Tuesday 1 August 2017

Exchange: ERROR: The internal transport certificate cannot be removed... FIX

We recently renewed an Exchange server's trusted certificate.

When we went to remove the old certificate in EAC we received the following error:

A special Rpc error occurs on server SERVERNAME: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop.
To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. you can then remove the existing certificate.

Searching turned up a lot of suggestions to simply delete the old certificate from the Personal certificate store. That did not strike us as the correct approach, since the error makes it clear that the old certificate is still in use as the internal transport certificate.

The proper methodology is to run the following command in the Exchange Management Shell to create and bind a new self-signed certificate. Because that certificate is only bound to Exchange's internal services, the fact that it is self-signed causes no trust issues, exactly as the error message indicates.

New-ExchangeCertificate -IncludeServerFQDN -IncludeServerNetBIOSName -Confirm:$False

The result would be something like this:

Once the command had completed, the new self-signed certificate held the internal transport role, and we were able to delete the expired third-party certificate in EAC.
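A check worth running before deleting the old certificate, as an added example that is not the post's own script: it assumes Exchange 2013 or later, where Get-TransportService exposes InternalTransportCertificateThumbprint (that property, the $OldThumbprint parameter and the server name handling are assumptions). It lists every certificate with whether it currently holds the internal transport role, creates the self-signed certificate only if the old one still does, and removes the old certificate only once the role has moved.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumes Exchange 2013+ (Get-TransportService); on Exchange 2010 use Get-TransportServer.
param(
    [string]$Server = $env:COMPUTERNAME,
    [Parameter(Mandatory = $true)]
    [string]$OldThumbprint   # thumbprint of the renewed/expired third-party certificate
)

# Which certificate currently holds the internal transport role on this server?
function Get-InternalTransportThumbprint([string]$Srv) {
    (Get-TransportService -Identity $Srv).InternalTransportCertificateThumbprint
}

$internal = Get-InternalTransportThumbprint $Server

# Inventory every certificate Exchange knows about, flagging the internal transport one
Get-ExchangeCertificate -Server $Server |
    Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned, Services,
        @{ Name = 'InternalTransport'; Expression = { $_.Thumbprint -eq $internal } } |
    Format-Table -AutoSize

if ($internal -eq $OldThumbprint) {
    # The old certificate still owns the role, which is why EAC refuses to remove it.
    # A new certificate automatically takes over the internal transport role.
    New-ExchangeCertificate -Server $Server -IncludeServerFQDN -IncludeServerNetBIOSName -Confirm:$false | Out-Null
    $internal = Get-InternalTransportThumbprint $Server
}

if ($internal -ne $OldThumbprint) {
    # Role has moved to the new certificate; the old one can now be removed safely.
    Remove-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint -Confirm:$false
    Write-Output "Removed $OldThumbprint; internal transport certificate is now $internal."
} else {
    Write-Warning "Certificate $OldThumbprint is still the internal transport certificate; not removing it."
}
```

Review the Services column before removal: a certificate still bound to IIS, POP or IMAP should be replaced on those services first so client connections do not fall back to an untrusted certificate.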

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book
Our Cloud Service
Twitter: @MPECSInc
