
Certificate and TLS/Connector Practices

Role of Certificates in Exchange

Exchange Server uses certificates to protect the following communications:

  1. Client Access: Outlook, OWA, ActiveSync, EWS
  2. SMTP Transport: TLS encrypted mail transport
  3. Hybrid Connection: OAuth/TLS connections with Microsoft 365
  4. Federation: Cross-organization federation trust

Certificate Type Selection

Commercial Certificate vs. Self-Signed Certificate

| Type | Advantages | Disadvantages | Use Case |
|---|---|---|---|
| Commercial Certificate | Trusted, SAN support | Cost | Production environment |
| Self-Signed Certificate | Free | Requires manual trust | Test environment |

SAN (Subject Alternative Name) Planning

Typical Exchange SAN Certificate Requirements:

Subject: mail.contoso.com
SAN:
- mail.contoso.com
- autodiscover.contoso.com
- outlook.contoso.com (optional)

Best Practice

Avoid using wildcard certificates (*.contoso.com) in Exchange, as some services may not support them.

Replacing Send Connector Certificate

Scenario

Your Send Connector's certificate is expiring and needs to be replaced with a new certificate.

Steps

1. Check Existing Send Connector Configuration

# List all Send Connectors
Get-SendConnector | Select-Object Name, TlsCertificateName, Enabled

# Example output:
# Name TlsCertificateName Enabled
# ---- ------------------ -------
# Outbound to Office 365 <I>CN=Go Daddy...<S>CN=mail.contoso.com</S> True

2. View Existing Certificate

# List all Exchange certificates
Get-ExchangeCertificate | Format-List FriendlyName, Subject, Thumbprint, NotAfter, Services

# Example:
# FriendlyName : Contoso Mail Certificate
# Subject : CN=mail.contoso.com, O=Contoso, L=Taipei, S=Taiwan, C=TW
# Thumbprint : 1A2B3C4D5E6F7G8H9I0J1K2L3M4N5O6P7Q8R9S0T
# NotAfter : 2025-12-31 23:59:59
# Services : SMTP, IIS

3. Import New Certificate

# Import certificate from PFX file
$certPassword = Read-Host "Enter PFX password" -AsSecureString
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Certs\new-cert.pfx" -Encoding byte -ReadCount 0)) -Password $certPassword

# Enable SMTP service on the new certificate
Enable-ExchangeCertificate -Thumbprint <NEW_THUMBPRINT> -Services SMTP -Force

4. Update Send Connector

Important: TlsCertificateName format must be exact

# Get the exact Issuer and Subject from the new certificate
$cert = Get-ExchangeCertificate -Thumbprint <NEW_THUMBPRINT>
$issuer = $cert.Issuer
$subject = $cert.Subject

# Construct TlsCertificateName in the documented <I>Issuer<S>Subject form (no closing tags)
$TLSCertName = "<I>$issuer<S>$subject"

# Update Send Connector
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $TLSCertName

# Verify that the stored value matches what was set
Get-SendConnector "Outbound to Office 365" | Select-Object Name, TlsCertificateName

Common Error

TlsCertificateName must exactly match the <I>Issuer<S>Subject string built from the certificate's Issuer and Subject values. An extra space or a missing character means the connector cannot locate the certificate, and the configuration fails.

5. Restart Transport Services

# Restart transport services to apply changes
Restart-Service MSExchangeTransport
Restart-Service MSExchangeFrontEndTransport

6. Verify Mail Flow

# Test mail flow
Send-MailMessage -From test@contoso.com -To external@example.com -Subject "Test" -Body "Testing new certificate" -SmtpServer mail.contoso.com

# Check transport logs
Get-TransportService | Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) -Sender test@contoso.com
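
The six steps above can be wrapped in a single pre-flight script that refuses to switch the connector when the new certificate is unusable and prints the rollback command first. This is an added example, not code from the original page; $NewThumbprint, $ConnectorName and $RequiredNames are placeholders you supply.

```powershell
# Added example: validate a replacement certificate before binding it to a Send Connector.
# The thumbprint, connector name and required SAN names below are placeholders.
param(
    [Parameter(Mandatory)][string]$NewThumbprint,
    [string]$ConnectorName = "Outbound to Office 365",
    [string[]]$RequiredNames = @("mail.contoso.com", "autodiscover.contoso.com"),
    [int]$MinDaysValid = 30
)

$cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint -ErrorAction Stop
$problems = @()

# 1. SMTP TLS cannot use a certificate whose private key was not imported.
if (-not $cert.HasPrivateKey) { $problems += "no private key" }

# 2. Do not switch to a certificate that is itself about to expire.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt $MinDaysValid) { $problems += "only $daysLeft days of validity left" }

# 3. Every required host name must appear in the SAN list (CertificateDomains).
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
foreach ($name in $RequiredNames) {
    if ($sans -notcontains $name.ToLowerInvariant()) { $problems += "SAN list lacks $name" }
}

# 4. Status is 'Valid' only when the chain builds to a trusted root on this server.
if ("$($cert.Status)" -ne "Valid") { $problems += "status is $($cert.Status)" }

if ($problems.Count -gt 0) {
    Write-Error ("Refusing to switch connector: " + ($problems -join "; "))
    return
}

# Documented identifier form is <I>Issuer<S>Subject, with no closing tags.
$newName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Keep the current value so the change can be reverted with a single command.
$oldName = (Get-SendConnector $ConnectorName).TlsCertificateName
Write-Host "Rollback: Set-SendConnector '$ConnectorName' -TlsCertificateName '$oldName'"

Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services SMTP -Force
Set-SendConnector $ConnectorName -TlsCertificateName $newName

# Confirm that the stored value round-trips to the certificate we intended.
$stored = "$((Get-SendConnector $ConnectorName).TlsCertificateName)"
if ($stored -ne $newName) { Write-Warning "Stored TlsCertificateName differs: $stored" }
```

Run it from the Exchange Management Shell on a transport server; the service restarts and mail-flow test from steps 5 and 6 still follow afterwards.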

Receive Connector TLS Configuration

View Receive Connector Certificate Binding

# List Receive Connectors
Get-ReceiveConnector | Select-Object Name, Server, Bindings, AuthMechanism, RequireTLS

# Check certificate binding on IIS (for Client Access); Get-WebBinding comes from the WebAdministration module
Import-Module WebAdministration
Get-WebBinding -Protocol https

Enforce TLS

# Require TLS for specific connector
Set-ReceiveConnector "Inbound from Partners" -RequireTLS $true -TlsDomainCapabilities "partner.com:AcceptCloudServicesMail"
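
The two commands above look at one connector at a time. The following added audit script (not from the original page) reports every Receive Connector on the local server that does not offer TLS, does not require it, or is bound to an SMTP certificate that is missing or close to expiry. The 30-day threshold is an assumption.

```powershell
# Added audit script: TLS posture of all Receive Connectors on this server.
$warnDays = 30   # assumed threshold; adjust to your renewal lead time
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" }

Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    $issues = @()

    # STARTTLS is only offered when Tls is part of AuthMechanism.
    if ("$($rc.AuthMechanism)" -notmatch "\bTls\b") { $issues += "TLS not offered" }

    # Internet-facing connectors should require TLS; internal ones may legitimately leave it optional.
    if (-not $rc.RequireTLS) { $issues += "TLS optional" }

    # An explicitly bound certificate must exist, be enabled for SMTP and not be near expiry.
    if ($rc.TlsCertificateName) {
        $wanted = "$($rc.TlsCertificateName)"
        $bound = @($smtpCerts | Where-Object { "<I>$($_.Issuer)<S>$($_.Subject)" -eq $wanted })
        if ($bound.Count -eq 0) {
            $issues += "bound certificate not found among SMTP certificates"
        } elseif (($bound[0].NotAfter - (Get-Date)).Days -lt $warnDays) {
            $issues += "certificate expires $($bound[0].NotAfter.ToShortDateString())"
        }
    }

    $summary = if ($issues.Count -gt 0) { $issues -join "; " } else { "OK" }
    [pscustomobject]@{
        Server    = $rc.Server
        Connector = $rc.Name
        Bindings  = ($rc.Bindings -join ", ")
        Issues    = $summary
    }
} | Sort-Object Issues -Descending | Format-Table -AutoSize
```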

Hybrid Deployment Certificate Considerations

HCW (Hybrid Configuration Wizard) and Certificates

When you run HCW, it will:

  1. Check if on-premises Exchange certificates are valid
  2. Create Send Connector and specify certificate
  3. Configure Receive Connector to accept TLS connections from M365

Re-run HCW After Certificate Replacement

# After certificate renewal, consider re-running HCW to update cloud-side trust
# Download latest HCW from: https://aka.ms/hybridwizard

Important

After certificate replacement, it's recommended to re-run HCW to ensure the trust relationship on the M365 side is synchronized.

Common Errors and Troubleshooting

1. Cannot Find -ApplicationIdentifier Parameter

Error Message:

A parameter cannot be found that matches parameter name 'ApplicationIdentifier'.

Cause:

  • HCW version and Exchange Server CU version mismatch
  • Exchange Management Shell module is outdated

Solution:

# 1. Upgrade Exchange to the latest CU
# 2. Download the latest version of HCW
# 3. Restart PowerShell and reload the module
Remove-PSSession $Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ex01.contoso.com/PowerShell/ -Authentication Kerberos
Import-PSSession $Session

2. TLS Handshake Failed

Error Message (in message tracking):

450 4.4.101 Proxy session setup failed on Frontend with '451 4.4.0 Primary target IP address responded with: "451 5.7.3 STARTTLS is required to send mail"'

Troubleshooting Steps:

# 1. Verify certificate binding
Get-ExchangeCertificate | Where-Object {$_.Services -match "SMTP"}

# 2. Check connector TLS settings
Get-SendConnector | Format-List Name, RequireTLS, TlsAuthLevel, TlsCertificateName

# 3. Test that port 25 is reachable (TCP only; this does not perform a TLS handshake)
Test-NetConnection -ComputerName mail.contoso.com -Port 25

3. Incomplete Certificate Chain

Symptoms:

  • External mail servers report certificate validation failures
  • SSL Labs test shows "Chain issues"

Solution:

# Ensure intermediate certificates are included when importing
# 1. Download full chain from CA (Root + Intermediate + Server)
# 2. Import with full chain:

$certPassword = Read-Host "Enter PFX password" -AsSecureString
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Certs\fullchain.pfx" -Encoding byte -ReadCount 0)) -Password $certPassword
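
Both the "TLS Handshake Failed" and "Incomplete Certificate Chain" cases are easiest to confirm from the outside, because Test-NetConnection only proves that port 25 answers. The added function below (not from the original page) performs a real STARTTLS handshake against an SMTP host and reports what a remote server sees: negotiated protocol, certificate names, expiry, and whether the chain builds. The host name and the EHLO identity are constructed placeholders.

```powershell
function Test-SmtpStartTls {
    param([string]$SmtpHost = "mail.contoso.com", [int]$Port = 25, [int]$TimeoutMs = 10000)  # host is a placeholder
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs; $client.SendTimeout = $TimeoutMs
    $client.Connect($SmtpHost, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # SMTP replies may span several lines; continuation lines use "250-" instead of "250 ".
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        return $lines
    }

    $null = Read-Reply                                  # 220 banner
    $writer.WriteLine("EHLO probe.example.net")         # constructed EHLO identity
    $ehlo = @(Read-Reply)
    if (-not ($ehlo -match 'STARTTLS')) { throw "STARTTLS not advertised: $($ehlo -join ' | ')" }
    $writer.WriteLine("STARTTLS")
    $reply = @(Read-Reply)
    if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

    # Accept any certificate at the socket layer so the handshake completes, then judge the
    # chain explicitly below rather than letting a validation failure hide the details.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
    $ssl.AuthenticateAsClient($SmtpHost)

    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"       # chain construction only; works offline
    $chainOk = $chain.Build($remote)
    $result = [pscustomobject]@{
        Host        = $SmtpHost
        Protocol    = $ssl.SslProtocol
        Subject     = $remote.Subject
        Issuer      = $remote.Issuer
        NotAfter    = $remote.NotAfter
        NameMatches = @($remote.DnsNameList.Unicode) -contains $SmtpHost   # exact SAN match only
        ChainBuilt  = $chainOk                          # $false usually means a missing intermediate
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", ")
    }
    $ssl.Dispose(); $client.Close(); return $result
}

Test-SmtpStartTls -SmtpHost "mail.contoso.com"
```

A ChainBuilt value of False with a PartialChain status points at the missing-intermediate case above; an exception before the handshake points at connector or firewall configuration instead.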

Automated Certificate Renewal

Using Let's Encrypt (Advanced)

Note

Let's Encrypt certificates are only valid for 90 days and require an automated renewal mechanism.

# Example using win-acme (https://www.win-acme.com/)
# This is a reference, actual implementation requires careful testing

# 1. Install win-acme
# 2. Configure for Exchange. win-acme passes values to the installation script through
#    --scriptparameters placeholders ({CacheFile} = PFX path, {CachePassword} = PFX password);
#    verify the placeholder names against the documentation of the version you install.
wacs.exe --target manual --host mail.contoso.com --installation script --script "C:\Scripts\Import-ExchangeCert.ps1" --scriptparameters "'{CacheFile}' '{CachePassword}'"

# 3. Import-ExchangeCert.ps1 content:
param($PfxPath, $PfxPassword)
# The script runs outside the Exchange Management Shell, so load the Exchange cmdlets first
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue
# Import-ExchangeCertificate returns the imported certificate, which supplies the new thumbprint
$newCert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding byte -ReadCount 0)) -Password (ConvertTo-SecureString $PfxPassword -AsPlainText -Force)
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services SMTP,IIS -Force
# Send Connectors bound by TlsCertificateName must also be updated whenever Issuer or Subject changes
Restart-Service MSExchangeTransport, MSExchangeFrontEndTransport, W3SVC

Checklist

Before replacing certificates, verify:

  • New certificate includes all required SANs
  • Certificate validity is at least 1 year
  • Backup exported (including private key)
  • Validated in test environment
  • Maintenance window planned (service restarts)
  • Related teams notified
  • Rollback plan ready (keep old certificate)