Saturday, May 8, 2021

Updating Connectors with New SSL Certificate

When you update the SSL certificate on your Exchange Servers, you also need to update both the Send and Receive Connectors that have bindings to it. If you don't, you won't be able to delete the old certificate, because it is still bound to the connector. More importantly, and certainly in a Hybrid scenario, you can break mail flow if the sending server requires validation of the TLS connection.

The good news is that it is an easy task to do. Follow these PowerShell steps to do this.

Get the Thumbprint of the certificate you need to apply to the connector.

get-exchangecertificate | ft

Then use that thumbprint in the following commands:

$cert = Get-ExchangeCertificate -Thumbprint XX
$tlscertificatename = "<I>$($cert.Issuer)<S>$($cert.Subject)"

This sets up $tlscertificatename with the details needed to apply the certificate to the connectors.

Then use the following PowerShell to apply the certificate to both the Send and Receive Connectors. Obviously you will need to edit those commands with the actual connector names.

Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

Set-ReceiveConnector "EXCHANGESERVER\Default Frontend EXCHANGESERVER" -TlsCertificateName $tlscertificatename

Once this is done you can delete any old certificates that you may have. Note that there is no need to restart any services, as the changes take effect immediately.


When renewing certificates it is quite common for the name of the certificate to stay the same. That means that when you update the certificate on the Send Connector, it will say that no updates have been made. But you still can't delete the old certificate, because Exchange still considers it applied to the Send Connector.

To fix this, just set the certificate that is assigned to the Send Connector to NULL. Use this command.

Set-SendConnector "Outbound to Office 365" -TlsCertificateName $NULL

Then you can remove the old certificate. After that, apply the correct certificate to the Send Connector.
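A read-only check to run before deleting the old certificate, added here as an example and not part of the original post: it lists each connector that has a TlsCertificateName together with the installed certificates whose issuer and subject produce that same string, and flags the renewal case where the old and new certificate both match. It assumes the connector value renders as the `<I>…<S>…` string built above and that it is run in the Exchange Management Shell on the server being checked.

```powershell
# Added example (read-only): nothing here changes connectors or certificates.
$server = $env:COMPUTERNAME   # assumption: run on the Exchange server being checked
$now    = Get-Date

# Index installed certificates by the same "<I>issuer<S>subject" string
# that the connectors store in TlsCertificateName.
$certs = Get-ExchangeCertificate -Server $server | ForEach-Object {
    [pscustomobject]@{
        TlsName    = "<I>$($_.Issuer)<S>$($_.Subject)"
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
    }
}

# Send connectors are organization-wide; receive connectors belong to one server.
# Only connectors with a certificate name set are of interest.
$connectors = (@(Get-SendConnector) + @(Get-ReceiveConnector -Server $server)) |
    Where-Object { $_.TlsCertificateName }

$report = foreach ($c in $connectors) {
    $name  = "$($c.TlsCertificateName)"
    # The binding is by name, not thumbprint, so a renewed certificate with
    # an unchanged issuer and subject matches alongside the old one.
    $hits  = @($certs | Where-Object { $_.TlsName -eq $name })
    $valid = @($hits  | Where-Object { $_.NotAfter -gt $now })

    $status = if ($hits.Count -eq 0) { 'NO MATCHING CERTIFICATE ON THIS SERVER' }
              elseif ($valid.Count -eq 0) { 'ALL MATCHING CERTIFICATES EXPIRED' }
              elseif ($hits.Count -gt 1) { 'SEVERAL CERTIFICATES SHARE THIS NAME' }
              else { 'OK' }

    [pscustomobject]@{
        Connector    = "$($c.Identity)"
        Status       = $status
        Certificates = ($hits | Sort-Object NotAfter | ForEach-Object {
            "$($_.Thumbprint) (expires $($_.NotAfter.ToString('yyyy-MM-dd')))"
        }) -join '; '
    }
}

$report | Format-List
```

A connector reported with several certificates is the renewal situation described above; use the thumbprint and expiry date in the output to identify which certificate is the old one.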

Mark Rochester
Mark currently works in the cloud space assisting large companies to migrate from either on premises to the cloud, or cloud to cloud. His experience with Enterprise migrations spans more than 25 years which basically makes him old. However, with all the oldness creeping up he still finds technology massively exciting. Please reach out for a chat anytime you would like. 🙂
