# Certificate and TLS/Connector Practices

## Role of Certificates in Exchange
Exchange Server uses certificates to protect the following communications:
- Client Access: Outlook, OWA, ActiveSync, EWS
- SMTP Transport: TLS encrypted mail transport
- Hybrid Connection: OAuth/TLS connections with Microsoft 365
- Federation: Cross-organization federation trust
## Certificate Type Selection

### Commercial Certificate vs. Self-Signed Certificate
| Type | Advantages | Disadvantages | Use Case |
|---|---|---|---|
| Commercial Certificate | Trusted, SAN support | Cost | Production environment |
| Self-Signed Certificate | Free | Requires manual trust | Test environment |
### SAN (Subject Alternative Name) Planning

Typical Exchange SAN certificate requirements:

- Subject: mail.contoso.com
- SAN entries:
  - mail.contoso.com
  - autodiscover.contoso.com
  - outlook.contoso.com (optional)

Avoid using wildcard certificates (*.contoso.com) in Exchange, as some services may not support them.
## Replacing Send Connector Certificate

### Scenario

Your Send Connector's certificate is expiring and needs to be replaced with a new certificate.

### Steps

#### 1. Check Existing Send Connector Configuration

```powershell
# List all Send Connectors and the certificate each one is pinned to
Get-SendConnector | Select-Object Name, TlsCertificateName, Enabled

# Example output:
# Name                   TlsCertificateName                         Enabled
# ----                   ------------------                         -------
# Outbound to Office 365 <I>CN=Go Daddy...<S>CN=mail.contoso.com   True
```
#### 2. View Existing Certificate

```powershell
# List all Exchange certificates
Get-ExchangeCertificate | Format-List FriendlyName, Subject, Thumbprint, NotAfter, Services

# Example:
# FriendlyName : Contoso Mail Certificate
# Subject      : CN=mail.contoso.com, O=Contoso, L=Taipei, S=Taiwan, C=TW
# Thumbprint   : 1A2B3C4D5E6F7G8H9I0J1K2L3M4N5O6P7Q8R9S0T
# NotAfter     : 2025-12-31 23:59:59
# Services     : SMTP, IIS
```
#### 3. Import New Certificate

```powershell
# Import certificate from PFX file (the password is read as a SecureString, never hard-coded)
$certPassword = Read-Host "Enter PFX password" -AsSecureString
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Certs\new-cert.pfx" -Encoding byte -ReadCount 0)) -Password $certPassword

# Enable SMTP service on the new certificate
# (replace <NEW_THUMBPRINT> with the Thumbprint printed by Import-ExchangeCertificate)
Enable-ExchangeCertificate -Thumbprint <NEW_THUMBPRINT> -Services SMTP -Force
```
#### 4. Update Send Connector

**Important: the TlsCertificateName format must be exact.**

```powershell
# Get the exact Issuer and Subject from the new certificate
$cert = Get-ExchangeCertificate -Thumbprint <NEW_THUMBPRINT>
$issuer = $cert.Issuer
$subject = $cert.Subject

# Construct TlsCertificateName: "<I>issuer<S>subject", with no closing tags
$TLSCertName = "<I>$issuer<S>$subject"

# Update Send Connector
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $TLSCertName

# Verify
Get-SendConnector "Outbound to Office 365" | Select-Object Name, TlsCertificateName
```

The TlsCertificateName value must be exactly `<I>Issuer<S>Subject` (the same form shown in the step 1 output), with no closing tags. An extra space or a missing character will cause the configuration to fail, because Exchange matches the issuer and subject strings literally against the installed certificates.
#### 5. Restart Transport Services

```powershell
# Restart transport services to apply changes
Restart-Service MSExchangeTransport
Restart-Service MSExchangeFrontEndTransport
```
#### 6. Verify Mail Flow

```powershell
# Test mail flow
Send-MailMessage -From test@contoso.com -To external@example.com -Subject "Test" -Body "Testing new certificate" -SmtpServer mail.contoso.com

# Check transport logs
Get-TransportService | Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) -Sender test@contoso.com
```
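The steps above pin a Send Connector to one certificate by issuer and subject; the following audit function, an added example that is not part of the original page, checks every Send Connector's pinned value against the certificates actually installed on the server (present, SMTP-enabled, not expiring, carrying the required SANs). It runs in the Exchange Management Shell; the default SAN list and the 30-day warning threshold are assumptions.

```powershell
# Added example: audit Send Connector TlsCertificateName values against installed certificates.
# Assumed defaults: the SAN list and the 30-day warning threshold.
function Test-SendConnectorTlsCertificate {
    param(
        [string[]]$RequiredSans = @('mail.contoso.com', 'autodiscover.contoso.com'),
        [int]$WarnDays = 30
    )
    $installed = Get-ExchangeCertificate
    foreach ($sc in Get-SendConnector) {
        $r = [ordered]@{ Connector = $sc.Name; Status = 'OK'; Thumbprint = $null; NotAfter = $null; Problems = '' }
        $problems = @()
        # TlsCertificateName renders as "<I>issuer<S>subject"; an empty value means no certificate is pinned
        $tlsName = [string]$sc.TlsCertificateName
        if (-not $tlsName) {
            $r.Status = 'NoCertificatePinned'
        }
        elseif ($tlsName -notmatch '^<I>(?<issuer>.+?)<S>(?<subject>.+)$') {
            $r.Status = 'MalformedTlsCertificateName'
        }
        else {
            $issuer = $Matches.issuer; $subject = $Matches.subject
            # After a renewal several certificates can share issuer and subject; report the one expiring last
            $cert = $installed | Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject } |
                    Sort-Object NotAfter -Descending | Select-Object -First 1
            if (-not $cert) {
                $r.Status = 'CertificateNotInstalled'
            }
            else {
                $r.Thumbprint = $cert.Thumbprint
                $r.NotAfter   = $cert.NotAfter
                if ("$($cert.Services)" -notmatch 'SMTP') { $problems += 'SMTP service not enabled' }
                if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
                elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { $problems += "expires within $WarnDays days" }
                # CertificateDomains lists the subject and SAN names on the certificate
                $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
                $missing = @($RequiredSans | Where-Object { $domains -notcontains $_ })
                if ($missing.Count -gt 0) { $problems += "missing SAN: $($missing -join ', ')" }
                if ($problems.Count -gt 0) { $r.Status = 'NeedsAttention' }
            }
        }
        $r.Problems = $problems -join '; '
        [pscustomobject]$r
    }
}

Test-SendConnectorTlsCertificate | Format-Table Connector, Status, NotAfter, Problems -AutoSize
```

Run it before and after step 4: a connector that still reports `CertificateNotInstalled` after the change is one whose issuer or subject string was not copied exactly.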
## Receive Connector TLS Configuration

### View Receive Connector Certificate Binding

```powershell
# List Receive Connectors
Get-ReceiveConnector | Select-Object Name, Server, Bindings, AuthMechanism, RequireTLS

# Check certificate binding on IIS (for Client Access); Get-WebBinding comes from the WebAdministration module
Import-Module WebAdministration
Get-WebBinding -Protocol https
```
### Enforce TLS

```powershell
# Require TLS for a specific connector
Set-ReceiveConnector "Inbound from Partners" -RequireTLS $true -TlsDomainCapabilities "partner.com:AcceptCloudServicesMail"
```
## Hybrid Deployment Certificate Considerations

### HCW (Hybrid Configuration Wizard) and Certificates
When you run HCW, it will:
- Check if on-premises Exchange certificates are valid
- Create Send Connector and specify certificate
- Configure Receive Connector to accept TLS connections from M365
### Re-run HCW After Certificate Replacement

```powershell
# After certificate renewal, consider re-running HCW to update cloud-side trust
# Download the latest HCW from: https://aka.ms/hybridwizard
```

After certificate replacement, it's recommended to re-run HCW to ensure the trust relationship on the M365 side is synchronized.
## Common Errors and Troubleshooting

### 1. Cannot Find -ApplicationIdentifier Parameter

Error Message:

```text
A parameter cannot be found that matches parameter name 'ApplicationIdentifier'.
```

Cause:
- HCW version and Exchange Server CU version mismatch
- Exchange Management Shell module is outdated

Solution:

```powershell
# 1. Upgrade Exchange to the latest CU
# 2. Download the latest HCW
# 3. Restart PowerShell and reload the module
Remove-PSSession $Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ex01.contoso.com/PowerShell/ -Authentication Kerberos
Import-PSSession $Session
```
### 2. TLS Handshake Failed

Error Message (in message tracking):

```text
450 4.4.101 Proxy session setup failed on Frontend with '451 4.4.0 Primary target IP address responded with: "451 5.7.3 STARTTLS is required to send mail"'
```

Troubleshooting Steps:

```powershell
# 1. Verify certificate binding
Get-ExchangeCertificate | Where-Object {$_.Services -match "SMTP"}

# 2. Check connector TLS settings
Get-SendConnector | Format-List Name, RequireTLS, TlsAuthLevel, TlsCertificateName

# 3. Test the connection manually
# (this only proves TCP port 25 is reachable; it does not exercise STARTTLS or the certificate)
Test-NetConnection -ComputerName mail.contoso.com -Port 25
```
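Because Test-NetConnection stops at the TCP layer, the following probe, an added example that is not part of the original page, completes a real STARTTLS handshake against an SMTP endpoint and reports the certificate it presents: negotiated protocol, subject, issuer, SANs, expiry and whether the chain validates on the probing machine. The server, port and HELO name are assumptions; it uses only .NET classes available in Windows PowerShell.

```powershell
# Added example: STARTTLS probe that reports the certificate an external MTA would actually see.
# Assumed inputs: server, port and HELO name. Wildcard SAN matching is not attempted.
function Test-SmtpStartTls {
    param([string]$Server = 'mail.contoso.com', [int]$Port = 25, [string]$HeloName = 'probe.contoso.com')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $net    = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($net, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($net, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        # Collect one SMTP reply; continuation lines look like "250-", the final line like "250 "
        $readReply = { $lines = @(); do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-'); ,$lines }
        $banner = & $readReply
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner[-1])" }
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = & $readReply
        if (-not ($ehlo -match '^250[ -]STARTTLS')) { throw "Server did not advertise STARTTLS: $($ehlo -join ' | ')" }
        $writer.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }
        # Accept any certificate during the handshake so it can be inspected; the chain is validated separately below
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)   # false when intermediates are missing or the root is untrusted here
        $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Server      = $Server
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
            SanNames    = ($sans -join ', ')
            NameMatches = ($sans -contains $Server)
            ChainValid  = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            TlsCertName = "<I>$($cert.Issuer)<S>$($cert.Subject)"   # the value a Send Connector pin would need
        }
    } finally { $client.Close() }
}

Test-SmtpStartTls -Server 'mail.contoso.com' | Format-List
```

A `ChainValid` of False with a `PartialChain` status points at the incomplete-chain problem described in the next section; `NameMatches` False means the server name is not among the certificate's SANs.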
### 3. Incomplete Certificate Chain

Symptoms:
- External mail servers report certificate validation failures
- SSL Labs test shows "Chain issues"

Solution:

```powershell
# Ensure intermediate certificates are included when importing
# 1. Download the full chain from the CA (Root + Intermediate + Server)
# 2. Import with the full chain:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Certs\fullchain.pfx" -Encoding byte -ReadCount 0)) -Password $certPassword
```
## Automated Certificate Renewal

### Using Let's Encrypt (Advanced)

Let's Encrypt certificates are only valid for 90 days and require an automated renewal mechanism.

```powershell
# Example using win-acme (https://www.win-acme.com/)
# This is a reference; the actual implementation requires careful testing
# 1. Install win-acme
# 2. Configure for Exchange
wacs.exe --target manual --host mail.contoso.com --installation script --script "C:\Scripts\Import-ExchangeCert.ps1"

# 3. Import-ExchangeCert.ps1 content:
param($PfxPath, $PfxPassword)
$securePassword = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
# Import-ExchangeCertificate returns the imported certificate object; take the new thumbprint from it
$newCert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding byte -ReadCount 0)) -Password $securePassword
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services SMTP,IIS -Force
# Note: a Send Connector with a pinned TlsCertificateName still needs step 4 above if the issuer or subject changed
Restart-Service MSExchangeTransport, MSExchangeFrontEndTransport, W3SVC
```
## Checklist
Before replacing certificates, verify:
- New certificate includes all required SANs
- Certificate validity is at least 1 year
- Backup exported (including private key)
- Validated in test environment
- Maintenance window planned (service restarts)
- Related teams notified
- Rollback plan ready (keep old certificate)