Exchange: Replacing the certificate for Microsoft 365 hybrid connectors

When certificates need to be renewed or changed on (on-premises) Exchange servers, and you have a Microsoft 365 hybrid setup through the Hybrid Configuration Wizard, an Office 365 connector is set up for both send and receive:

Receive:

Send:

If you try to delete the old certificate without first setting the new certificate on the connectors, you will get this in ECP:

“A special Rpc error occurs on server EXCH01: These certificates are tagged with following Send Connectors : Outbound to Office 365. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.”

So we need to move into PowerShell and replace it, because it cannot be done through the ECP:

  • Get the thumbprint for the new cert:
    Get-ExchangeCertificate

    So here it is, the top-level cert; it’s a wildcard cert, thus the “*.” in the subject name. Sorry for the masking, this is from a non-lab environment 🙂
    Copy the thumbprint to Notepad for the next command.
  • Read the certificate subject and thumbprint into a variable:
    $cert = Get-ExchangeCertificate -Thumbprint <paste the thumbprint in here from previous command>
    $tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

    Do not change anything in the second line! The "<i>" and "<s>" markers are part of the TlsCertificateName format (issuer followed by subject) that the connectors expect.
  • Then replace the connectors:
    Send Connector –

    Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

    Receive Connector –

    Set-ReceiveConnector "EXCH01\Default Frontend EXCH01" -TlsCertificateName $tlscertificatename

    Note: replace the word “EXCH01” with the name of your Exchange server, like "MY-EXCH01\Default Frontend MY-EXCH01"

  • Run IISRESET
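As an added example (not the post’s own script), the steps above wrapped into one pass with checks before and after the change. It assumes the Exchange Management Shell on the on-premises server and the connector names used in the post; the parameter names are my own.

```powershell
# Added example, not from the original post. Assumes Exchange Management Shell and
# the connector names the post uses; adjust $ReceiveConnectorName to your server.
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,
    [string] $SendConnectorName    = 'Outbound to Office 365',
    [string] $ReceiveConnectorName = 'EXCH01\Default Frontend EXCH01'
)

$cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint -ErrorAction Stop

# Sanity checks before touching mail flow: the cert must be valid, not expired and
# enabled for SMTP, otherwise STARTTLS to Exchange Online fails (451 5.7.3 in the logs).
if ($cert.Status -ne 'Valid')        { throw "Cert $NewThumbprint status is $($cert.Status)" }
if ($cert.NotAfter -le (Get-Date))   { throw "Cert $NewThumbprint expired $($cert.NotAfter)" }
if ("$($cert.Services)" -notmatch 'SMTP') { throw "Cert $NewThumbprint is not enabled for SMTP" }

# Same <I>issuer<S>subject string the post builds; it is passed through unchanged.
$tlsCertName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

Set-SendConnector    -Identity $SendConnectorName    -TlsCertificateName $tlsCertName
Set-ReceiveConnector -Identity $ReceiveConnectorName -TlsCertificateName $tlsCertName

# Verify what the connectors now reference before the old certificate is deleted.
$sendNow = "$((Get-SendConnector    -Identity $SendConnectorName).TlsCertificateName)"
$recvNow = "$((Get-ReceiveConnector -Identity $ReceiveConnectorName).TlsCertificateName)"
if ($sendNow -ne $tlsCertName -or $recvNow -ne $tlsCertName) {
    throw "TlsCertificateName did not update: send='$sendNow' receive='$recvNow'"
}

# TlsCertificateName matches on issuer + subject, not thumbprint, so an older cert with
# the identical subject still "matches" and may block deletion (see the comments below).
# List any such certificates so the operator can decide what to remove.
Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint } |
    Format-Table Thumbprint, NotAfter, Status, Services -AutoSize

Write-Host "Connectors now use $tlsCertName. Run iisreset to finish."
```

If the listing shows an older certificate with the same subject, the workaround described in the comments (temporarily assign another certificate, delete the old one, then assign the new one) still applies.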

Note that if you fail to replace your certificate before it expires (you forgot to), mail flow between on-premises Exchange and Exchange Online (365) will stop working and you will see this in the logs:

[Message=451 5.7.3 STARTTLS is required to send mail]

IMPORTANT:

You may run into “You get a blank page after logging in EAC or OWA in Exchange 2013 or Exchange 2016” or:

Read more about the fix: Exchange: An error occurred while using SSL configuration for endpoint 0.0.0.0:444 – martinsblog.dk

Source:

Replace SSL Certificate in Send Connector in Exchange Server (azure365pro.com)


9 Comments

  1. Kieran

    Thank you for this Martin, I spent 90 minutes this morning trying to put the issuer and subject CNs into commands as per the instructions on a similar guide, thankfully found yours before I escalated. You are a legend Sir, looking forward to reading through some of your other blog entries for helpful tips.

    Reply
    1. Martin (Post author)

      Thanks a lot Kieran! 🙂

      Best regards
      Martin

      Reply
  2. R

    So I spent ages beating my head on a wall before we got ours working. If the cert you replace has the same issuer and subject name, for some reason it’s apparently not clever enough to remove the old and you end up with some hybrid of the two. Doesn’t matter that you did it by thumbprint, anyway. Mail flow never stopped working for us, but even after running the commands it still wouldn’t let me delete the old cert because it thought it was still assigned. There’s a comment on OP’s source link from someone who fixed it by temporarily assigning a random cert to the send connectors, deleting the old cert, then assigning the correct cert. You’ll lose mail flow for a few minutes but I can confirm that doing that works fine.

    Reply
    1. Martin (Post author)

      Hi, I normally assign the self-signed cert temporarily if that happens, delete the old cert and then assign the new one 🙂

      Regards Martin

      Reply
  3. Jurandir

    Unbelievable man, you’re the best.

    I’ve almost re-run Hybrid Configuration Wizard because we renewed the certificate of our on-premises server but connectors didn’t work anymore. With strange DNS errors. However, stopped on the same day as the old expired certificate.

    Thanks from Brazil!

    Your blog was saved in my Bookmarks.

    Reply
    1. Martin (Post author)

      Thanks for this Jurandir 🙂

      Best regards Martin

      Reply
  4. David

    For anyone having issues getting the thumbprint of a new cert because the name is the same you can run this command to get the full details:

    get-exchangecertificate | format-list

    Reply
  5. George

    The last cmdlet misses an “e”: $tlscertificatenam

    Reply
    1. Martin (Post author)

      Updated, thanks for pointing it out 🙂

      best regards
      Martin

      Reply
