification, I have noted that most customers actually do this as they click the default option which is to overwrite.

In most cases this does not cause issues as they are not using Edge servers for example.  They also typically leave the additional SMTP binding so that transport can use both certificates.

My default preference is NOT to overwrite the default SMTP certificate.

Please note that CAS is separate from transport.  The IIS binding will be changed from the default CAS configuration, as we do NOT want users to get certificate errors in Outlook.

Walkthrough of Prompts to Overwrite Default SMTP Certificate

The below screenshots illustrate the UI shown when updating TLS certificate on Exchange.

Assigning Services To An Exchange Certificate - Starting The Wizard

We then chose to bind the certificate to IIS and SMTP services by selecting their respective boxes.

Assigning Services To An Exchange Certificate - Assigning Services to IIS and SMTP

Note that it is at this point we get the warning, and question if we want to overwrite the default SMTP certificate.  There is no prompt for if were to choose only IIS as that follows the Highlander principle.  *

Warning - Do You Want to Overwrite the Default SMTP Certificate

Additional Consideration

As an additional note, please note that we use a designated TLS certificate to encrypt cross-premises messages from Exchange to Exchange Online Protection.

If you have updated the on-premises SMTP certificate, please review your hybrid configuration as it is likely you will need to re-run the Hybrid Configuration Wizard (HCW).

As a reminder, the below is what you will see when running the HCW and are prompted to choose the TLS certificate.

Exchange Hybrid Wizard - Select Transport SMTP Certificate

 

Cheers,

Rhoderick

*  There can be only one!

Rhoderick Milne [MSFT]

9 Comments

  1. Hi Rhoderick,

    Thanks for the post. One scenario not mentioned where I think it makes sense to overwrite the default is when you renew the self-signed certificate (the original default). Would you agree? If not, can you shed any light on the why?

    Thanks in advance.

    • Hi Jeremy,
      For that scenario, yes I would overwrite.

      When done, then I would also remove the old expired cert as well.

      Cheers,
      Rhoderick

  2. Good day, Rhoderick.
    Like some of your customers, I overwritten default SMTP certificate, while renewing the public certificate in my Exchange 2016 environment. Is there a way to restore the original setting? By default it is a Microsoft Exchange self-signed certificate that is being used for SMTP, correct?
    Thank you.

  3. Hi Rhoderick, as a "backup" connectivity protocol I need to enable IMAP for my roaming users.
    The official procedure (https://learn.microsoft.com/en-us/exchange/clients/pop3-and-imap4/configure-imap4?view=exchserver-2016) consists of:
    - to enable imap services
    - set imap settings (fqdn and connectivity bindings/protocols)
    - Configure the authenticated SMTP settings for internal and external clients, since when you enable imap to read emails you must also have a valid smtp server to be able to send emails as well. This step consists of overwriting the default Exchange self-signed certificate.

    What you write in your article apparently constrasts with what is being said in the MS article regarding the overwriting the smtp certificate. My guess is that I should replace the default Exchange self-signed certificate for my goal, otherwise the subject name in the certificate does not match the dns name set in the imap settings.
    But I am concerned about the fact that the default Exchange self-signed certificate is also used to encrypt SMTP communication between internal Exchange servers.
    Is not that, by repalcing the default Exchange self-signed certificate, something gets broken? Is the official MS procedure linked above safe or is there something that should I be made aware of before continuing this way?
    Thank you,
    Francesco

    • Hi Francesco,

      Are you referring to this bit?

      Although you can use a separate certificate for IMAP4, we recommend that you use the same certificate as the other Exchange IIS (HTTP) services, which is likely a wildcard certificate or a subject alternative name (SAN) certificate from a commercial certification authority that's automatically trusted by all clients. For more information, see Certificate requirements for Exchange services.

      You can have the namespace used for the IMAP namespace in that SAN cert, or it can be on a separate cert. Ideally all of your CAS namespaces are on a single cert, but that is still separate from overwriting the default SMTP cert that is bound to SMTP.

      The overwriting consideration is due to issues I've had with Edge subscriptions etc.
      Cheers,
      Rhoderick

  4. Hello Rhoderick,
    We have both default certificates (Microsoft Exchange Server Auth Certificate and Microsoft Exchange) plus our own Digicert wildcard certificate assigned to SMTP. We have a single customer who when we try to email, the emails sit in the outbound queue with a 454 4.7.0 Invalid client certificate error. Could this any way be caused by TLS selecting one of the default certificates for encryption versus our wildcard? Running on-prem Exchange 2016. Thanks!

  5. I have seen this with folks that overwrote one or more Exchange mailbox servers with 3rd party certificate and the next hop is Edge. This is another reason I tell every customer to never replace the default internal transport certificate... plus it gives you 5 years instead of the 1 year standard we see today. I would have your customer rebuild the Edge Subscription and that should do the trick if Edge was next hop. If not turn on verbose logging for your send connectors to see your target and thumbprint that the TLS negation is failing on.

  6. Hello Rhoderick
    I'm looking for a way to check for default SMTP certificate on the Edge servers.Nobody has any info on that.

    I found how to check for default SMTP certificate on the mailbox servers as they do live in AD, but Edge servers do not

    below is a sample code for mailboxservers, but nothing for Edge servers
    DO you know how to check for this inforrmation on Edge servers?

    $ExchangeServers = (Get-ExchangeServer |Where-Object {$_.ServerRole -like "mailbox"} )| Select-Object Name,DistinguishedName
    $Results = @()
    #Process Information
    ForEach($Server in $ExchangeServers){
    $TransportCert = (Get-ADObject -Identity $Server.DistinguishedName -Properties *).msExchServerInternalTLSCert
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $CertBlob = [System.Convert]::ToBase64String($TransportCert)
    $Cert.Import([Convert]::FromBase64String($CertBlob))
    $server | Add-Member -MemberType NoteProperty -Name DefaultTLSCertSubject -Value $Cert.Subject
    $server | Add-Member -MemberType NoteProperty -Name DefaultTLSCertFriendlyName -Value $Cert.FriendlyName
    $server | Add-Member -MemberType NoteProperty -Name DefaultTLSCertThumbprint -Value $Cert.Thumbprint
    $server | Add-Member -MemberType NoteProperty -Name DefaultTLSCertExpireDate -Value $Cert.NotAfter
    $Results += $Server
    }

    #Show result
    #$Results | Out-GridView
    $Results

Leave a Reply to Chris Cancel reply

Your email address will not be published. Required fields are marked *